Five Key Considerations Regarding New U.S. Sanctions to Address Ransomware Threats

The Suex Sanctions

OFAC designated Suex, a virtual currency exchange registered in the Czech Republic that is believed to operate in Russia, “for its part in facilitating financial transactions for ransomware actors, involving illicit proceeds from at least eight ransomware variants.” As Treasury observed in its press release, “Analysis of known Suex transactions shows that over 40% of Suex’s known transaction history is associated with illicit actors.” According to a prominent blockchain analysis firm whose tools aided in the U.S. government’s investigation of Suex, the exchange received “over $160 million from ransomware actors, scammers, and darknet market operators” in bitcoin alone and “tens of millions [of dollars] worth of cryptocurrency payments from addresses associated with several forms of cybercrime.” The same analytics firm concludes that “[a] small group of illicit services facilitate the majority of cryptocurrency-based money laundering, and Suex is one of the worst offenders.” 

Suex was designated pursuant to the “cyber sanctions” authorized by Executive Order 13694, as amended (EO 13694), which permits the blocking of property of those who engage in significant malicious cyber-enabled activities. Since December 2016, OFAC has designated malicious cyber actors, including perpetrators of ransomware attacks. The agency took its first virtual-asset-related action pursuant to EO 13964 in November 2018, when it targeted two Iran-based individuals who helped exchange bitcoin ransom payments into fiat currency in connection with the notorious SamSam ransomware scheme and identified digital currency addresses associated with those two facilitators. OFAC’s subsequent use of the EO 13694 authority has resulted in sanctions against Chinese nationals who used cryptocurrency to advance drug trafficking; against Russian nationals who used cryptocurrency to fund activities in furtherance of ongoing malign influence operations around the world; and against Chinese nationals who are believed to have laundered over $100 million worth of cryptocurrency stolen from cryptocurrency exchanges by North Korean actors¹. The Suex designation represents the first sanctions designation against a virtual currency exchange.

As a result of Suex’s designation, all of that entity’s property and interests in property subject to U.S. jurisdiction are blocked, and U.S. persons are generally prohibited from engaging in transactions, directly or indirectly, with Suex or in activity for the benefit of Suex. In addition, any entities 50% or more owned by one or more designated persons are also blocked. Finally, parties, including non-U.S. persons, that engage in certain transactions or activities with Suex may expose themselves to sanctions or be subject to an enforcement action. Treasury’s press release does note, however, that OFAC’s designation of Suex “does not implicate a sanctions nexus to any particular Ransomware-as-a-Service or variant.”

Updated OFAC Ransomware Advisory

Also on September 21, OFAC published an updated advisory, its strongest to date, demonstrating an intent to sanction not only individual cybercriminals involved in ransomware attacks but also the platforms those criminals use to commit their malign acts. The updated advisory supersedes guidance issued in October 2020 that formally articulated OFAC’s view that making ransomware payments with a sanctions nexus threatens U.S. national security interests and that third-party service providers that facilitate ransomware payments on behalf of a victim must consider and ensure compliance with OFAC regulations.

OFAC’s updated advisory does not expand existing law or provide new authority for imposing sanctions. The updated advisory does, however, outline a range of enforcement responses and factors OFAC will consider in making enforcement decisions. While OFAC continues strongly to discourage ransomware extortion payments and has directed that companies should engage in particular steps to protect themselves from ransom demands, the act of paying a ransom, alone, will not expose a victim to an enforcement action unless a designated party, such as Suex or another specially designated national, is involved. 

However, the identity of an attacker may be difficult to diagnose. Moreover, cyber-related sanctions, like most OFAC sanctions programs, impose strict liability. In addition, traditional sanctions controls, such as name screening, can be thwarted by the anonymous nature of cyberattackers and ransom demands. Therefore, in today’s environment of increasingly crippling cyberattacks, companies should ensure they have maintained and implemented a robust compliance and risk mitigation program designed to prevent and recover from malign cyberactivity, including ransomware attacks.  

In particular, financial institutions and companies that may be subject to ransomware attacks, as well as companies operating in the virtual assets industry generally, may wish to consider the following key lessons:

1. OFAC Strongly Discourages the Payment of Ransom Demands. OFAC’s updated advisory states that “the U.S. government strongly discourages the payment of cyber ransom or extortion demands.” This messaging echoes the formal views of federal law enforcement, as the FBI also does not support paying a ransom in response to a ransomware attack.
2. Platforms Facilitating Currency Exchanges May Be Subject to Sanctions. While the October 2020 OFAC guidance identified attackers and payees who may be designated under OFAC’s existing cyber-related sanctions authority, the agency’s September 2021 designation of Suex is significant because, as noted above, it represents the first time that a virtual currency platform, as distinct from a malicious attacker, has been so designated. This demonstrates that OFAC, consistent with the U.S. government’s broader counter-ransomware strategy, is expanding its efforts to combat ransomware attacks by targeting and disrupting aspects of the global ransomware infrastructure. Indeed, Treasury’s press release notes that “[v]irtual currency exchanges such as Suex are critical to the profitability of ransomware attacks” and emphasizes that “Treasury will continue to disrupt and hold accountable these entities to reduce the incentive for cybercriminals to continue to conduct these attacks.”
   
   And while Treasury’s press release observes that “most virtual currency activity is licit,” it also notes that “virtual currencies can be used for illicit activity through peer-to-peer exchangers, mixers, and exchanges.” The press release further observes that “[s]ome virtual currency exchanges are exploited by malicious actors, but others, as is the case with Suex, facilitate illicit activities for their own illicit gains.” These words indicate the continued importance of maintaining effective anti-money-laundering programs and of bolstering “know-your-customer” capabilities. They also reflect Treasury’s continued evaluation of the effects of virtual currencies on various aspects of American life and the U.S. national interest. Those involved in the nascent and rapidly growing virtual assets industry may take comfort in the noteworthy acknowledgment that “most virtual currency activity is licit”; nonetheless, federal enforcement officials, including those at Treasury, plainly will remain vigilant in exercising their prerogatives. 
3. OFAC Has Outlined What It Expects of Companies Seeking Mitigation in an Enforcement Setting After an Attack. Specifically, as discussed in more detail below, OFAC has explained that should a sanctions violation occur, it will evaluate how the company worked to prevent the attack and the actions the company took in response to an attack in considering enforcement action, including whether to issue nonmonetary and nonpublic enforcement actions, such as warning letters. Significantly, while it may be difficult to identify a sanctions-nexus in an attack, and therefore for a company to decide whether to file a voluntary self-disclosure, OFAC’s updated advisory states that “OFAC will consider a company’s self-initiated and complete report of a ransomware attack to law enforcement or other relevant U.S. government agencies ... made as soon as possible after discovery of an attack, to be a voluntary self-disclosure and a significant mitigating factor in determining an appropriate enforcement response.” Under OFAC’s Enforcement Guidelines, filing a voluntary self-disclosure typically results in a significant reduction of any penalty that may be issued and frequently results in nonmonetary enforcement.  
4. Companies Should Develop and Supplement Their Compliance and Risk Mitigation Programs for Preventing and Handling Cyberattacks. OFAC’s updated advisory provides additional guidance about what the agency believes to be the hallmarks of a robust compliance program. For example, it recommends that companies adopt meaningful cyber-risk-mitigation practices such as those found in the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) Ransomware Guide published in September 2020. OFAC specifically identifies the following steps as crucial actions that companies can take to protect themselves: “maintaining offline backups of data, developing incident response plans, instituting cybersecurity training, regularly updating antivirus and anti-malware software, and employing authentication protocols, among others.” As noted above, OFAC’s updated advisory states that adopting risk management protocols like those in the CISA Ransomware Guide will be considered a “significant mitigating factor in any OFAC enforcement response” — a reflection of interagency coordination and collaboration in this area. 
5. Companies Should Evaluate All of the Ways to Engage With OFAC and Law Enforcement. While OFAC’s prior advisory recommended that victim companies notify law enforcement and different components within Treasury, the updated advisory provides additional details and highlights interagency roles and relationships. Specifically, OFAC now “strongly encourages all victims and those involved with addressing ransomware attacks to report the incident to CISA, their local FBI field office, the FBI Internet Crime Complaint Center, or their local U.S. Secret Service office as soon as possible. Victims should also report ransomware attacks and payments to Treasury’s [Office of Cybersecurity and Critical Infrastructure Protection] and contact OFAC if there is any reason to suspect a potential sanctions nexus with regard to a ransomware payment.” Companies should make complete reports to law enforcement to receive credit, including providing all the relevant technical details, demand information, and instructions. The updated guidance links together both the timeliness and completeness of a company’s report to law enforcement, stating: “While the resolution of each potential enforcement matter depends on the specific facts and circumstances, OFAC would be more likely to resolve apparent violations involving ransomware attacks with a non-public response (i.e., a No Action Letter or a Cautionary Letter) when the affected party took the mitigating steps described [in the updated guidance], particularly reporting the ransomware attack to law enforcement as soon as possible and providing ongoing cooperation.” As described above, significantly, reports to law enforcement, when done timely and completely, may count as OFAC voluntary self-disclosures if a sanctions-nexus is discovered.

Given the focus of OFAC’s updated guidance on companies’ proactive procedures to prevent and respond to cyberattacks, companies should evaluate the security of their information technology systems and data repositories, the security and efficacy of their offline data backups, their sanctions and cybersecurity training, and their incident response programs — and make any necessary enhancements or modifications. Because of the increase of cyberattacks during the COVID-19 pandemic and the additional considerations regarding cybersecurity that are associated with remote work, these actions are increasingly important.