U.S. Treasury sanctions cryptocurrency exchange for alleged role in ransomware attacks

The U.S. Treasury Department announced Tuesday it will sanction a cryptocurrency exchange for its alleged role in laundering ransoms for cyberattacks.

It marks the first such action against a virtual currency exchange and comes after a string of cyberattacks crippled several industries and even threatened U.S. government agencies. The Treasury said ransomware payments totaled more than $400 million in 2020 alone, more than four times that of 2019.

Ransomware is a type of cyberattack where actors often shut down access to key programs and demand payment, usually in a cryptocurrency like bitcoin, to unlock them.

The department’s Office of Foreign Assets Control will designate the cryptocurrency exchange Suex for allegedly playing a role in facilitating financial transactions for ransomware actors.

While the Treasury emphasized that most virtual currency activity is legal, technologies facilitating those payments can be exploited by bad actors. Cryptocurrency transactions are decentralized and can be harder to trace than those conducted through traditional financial institutions. The department said that in Suex’s case, it helped facilitate illegal activity “for their own illicit gains.”

The department alleged that Suex “has facilitated transactions involving illicit proceeds from at least eight ransomware variants.” It also said that more than 40% of the company’s known transaction history is “associated with illicit actors.”

The new designation means it will be much harder for Suex to do business with U.S. entities. U.S. citizens are generally banned from performing transactions with sanctioned entities and financial institutions that engage in certain activities with them could themselves face sanctions or enforcement actions.

In addition to the action against Suex, the department clarified its guidance for businesses on how to respond to ransomware attacks. The guidance “strongly encourages victims and related companies to report these incidents to and fully cooperate with law enforcement as soon as possible,” according to a press release, and continues to discourage them from paying ransoms.

The advisory also states that U.S. entities could be penalized for making payments to a sanctioned actor, even if they’re unaware of that fact, like in the case of paying a ransom. Still, the guidance says OFAC would consider a company’s cooperation over a ransomware attack in determining its ultimate consequences.

The government has emphasized the importance of its own knowledge of cyberattacks to help mitigate harm. The value of such knowledge became clear last year through the attack on SolarWinds, which affected several government agencies. That assault came to light after another cybersecurity company, FireEye, reported a sophisticated attack on its own systems. Microsoft President Brad Smith told lawmakers that FireEye’s disclosure was critical to understanding the extent of the attack.

Since then, lawmakers have introduced a measure that would require government contractors and critical infrastructure companies to disclose cyberattacks, while granting them a limited safe harbor from legal action over those disclosures.