28 September 2021

Treasury Takes Aim at Ransomware and Illicit Cryptocurrency Trading

RADM (Ret) Mark Montgomery and Annie Fixler

As a result of the sanctions, Washington will block SUEX’s ability to interact with the U.S. financial system, and international banks will likely cut off the exchange as well because of SUEX’s failure to prevent illicit transactions. While malicious actors often exploit unwitting exchanges to move their ill-gotten gains, SUEX facilitates illegal activities for its own profit, Treasury said. More than 40 percent of the transactions on SUEX occur between criminals, Treasury estimated, and the exchange has facilitated proceeds from at least eight ransomware groups.

The sanctions also demonstrate the department’s modus operandi of targeting smaller actors with limited ties to the United States to pressure larger ones into preventing illicit activity more assiduously. “Shutting down one exchange will not materially alter the threat landscape,” Rep. Jim Langevin (D-RI) observed, but it is “an important demonstration of our resolve.”

Michael Phillips, co-chair of the Ransomware Task Force, a coalition of government agencies, private industry groups, and think tanks, noted that “sanctioning those bad actors puts pressure on actors who may be operating in a grayer space, who may [now] be inclined to start to invest in compliance.”

The Russia-based SUEX may indeed be a smaller target in the cryptocurrency ecosystem, but it “filled an essential niche” for converting “illicit crypto ransoms into real-world currency,” the blockchain intelligence and analytics firm TRM Labs explained in a Tuesday report on SUEX’s operations.

According to blockchain data platform Chainalysis, whose research Treasury used as part of its investigation into SUEX, 82 percent of all ransomware funds transit only five cryptocurrency exchanges. Chainalysis estimates that SUEX alone has received and facilitated tens if not hundreds of millions of dollars’ worth of cryptocurrency payments associated with ransomware and other cybercrime.

Treasury also issued updated guidance reminding companies that paying ransoms may run afoul of existing laws if Treasury has previously sanctioned the hackers or anyone else involved in the transaction. The guidance echoes other government requests for victims to work with law enforcement and not to pay ransoms, but includes a more explicit incentive: If Treasury discovers a nexus between the ransomware payment and a designated entity in the future that would lead to penalties against the company paying the ransom, the victim’s “full and ongoing cooperation with law enforcement both during and after a ransomware attack” will be a “significant mitigating factor.” In other words, Treasury is unlikely to take action against the company if it reported the cyber incident to law enforcement.

As part of a larger government effort, deploying Treasury’s most pointed economic tool can help combat ransomware and other illicit transactions that have blossomed in the age of cryptocurrencies. Treasury can shape market behavior and make it harder for bad actors to move illicit funds. In June 2021, the Justice Department revealed other tools to make ransomware unprofitable when it announced it had clawed back the profits from the May ransomware attack against Colonial Pipeline by Russia-based hackers.

At the end of the day, hackers will keep launching ransomware attacks until they are no longer profitable. Decreasing ransomware’s profitability by making it harder to move money and by stripping hackers of their intake constitutes an important cost-imposition strategy. But the solution also entails convincing private companies to invest in cybersecurity and to build their resilience so that when hackers try to extort payments, victims can refuse to pay.

Long-term success in the fight against ransomware will occur only if the Biden administration follows through on Deputy Secretary Wally Adeyemo’s pledge on Tuesday that this is just the first of many actions to come.
