Cybersecurity professionals have long been discussing the role of cryptocurrency in the rise of ransomware attacks.
Virtual currency is easy to transfer across country borders, making it the currency of choice for most cybercriminals.
But it looks like the U.S. is now taking steps towards changing this.
U.S. counter-ransomware initiative
The U.S. Department of the Treasury announced a number of actions on Tuesday to strike down cryptocurrency transactions related to ransom laundering.
SUEX OTC, S.R.O., a foreign virtual currency exchange, was sanctioned for its part in supporting cybercriminal activity. This action was a historic move and first of its kind by the United States.
The Treasury also compared ransomware to a form of terrorism and implied the sanction against SUEX would be the start of a "counter-ransomware" initiative.
"Ransomware and cyber-attacks are victimizing businesses large and small across America and are a direct threat to our economy. We will continue to crack down on malicious actors. As cyber criminals use increasingly sophisticated methods and technology, we are committed to using the full range of measures, to include sanctions and regulatory tools, to disrupt, deter, and prevent ransomware attacks," said Treasury Secretary Janet L. Yellen.
Cost of ransomware in the United States
According to statistics by the Treasury Department, payments for ransomware attacks climbed to more than $400 million in 2020. That's four times higher than the payments were in 2019.
While the U.S. Treasury believed only a small portion of the cyberattacks impacted the economy, they were also concerned with how the attacks weaponize technology and impact life.
"The U.S. government estimates that these payments represent just a fraction of the economic harm caused by cyber-attacks, but they underscore the objectives of those who seek to weaponize technology for personal gain: to disrupt our economy and damage the companies, families, and individuals who depend on it for their livelihoods, savings, and futures. In addition to the millions of dollars paid in ransoms and recovery, the disruption to critical sectors, including financial services, healthcare, and energy, as well as the exposure of confidential information, can cause severe damage.”
Sanction risks for ransomware payments
In addition this this announcement, The U.S. Treasury's Office of Foreign Assets Control (OFAC) provided a new advisory statement on possible sanction risks for anyone making ransomware payments, and the statement includes very direct language:
"OFAC may impose civil penalties for sanctions violations based on strict liability, meaning that a person subject to U.S. jurisdiction may be held civilly liable even if such person did not know or have reason to know that it was engaging in a transaction that was prohibited under sanctions laws and regulations administered by OFAC."
Outlined in the advisory statement, OFAC gave examples of when ransomware operators were designated as sanctioned malicious actors.
Here is a timeline of notable designations:
- Dec. 2016 — Cryptolocker developer Evgeniy Mikhailovich Bogachev for infecting more than 234,000 computers worldwide
- Nov. 2018 — Two Iranian individuals for laundering SamSam ransomware funds
- Sept. 2019 — North-Korea-sponsored Lazarus Group and subgroups, Bluenoroff and Andariel, for infecting more than 300,000 computers in 150 countries with WannaCry 2.0
- Dec. 2019 — Russia-based Evil Corp's founder Maksim Yakubets for leading the distribution of Dridex malware, which resulted in more than $100 million in theft
- Sept. 2021 — SUEX OTC, S.R.O., after discovery that more than 40% of its transactions were related to illicit Maksim Yakubets
The Office of Foreign Assets Control reinforced the importance of not paying ransom demands, but also extended this to parties that might pay ransom on behalf of victims.
Government recommendations around ransomware
The OFAC advisory also outlines the following recommendations for ransomware risk mitigation:
1. Implement a risk plan to mitigate possible breaches, especially for financial institutions and others privy to sensitive information.
[RESOURCES: SecureWorld has a lineup of virtual conferences and webinars with expert-level speakers on how to create an anti-ransomware initiative at your organization. Each are eligible for CPE credit.]
2. Do not pay the ransom or allow anyone to pay the ransom for your organization if you are a victim.
"Such payments not only encourage and enrich malicious actors, but also perpetuate and incentivize additional attacks. Moreover, there is no guarantee that companies will regain access to their data or be free from further attacks themselves. For these reasons, the U.S. government strongly discourages the payment of cyber
ransom or extortion demands."
3. Contact the proper authorities and report the attack. Organizations can reach out to agencies like CISA, FBI, U.S. Treasury's Office of Cybersecurity and Critical Infrastructure Protection (OCCIP), and U.S. Secret Service.
"By reporting ransomware attacks as soon as possible, victims may also increase the likelihood of recovering access to their data through other means, such as alternative decryption tools, and in some circumstances may be able to recover some of the ransomware payment. Additionally, reporting ransomware attacks and payments provides critical information needed to track cyber actors, hold them accountable, and prevent or disrupt future attacks," says OFAC.
Will these steps by the U.S. Treasury result in fewer ransomware attacks? Discuss in the comments below. SecureWorld News will report on any updates as they come in.
