The rise of ransomware attacks has prompted the international community to explore a range of approaches to deter these attacks, including the use of sanctions, the further development and instantiation of norms governing cyberattacks, and the promotion of cybersecurity best practices.
Sanctions have been an important part of the toolkit used by government agencies to impose costs on ransomware actors. In February 2023, regulators in the UK and the US Treasury Department’s Office of Foreign Assets Control (OFAC) sanctioned seven members of the Russian-based cybercrime gang TrickBot, associated with Russian Intelligence Services, for deploying ransomware to target critical infrastructure in both countries. In August 2022, OFAC sanctioned Tornado Cash, a decentralized cryptocurrency mixer, for allegedly facilitating the laundering of $7 billion in virtual currency (VC). In a similar move, in September 2021, OFAC designated SUEX OTC, S.R.O. (SUEX), a Russian cryptocurrency exchange, as an entity on the Specially Designated Nationals and Blocked Persons list, which restricts US dealings with certain entities posing national security threats. Concurrently, OFAC issued a ransomware advisory (September 2021 Advisory) highlighting the sanctions risks associated with ransomware payments in connection with malicious cyber-enabled activities. SUEX was found to have moved hundreds of millions of dollars of cryptocurrency from illicit sources, including more than $160 million from ransomware actors.
While these designations are important, a comprehensive approach is necessary to continue to deter and degrade ransomware networks. This proactive and broad-based approach may involve targeted sanctions, information sharing, public-private partnerships, and empowering businesses and individuals to protect themselves from ransomware attacks. By engaging foreign regulators that emphasize financial crimes compliance, this approach could help those regulators supervise virtual asset service providers (VASPs) in their jurisdictions more effectively, reducing the risk that those VASPs process payments for ransomware actors.
I. Understanding the Ransomware Ecosystem
Ransomware is a form of malicious software (malware) designed to block access to computer systems or data, often by encrypting data or programs. Cyber actors demand ransom payments, usually in VC, in exchange for a key to decrypt files and restore victims’ access to their information. In recent years, OFAC has been targeting various actors in the ransomware ecosystem, including:
- TrickBot: TrickBot is a modular malware suite operated by a Russian-based cybercrime gang that has targeted hospitals and healthcare centers. In February 2023, OFAC and regulators in the UK sanctioned seven members of the “TrickBot Group,” whose current members OFAC stated were associated with Russian Intelligence Services, for deploying ransomware to target critical infrastructure in both countries.
- SUEX: SUEX is a Russian VC exchange designated by OFAC in September 2021 for facilitating transactions with illicit proceeds, including more than $160 million from ransomware actors. While SUEX has allegedly facilitated transactions with illicit proceeds from at least eight ransomware variants and more than 40 percent of its transaction history is associated with illicit actors, OFAC has acknowledged that “the action against SUEX does not implicate a sanctions nexus to any particular Ransomware-as-a-Service (RaaS) or variant.” Therefore, the impact of this action on ransomware attacks and associated payments remains uncertain.
- Tornado Cash: Tornado Cash, sanctioned by OFAC in August 2022, is a decentralized cryptocurrency mixer that OFAC said facilitated the laundering of $7 billion in cryptocurrency and $1.5 billion in proceeds from crimes such as ransomware attacks. Mixers like Tornado Cash increase privacy but have also been used by illicit actors. OFAC alleged that Tornado Cash was used to launder more than $455 million stolen by the Lazarus Group, a Democratic People’s Republic of Korea state-sponsored hacking group, in the largest VC heist known to date. OFAC advises US persons to consider mixers “high risk” and to use a “risk-based approach” to assess and mitigate VC-related risks, such as those posed by mixers’ anonymizing features. Going forward, OFAC intends to “investigate the use of mixers for illicit purposes [in response] to illicit financing risks in the [VC] ecosystem.”
II. OFAC’s September 2021 Advisory
In addition to designating a range of actors involved in the ransomware ecosystem, OFAC has also issued compliance guidance to help firms manage risks around ransomware transactions specifically and VC transactions generally. OFAC’s September 2021 Advisory notes that the US government “strongly discourages all private companies and citizens from paying ransom or extortion demands.” The September 2021 Advisory explains that under the International Emergency Economic Powers Act or the Trading with the Enemy Act, businesses can be held accountable for breaking OFAC rules by paying ransoms to sanctioned persons, even if they were unaware they were doing so. Furthermore, to avoid sanctions violations, OFAC suggests businesses implement a “risk-based compliance program to mitigate exposure to sanctions-related violations,” which can be supplemented through training, offline backups, response plans and other efforts to protect a company’s technical infrastructure. OFAC also emphasizes the importance of prompt reporting, noting that it views a “self-initiated and complete report of a ransomware attack to law enforcement” as a significant mitigating factor in an enforcement context. This guidance is consistent with OFAC’s broader guidance about how companies should build effective risk-based compliance programs.
Overall, OFAC’s sanctions campaign reflects its commitment to combating ransomware through targeted sanctions and partnerships with other government agencies and international partners.
III. Key Compliance Considerations for Ransomware Attacks
To comply with OFAC regulations and mitigate sanctions risks when faced with ransomware payments, companies should implement risk-based compliance programs. These programs are essential for avoiding potential pitfalls associated with ransomware payments and maintaining a strong security posture. Key elements of these programs may include:
- Thorough due diligence: Conduct screening of names, wallet addresses and email addresses linked to potential ransomware actors to ensure no transactions inadvertently occur with sanctioned entities. Moreover, since civil penalties can still be imposed for unknowingly making payments to sanctioned actors on a strict liability basis, due diligence is essential to mitigating ransomware risk.
- Robust incident response plan: Establish a solid incident response plan that trains employees to recognize and report ransomware attacks, maintains offline backups of critical data and systems for swift recovery, and implements a clear communication strategy for internal stakeholders, coordinating with external partners like law enforcement agencies and cybersecurity firms. Promptly reporting ransomware attacks to relevant authorities is considered a mitigating factor by OFAC, emphasizing the value of collaboration and communication with law enforcement.
- Engaging expertise: Collaborating with expert third parties who can help companies navigate cyber incidents and comply with OFAC guidelines is essential. By enlisting the assistance of these experts, businesses can better manage the complexities associated with ransomware incidents and minimize operational disruptions as well as the potential legal and financial consequences of possible OFAC violations. These professionals possess up-to-date knowledge about the latest ransomware groups and payment methods, and they have relevant contacts, such as those within the FBI, enabling them to provide informed guidance and support during a crisis.
IV. Beyond Sanctions: A Comprehensive Strategy for Ransomware Threats
A whole-of-sector, holistic approach is necessary to effectively combat ransomware threats.
A. Operationalizing the Approach
Sanctions are an important—a necessary but not sufficient—component of an overall strategy to combat ransomware. US regulators should prioritize collaboration with foreign counterparts to implement sanctions measures. In addition, OFAC and others can build preventative principles by offering best-practice training and focusing on education in vulnerable regions such as Latin America, the Caribbean and Eastern Europe, strengthening global defense against ransomware, and mitigating its negative impact on businesses and individuals.
US regulators such as OFAC can take the lead in the responsible development and design of compliance standards, knowledge and tools for their international counterparts to effectively monitor and regulate VC exchanges and VASPs for financial crimes compliance purposes. To further deter the inadvertent facilitation of transactions to ransomware actors, this approach could also draw on lessons learned from counterterrorism finance efforts, which have emphasized an international whole-of-sector approach involving investment and collaboration with private-sector partners and other stakeholders to prevent attacks before they happen.
By supervising VASPs and empowering foreign regulators and companies with the necessary training and resources, implementing risk-based compliance programs, and collaborating with expert third parties, we can create a robust global defense against ransomware. Adopting this multifaceted approach goes beyond the imposition of sanctions on specific bad actors—it reduces the prevalence of ransomware, shielding governments and businesses from its devastating consequences.