U.S. Treasury aims to discourage ransomware payments
The move to sanction cryptocurrency exchanges that facilitate ransomware payments made by the U.S. Department of Treasury is clearly intended to discourage businesses from caving into the demands of the cybercriminals that launch these attacks. However, it may in the end only serve to shift payments to cryptocurrency exchanges that are based on decentralized blockchain platforms that are deliberately constructed to make it more difficult to track payments.
In addition to issuing sanctions that prevent U.S. citizens from using crypto currency exchanges such as SUEX that are suspected of facilitating illicit transactions, the Office of Foreign Assets Control (OFAC) has also updated an advisory to emphasize how strongly companies are now discouraged to make ransomware payments.
Under the authority of the International Emergency Economic Powers Act (IEEPA) or the Trading with the Enemy Act (TWEA), U.S. citizens are generally prohibited from engaging in transactions, directly or indirectly, with individuals or entities listed on a Specially Designated Nationals and Blocked Persons List (SDN List), specific individuals and certain countries such as Cuba and North Korea. Any transaction that causes a violation under IEEPA, including a transaction by a non-U.S. person that causes a U.S. person to violate it, is also prohibited. U.S. citizen, wherever located, are also generally prohibited from facilitating actions of non-U.S. persons.
OFAC may impose civil penalties for sanctions violations based on strict liability, meaning that a person subject to U.S. jurisdiction may be held civilly liable even if such person did not know or have reason to know that it was engaging in a transaction that was prohibited under sanctions laws and regulations. OFAC strongly encourages victims and related companies to report these incidents to and fully cooperate with law enforcement as soon as possible to make sure they receive voluntary self-disclosure credit in the event violation of sanctions are later discovered.
The first set of sanctions against an exchange are being applied to SUEX. The Treasury Department estimates that 40% of all transactions at the sanctioned cryptocurrency exchange operating in Russia involve illicit activities. SUEX itself is headquartered in the Czech Republic. The Treasury Department also noted that in 2019 the Financial Action Task Force (FATF) created by the G7 group of countries amended its standards to require all countries to regulate and supervise virtual asset service providers (VASPs), including exchanges, and to mitigate risks when engaging in virtual asset transactions. Countries are expected to impose customer due diligence (CDD) requirements and report suspicious transaction reporting obligations across VASPs.
As well intentioned as these moves might be, there’s a fly in the proverbial sanction ointment. A decentralized exchange (DEX) employs a distributed ledger to facilitate transactions, it doesn't store user funds and personal data on its servers. Instead, that type of exchange only matches bids to buy or sell assets. Cybercriminals will undoubtedly shift demands for payments to this type of cryptocurrency exchange. It may be illegal to use one of these exchanges as the sanctions list grows over time but determining whether a payment was made will be extremely difficult.
Nevertheless, it’s clear the risks associated with making those payments are rising so victims of ransomware should consider just how valuable their data may be should somebody the U.S. Treasury one day start asking some very pointed questions that are likely to be a lot more costly to answer than the ransomware payment itself.