.svg)
The U.S. Department of the Treasury has taken its first action ever against a crypto-company for laundering cyber-ransom money. Meanwhile, its Office of Foreign Assets Control (OFAC) has updated an advisory note that pertains to ransomware.
As part of the government's campaign against ransomware, the Treasury has taken steps to disrupt criminal networks and virtual currency exchanges that launder the proceeds of ransoms. These steps include OFAC's encouragement of improvements in cybersecurity throughout the private sector in an updated "advisory," a non-binding document. In this advisory, OFAC has also encouraged victims and firms to report more incidents and ransomware payments to the Treasury and law enforcement agencies.
“Ransomware and cyber-attacks are victimizing businesses large and small across America and are a direct threat to our economy. We will continue to crack down on malicious actors,” said Treasury Secretary Janet Yellen in a press statement.
In 2020, ransomware payments exceeded $400m — more than four times their level in 2019, according to the U.S. government.
“Criminals definitely exploited the pandemic,” said Rūta Bajarūnaitė, an expert at the Centre for Anti-Money Laundering Excellence in Lithuania, noting that every company was bound to endure a cyber-attack and that the only question one could ask about it was "when?".
She went on to tell VIXIO that many companies still lacked the right safeguards to stop ransomware-related crimes.
“While there is no silver bullet when it comes to cybersecurity, what we urgently need is for companies to recognise cybersecurity as a strategic priority and to act accordingly.”
In addition, Bajarūnaitė thought that countries should ensure that their public and private sectors took a more collaborative and coordinated approach to the problem.
“Only by sharing information and combining private and public sectors’ capabilities can give us the best opportunity to disrupt ransomware crimes,” she said.
“As cybercriminals use increasingly sophisticated methods and technology, the U.S. government are committed to using the full range of measures, to include sanctions and regulatory tools, to disrupt, deter, and prevent ransomware attacks,” Yellen has warned.
Virtual currency exchanges are a crucial element of this ecosystem because virtual currency is the principal means by which people make ransomware payments and indulge in associated money laundering activities, according to the U.S. Department of Treasury.
With this in mind, OFAC has blocked or "designated" its first virtual currency exchange. It has sanctioned SUEX OTC, S.R.O. (SUEX) for facilitating financial transactions on behalf of the users of ransomware. As a result, all the exchange's U.S. assets are blocked and U.S. persons are generally prohibited from engaging in transactions with it.
According to the U.S. government, SUEX has "facilitated transactions involving illicit proceeds from at least eight ransomware variants."
More than 40 percent of known SUEX transactions are allegedly associated with criminals.
Bajarūnaitė warned that companies could become liable to prosecution because of the strict liability principle, which holds sanction-breakers accountable regardless of whether they know that they are breaking sanctions or not.
“If you happen to have no choice but to pay the demanded ransom, you can also be held legally liable to OFAC,” she told VIXIO. She went on to say that OFAC could prosecute companies that dealt with the victims of ransomware attacks. These, she thought, included companies that provided them with cyber-insurance, digital forensics, incident response services and the processing of ransom payments.
"Companies can mitigate these compliance risks by implementing sanctions compliance programmes. This could include conducting a sanctions risk assessment, with the goal of identifying inherent risks in order to inform risk-based decisions and controls.
"In addition, cybersecurity practices should also be adopted and improved on a regular basis by companies, with the bare minimum being at least making sure cybersecurity policies are effectively implemented — for example, by ensuring cybersecurity training is in place and that incident response plans are developed.
"It is highly recommended for victims or entities that negotiate and facilitate ransom payments to come forward and disclose breaches to law enforcement. This would be considered as a significant mitigating factor in determining an appropriate enforcement response."
