Treasury Sanctions SUEX Exchange for Laundering Ransoms
The Biden administration fired another shot in its battle against ransomware Tuesday as the U.S. Treasury Department took steps to disrupt the financial infrastructure behind ransoms, designating for sanctions the SUEX OTC, S.R.O. virtual currency exchange for laundering ransom payments.
By designating SUEX, the Treasury Department’s Office of Foreign Assets Control (OFAC) is blocking the exchange’s property (and interests in property) that are under U.S. jurisdiction. In addition, if a designated person owns 50% or more of an entity, they also can be blocked; those involved in some transactions or activities – whether individuals or financial institutions – could be exposed to sanctions or some other penalty.
While the actions taken against SUEX aren’t attached to a particular ransomware-as-a-service (RaaS) or ransomware variant, the agency said an analysis of the exchange’s activities found transactions made for at least eight ransomware variants.
“This advisory is really a final warning for companies to get their security operations in order,” said Jake Williams, co-founder and CTO at BreachQuest. “The vast majority of ransomware incidents we respond to were trivially preventable.”
The government, he said, “sees companies facilitating ransomware payments as encouraging future ransomware attacks.”
The new advisory may prevent organizations from paying attackers to recover their data, “making it even more critical that they do what they can now to ensure they don’t suffer a ransomware attack in the first place,” said Williams.
Praising the Biden administration for doing “more for cybersecurity awareness and direction than we’ve seen in the past,” Bill O’Neill, vice president of public sector at ThycoticCentrify, added that, “The idea of disincentivizing organizations from paying out a ransom to attackers will likely only end up backfiring and having an adverse effect economically.” While the average company most often folds to ransomware demands “because they lack the proper knowledge, resources and technology to wrest [back] control of the data that was stolen from them to begin with,” O’Neill said, “Penalizing business owners for complying will only hurt them twofold while doing nothing to ultimately stop attacks from happening.”
If attackers can’t get ransom, then they’ll turn to the black market to make money by selling the data they pilfered. “Their victims, however, will be exponentially worse off and possibly open to further attacks,” said O’Neill. “The better approach would be to continue introducing policies and programs to raise awareness and educate organizations about the best ways to stay safe and prevent attacks, as well as providing resources surrounding key technologies to implement to help further minimize risks.”
The sanctions might be a good first step, but John Bambenek, principal threat hunter at Netenrich, said, “What is more important in stopping ransomware is finding those involved and getting them brought to justice; these kinds of actions could also impair intelligence collection on those bad actors.”
Brent Johnson, CISO at Bluefin, said that while the sanctions “should increase the security and monitoring programs of currency exchanges, and perhaps make it more difficult to exfiltrate proceeds, it’s my belief this will drive ransomware payments more towards privacy coins and the use of decentralized exchanges to facilitate payments … and so the game continues.”
Treasury Secretary Janet L. Yellen said in a release that Treasury is “committed to using the full range of measures, to include sanctions and regulatory tools, to disrupt, deter and prevent ransomware attacks.”
Among the other measures outlined today are those meant to improve cybersecurity in the private sector and ramping up incident and ransomware payment reporting by organizations that have experienced an attack.
OFAC issued an Updated Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments to stress the importance of improving cybersecurity practices as well as reporting to, and cooperating with, appropriate U.S. government agencies when experiencing a ransomware attack.
