Treasury Department Action a Small, Significant Step Forward in Tackling Ransomware

Andrew Jensen is a Cybersecurity Analyst at the Institute for Security and Technology, where he focuses on cybersecurity, ransomware, and global tech competition.

The Biden administration’s recent announcement of new sanctions against Chatex, a virtual illicit asset exchange, coupled with a sanctions designation against ransomware operators, represents a vital move forward in the global fight against ransomware. Paired with September’s advisories and guidance for victims from the Department of Treasury—and the landmark sanctions designation of SUEX OTC—the administration’s whole-of-government response to the ransomware threat is ramping up.

Ransomware made headlines over the past year as attacks against critical infrastructure and software supply chains have crippled vital industries within the U.S., levying significant costs against both citizens and businesses across the country. A recent U.S. Treasury financial trend analysis found that suspected ransomware payments in the first half of 2021 amounted to $590 million, 35% higher than the total amount of ransomware payments throughout all of 2020.

With sufficient follow-through, and some key tweaks, the U.S. can take the lead, forging crucial multilateral approaches to stem the tide of ransomware.

In September, the Treasury Department’s financial intelligence and enforcement agency, the Office of Foreign Assets Control (OFAC), published an updated advisory on sanctions for ransomware payments. With the new advisory, Treasury is rightly encouraging organizations to participate in risk-based compliance programs to effectively mitigate exposure to sanctions-related violations, introducing meaningful incentives to increase organizational defenses to such attacks, and outlining steps for cooperation with OFAC and other federal agencies.

Though the advisory is certainly a move in the right direction, it does not clarify important issues including what constitutes due diligence in understanding whether a ransom-attacker is a sanctioned entity, how much liability OFAC assigns to each stakeholder, the timeline and process for obtaining a payment license, and incident response “rules of engagement” for cryptocurrency exchanges and mixers.

Late last month, OFAC sanctioned a European virtual currency exchange, Chatex, as well as its associated support network. Chatex has direct ties with the previously targeted SUEX OTC and actively uses the exchange’s network as a nest to conduct virtual currency transactions, according to the Treasury. Similar to SUEX OTC, analysis of the Chatex known transaction ledger reveals that over half of the payments it facilitates are tied to illicit or high-risk activities, including ties to multiple ransomware variants.

In a unique move, OFAC further sanctioned 3 businesses that provide infrastructure material support, and assistance to Chatex, effectively cutting off support for Chatext and preventing criminal misuse of the platform.

Unregulated cryptocurrency exchanges, sub-exchanges, and mixers (services that offer to pool coins together and then distribute the coins back to users randomly, to increase user anonymity) provide a convenient and anonymous payments system that enables criminals to receive large influxes of fiat currency. Underpinned by businesses that allow these exchanges to function, virtual currency exchanges can provide valuable financial services to cybercriminals, particularly to those that deploy ransomware and depend on exchanges to cash out ransom demands. Stemming the payment pathway for these criminal enterprises can provide significant disruption and intervention opportunities for U.S. federal agencies.

By targeting the flow of money to cyber criminals, the door is open to take direct action against individual actors.

Sanctioning exchanges that turn a blind eye to illicit asset transfers directly stops the flow of money to smaller ransomware actors, such as criminals that use Ransomware-as-a-Service platforms to purchase and spread ransomware. By targeting the flow of money to cyber criminals, the door is open to take direct action against individual actors. Without a way to move illicit funds to safe storage locations, cyber criminals may seek alternative strategies that are more complex, limiting ransomware activities or shutting them down altogether.

Gaining clarity on these key dimensions has been an arduous process. In October 2020, OFAC published an advisory on the risk and consequences for making ransom payments to sanctioned entities—maintaining that victims, financial institutions, cyber insurance firms, digital forensic groups, and incident response groups are all responsible in the advent of a ransomware payment sanctions violation. The 2020 advisory did not address reporting requirements, victim obligations, or guidance for dealing with attackers that fell under sanctions. In its May 2021 report, the independent Ransomware Task Force encouraged OFAC to clarify portions of the 2020 advisory to reflect the perspectives of ransomware victims and protect them from further harm.

The updated OFAC advisory, which includes important incentives for ransomware victims, as well as the announcement of sanctions against multiple virtual currency exchanges is an important step forward in the fight against ransomware and represents a needed comprehensive, whole-of-government response.

In this truly global fight, OFAC and other government entities must continue engaging the private sector to enable a force multiplier. There are also key partners scattered across the globe that can help effectively turn the tide against criminal ransomware groups by decentralizing education, interdiction, and disruption. At its core, ransomware transcends business, government, academic, and geographic boundaries, and is a serious national and international security threat.