The White House imposed sanctions Tuesday against SUEX, a virtual currency exchange that enables users to trade cryptocurrency or other digital currencies, for its role in facilitating financial transactions for ransomware actors. Spearheaded by the Treasury Department’s Office of Foreign Assets Controls (OFAC), the new commercial and financial penalties against SUEX are intended to punish the platform “for its part in facilitating financial transactions for ransomware actors, involving illicit proceeds from at least eight ransomware variants,” according to Deputy Treasury Secretary Wally Adeyemo.
Tuesday’s announcement marks the first time OFAC has punished a virtual exchange for complicity in criminal ransomware activity. An analysis of known SUEX activity has shown that over 40% of transactions were associated with illicit actors, the Department of Treasury says.
“We recognize that the vast majority of activity that’s happening in the virtual currencies is legitimate activity,” Adeyemo told reporters during a briefing. “But we also do know that these criminals are using some of these exchanges and mixers, and peer to peer services to conduct illicit activity that is not in our national interest.”
In 2020, ransomware payments reached over $400 million. The FBI has indicated a nearly 21% increase in reported ransomware cases and a 225% increase in associated losses from 2019 to 2020.
The actions represent a significant step in the Biden administration’s efforts to starve parts of the crypto ecosystem that have knowingly fostered the business of ransomware in recent months and years.
“Treasury will prioritize the identification of nested exchanges transacting high percentages of illicit activity,” Adeyemo said.
The targeted sanctions stop far short of handicapping the entire cryptocurrency infrastructure, but serve as a warning for other platforms where ransomware transactions are suspected of taking place, nudging them to shore up compliance programs or avoid illicit transactions altogether.
After a ransomware variant known as Cryptolocker was used to infect more than 234,000 computers – about half of which were in the U.S. — OFAC sanctioned the developer of Cryptolocker, Evgeniy Mikhailovich Bogachev, in December 2016.
When SamSam ransomware was used to target U.S. government institutions and companies, including the City of Atlanta and the Colorado Department of Transportation, OFAC designated two Iranians for providing material support to a malicious cyber activity in 2018. The Treasury Department also identified two virtual currency addresses used to funnel SamSam ransomware proceeds.
And when the ransomware known as “WannaCry 2.0” notoriously infected approximately 300,000 computers in at least 150 countries in May of 2017, OFAC designated the Lazarus Group, the cybercriminal organization sponsored by North Korea, behind the attack.
More recently, the Biden administration has hastened to respond to a slew of high-profile ransomware attacks this spring, including several seven- and eight-figure ransoms traced back to Russia. Cyber attacks on critical infrastructure have prompted the shutdown of a major U.S. pipeline, a large meatpacking company and numerous hospitals, schools, municipalities and small businesses.
As a result of Tuesday’s designation, “all property and interests in property of [SUEX] that are subject to U.S. jurisdiction are blocked, and U.S. persons are generally prohibited from engaging in transactions with them. Additionally, any entities 50% or more owned by one or more designated persons are also blocked,” according to guidance issued by OFAC.
The Treasury Department will also update its 2020 ransomware sanction guidance to public and private entities to strongly discourage the payment of ransoms and “recognize the importance of cyber hygiene in preventing or mitigating such attacks,” by incentivizing information sharing with law enforcement among ransomware victims.
“We make an express statement that the U.S. government strongly discourages the payment of cyber ransoms or extortion demands,” Adeyemo said. “If a company determines that it’s in their best interest to pay these demands, OPAC guidance makes clear that the best way to protect that company from the risk of paying a sanctioned entity is to report the fact that they have been attacked to law enforcement and to [the Department of Treasury.]”
Other agencies have previously shouted these warnings. “Paying a ransom may embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or may fund illicit activities,” CISA wrote in an advisory, last month.
Deputy national security adviser Anne Neuberger told reporters that the Biden administration will host a meeting with international partners next month to discuss counter ransomware efforts and policy solutions.
In July, President Biden warned Russian President Vladimir Putin that he would take “any action necessary” to defend the U.S. against ransomware attacks initiated on Russian soil.
“There is no indication that the Russian government has taken action to crack down on ransomware actors,” Paul Abbate, FBI deputy director,, last week.
NEW Cooperative, a Northern Iowa agricultural company responsible for operating grain elevators, purchasing crops from farmers and selling fertilizer, among other tasks, was reportedly targeted by BlackMatter, just last week. The criminal ransomware gang is believed to be linked to the ransomware group DarkSide – the actors behind the Colonial Pipeline’s forced shutdown – according to many cyber analysts.
“We’re tracking the ransomware incident, but we’re not seeing a particular impact at this time,” Neuberger briefed reporters, adding that the National Security Council continues to work with the FBI and company, but has not yet attributed the attack.