OFAC imposes new sanctions to thwart ransomware
On September 21, 2021, the US Treasury Department’s Office of Foreign Assets Control (“OFAC”) imposed its first sanctions on a Russian-operated virtual currency exchange implicated in ransomware payments and issued an updated advisory on the sanctions risks of ransomware payments. At the same time, Deputy Treasury Secretary Wally Adeyemo was careful to point out that “the vast majority of activities that take place in virtual currencies are legitimate activities”. The actions are part of what the Treasury Department has described as a whole-of-government effort targeting ransomware networks and certain virtual currency exchanges – those that are either illegal or operate at the limit of legality – that support them. In a ransomware attack, a cyber actor uses malware to encrypt data on a victim’s computer system and only decrypts it if the victim pays a ransom, usually in cryptocurrency.
OFAC has targeted only one Russian-operated virtual currency exchange, but its action signals a broader focus on middlemen who launder ransom payments or otherwise facilitate ransomware attacks. The advisory of September 21, 2021 (the “Updated Advisory”) builds on the guidance provided in its predecessor of October 2020 on OFAC’s expectations of how victims and others should act before, during and after an attack. All businesses, especially those in sectors such as financial services that are often the target of ransomware attacks, and cybersecurity companies that help victims manage attacks, should review the updated advisory and incorporate its advice into their ransomware planning.
New Sanctions and Updated Cryptocurrency Advisory
US businesses are generally prohibited from engaging in financial transactions with individuals identified on OFAC’s Specially Designated Nationals and Blocked Persons (“SDN”) list, and with those located in certain sanctioned countries or territories, notably Cuba, Iran and the Crimean region of Ukraine. Non-U.S. companies can also violate U.S. sanctions if they cause an American person to violate sanctions prohibitions. And, as OFAC states in the updated advisory, a ransomware payment made to a sanctioned person or country would violate US law even if the victim of the ransomware attack was unaware of the link to sanctions.
Victims of ransomware attacks and those who could facilitate the payment of a ransom face a significant compliance challenge, as penalties apply even if the payer does not know they have paid a sanctioned party. Users of some virtual currency exchanges may operate under pseudonyms, which means that exchanges and other businesses in the industry, many of which do not have robust Know Your Customer (“KYC”) identification protocols, may have difficulty determining the identity of ransomware perpetrators or other intermediaries in order to compare them against the SDN list and to comply with the requirements of United States anti-money laundering (“AML”) laws and regulations. In its previous advisory, issued in October 2020, OFAC had encouraged companies to develop risk-based compliance programs to mitigate the risk of exposure to sanctions violations, report attacks to law enforcement, and cooperate with law enforcement, and asserted that it would consider these actions as “an important mitigating factor[s] when evaluating a possible application result.”
The updated advisory, along with the sanctions designation of a Russian-operated virtual currency exchange, elaborates on this guidance and provides additional information on OFAC’s approach to combating ransomware attacks.
Focus on exchanges. The Treasury is now focusing its anti-ransomware strategy on certain virtual currency exchanges, which OFAC has described as the “primary means of facilitating ransomware payments and associated money laundering activities.” In a briefing, Deputy Secretary Adeyemo noted that while “the vast majority of activities that take place in virtual currencies are legitimate activities,” the use of peer-to-peer exchanges, mixers and services by criminals “is not in our national interest”. He further stated that “the Treasury will prioritize the identification of nested exchanges dealing with a high percentage of illicit activity”.
OFAC’s designation, the first of its kind, of SUEX OTC, SRO (“SUEX”), a Russian-operated virtual currency exchange registered in the Czech Republic, illustrates this strategy. OFAC found not only that SUEX facilitated financial transactions involving illicit proceeds from at least eight ransomware variants, but also that 40% of its transaction history involved illicit actors. The Treasury Department wrote that SUEX met the criteria for designation under the Cyber Malicious Activity Sanction Authority because it “provide[s] material support for the threat posed by criminal ransomware actors.”
Sanctions and AML / KYC. The SUEX designation signals that some cryptocurrency exchanges need to strengthen their AML compliance and anti-terrorist financing (“CFT”) programs to avoid facilitating illicit activity and to prevent sanctioned individuals from performing transactions on their platforms, in particular by implementing full KYC protocols. In its press release, the Treasury noted that the virtual currency industry plays “a critical role in implementing appropriate AML / CFT controls and sanctions to prevent sanctioned persons and other illicit actors from exploiting virtual currencies to undermine US foreign policy and national security interests.” It also highlighted its international cooperation on improving AML compliance for crypto service providers and exchanges, and pointed to previous guidance from the Financial Crimes Enforcement Network (“FinCEN”) applying the AML and Bank Secrecy Act rules to virtual currency exchanges and money services businesses.
US government awareness. OFAC also provided additional details on specific cooperative steps ransomware victims can take to mitigate exposure to sanctions. Notably, the new advisory did not establish any formal mechanism for a ransomware victim to work with OFAC to determine if the perpetrator has any connection to sanctions. However, it did offer advice on the appropriate channels for reporting an attack with sanctions implications. The October 2020 advisory generally stated that “automatic, prompt, and complete reporting of a ransomware attack to law enforcement” would be “an important mitigating factor in determining an appropriate enforcement outcome if the situation is later determined to have a bond of sanctions.” Now, the updated advisory specifies two relevant US government agencies that ransomware victims should consider contacting if they suspect a sanctions issue: the Cybersecurity and Infrastructure Security Agency (“CISA”) and the Treasury Department’s Office of Cybersecurity and Critical Infrastructure Protection (“OCCIP”). It also provides that OFAC will consider these reports to be voluntary self-disclosure (for which companies are typically only credited by OFAC when OFAC learns of an apparent violation before other parts of the U.S. government), and that these mitigation efforts may result in the non-public resolution of a violation, for example through a no-action letter.
Risk-based compliance. The updated advisory also offers more specific guidance on the type of risk-based compliance programs that will be considered as mitigating measures for any sanctions violation. While the previous advisory encouraged financial institutions and others to implement risk-based compliance programs to mitigate exposure to sanctions violations, the September 2021 advisory further indicates that meaningful steps to do so, in particular through the types of cybersecurity practices highlighted in CISA’s Ransomware Guide, will be “an important mitigating factor in any OFAC enforcement response”. Businesses providing financial services should consider following these specific compliance guidelines.
Expected future action
The United States government has taken important steps in recent weeks to combat ransomware threats: the Department of Justice has created a task force on ransomware and digital extortion, and the government has launched a single ransomware resource, StopRansomware.gov, to bring together cybersecurity resources from across government, among other steps. OFAC’s announcement this week reinforces the U.S. government’s increased attention to the role virtual currencies, and certain virtual currency exchanges in particular, play in ransomware attacks. Industry players should expect OFAC to take additional steps in the future to ensure that these payment mechanisms are not used to circumvent long-standing sanctions and AML priorities. Treasury Secretary Janet Yellen affirmed the Treasury Department’s commitment to use sanctions to “disrupt, deter and prevent ransomware attacks,” which we hope will not only be reflected in future designations, but also in civil enforcement actions against exchanges and others that fail to take adequate measures to mitigate the risk that they facilitate the use of virtual currency in carrying out ransomware attacks.