Yesterday, the Treasury Department's Office of Foreign Assets Control (OFAC) announced sanctions on SUEX OTC, S.R.O, a cryptocurrency exchange, for its role in laundering money for ransomware attackers. According to OFAC, SUEX facilitated illicit transactions involving at least eight ransomware variants, and 40% of SUEX's known transaction history involved bad actors. The designation of SUEX is the first time OFAC has sanctioned a virtual currency exchange, and this approach may prove to be a useful regulatory tool to make malicious cyber activity less profitable and therefore deter cyber-criminals. Treasury Secretary Janet Yellen said the government is "committed to using the full range of measures, to include sanctions and regulatory tools, to disrupt, deter, and prevent ransomware attack[s]."
In addition to designating SUEX, OFAC updated its guidance on the risks companies face for playing a role in ransomware payments (see here). We are providing a redline of the guidance against OFAC's prior guidance from 2020 for your reference.
Ransomware Attacks: Business and National Security Threat
Ransomware attacks have been on the rise, both by individual criminal and state actors. According to the Treasury Department, ransomware payments totaled more than $400 million in 2020, more than four times that of 2019. As a refresher, ransomware attacks are a type of cyberattack that shuts down an entity's network and systems and demands payment, often in cryptocurrency, in exchange for restoring access. The government views malicious cyber activity both as criminal and as a threat to national security. We saw how the SolarWinds hack, which we discussed here, and the Colonial Pipeline attack significantly impacted government agencies, private companies, and the public at large. Payments to ransomware attackers incentivize malicious activity and fund more criminal ransomware attacks.
The designation of SUEX, coupled with the guidance OFAC issued, highlights the risks faced by entities that facilitate ransomware payments and by companies that may be considering making such payments. If you are subject to U.S. sanctions, that severely restricts your ability to do business in or with the United States. Currently, there are third-party consultants that negotiate with cyber-attackers and facilitate the payment of ransoms. This action against SUEX emphasizes that making or facilitating these payments could subject you to severe penalties.
"Companies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but also may risk violating OFAC regulations," said the Treasury Department.
What Should You Do?
For now, OFAC's action does not directly impact broader cryptocurrency exchanges, but SUEX's designation should serve as a warning to other virtual currency platforms and encourage them to examine their practices to ensure they are not facilitating payments to bad actors. Compliance with sanctions and anti-money laundering rules and regulations is a challenge in the virtual currency world. Transactions are decentralized, and KYC / due diligence of users is not straightforward. But especially when it comes to ransomware attacks, the FBI and OFAC are working together to ramp up enforcement. Virtual currency exchanges should heed OFAC's guidance and implement best practices to protect against OFAC and AML violations.
In particular, the updated OFAC guidance highlights the importance for companies of implementing cybersecurity practices to reduce the risk of extortion by a sanctioned person. Such practices may include maintaining offline backups of data, developing incident response plans, instituting cybersecurity training, regularly updating antivirus and anti-malware software, and employing authentication protocols, among others. If a company is the subject of an attack and pays a ransom involving a sanctioned party, while it could be subject to penalties, OFAC will consider the company's protective steps, as well as its reporting of the attack to law enforcement, as mitigating factors when it assesses penalties (i.e., No Action Letter/Cautionary Letter vs. steep civil penalties).
Copyright © 2021, Sheppard Mullin Richter & Hampton LLP. National Law Review, Volume XI, Number 265