ArchiveOODA Original

U.S. Treasury’s Response to Ransomware Gangs: Punish the Attackers and the Victims

In late September 2021, the U.S. Department of Treasury (DoT) levied sanctions against the Russian cryptocurrency exchange Suex for its part in facilitating the laundering of transactions from at least eight ransomware groups. This latest move to “follow the money” is designed to hinder ransomware operations that rely on cryptocurrency to receive ransom payments from victims. According to one company specializing in blockchain analysis, Suex is registered in the Czech Republic though most of its operations are conducted in Moscow and St. Petersburg. Per the DoT, since it began in 2018, Suex maintained approximately 25 digital addresses that received more than $481 million in Bitcoin alone (this does not include other cryptocurrencies), approximately $160 million in transfers were associated with the Ryuk, Conti, and Maze ransomware operators, as well as darknet markets, other criminal scams, and “high risk” exchanges.

Ransomware gangs have been a scourge, their notoriety increasing as these operators target large organizations for top dollar ransom amounts. Worse, critical infrastructure entities are consistently in these groups’ crosshairs. Colonial Pipeline and JBS suffered ransomware serious attacks and ended up paying $4.4 million and $11 million, respectively. The fact that these successful compromises ended up impacting supply chains proved a powerful coercive tactic to encourage these organizations to pay up. Recent reporting indicates that victims paid approximately $350 million in ransom payments in 2020 (the DoT put this number closer to$400 million), a 311 percent increase from the previous year. The monies received have been used to fund other cybercriminal activities, further indicative of how ransomware activities support the larger cybercriminal ecosystem.

Cryptocurrency is pivotal to sustaining this environment and is the lifeblood of cybercriminals, especially ransomware gangs, due to its relative anonymity, decentralization, and difficulty tracing. The importance of cryptocurrency exchanges led one security researcher to develop a crowdsourced ransomware tracker. The site allows for the breakdown of victim payments linked to a dozen ransomware variants by “all time,” “this year,” “this month,” and “this week.” While ambitious, the site relies on the contributions of individuals to help enrich the understanding of the transactions of ransomware groups. Since its creation, cryptocurrency was designed to avoid governmental control, complicating attempts to track and regulate it. While exchanges occur on a “public ledger” – a visible record-keeping system where one can see transactions taking place – the identities of parties are anonymized, making it difficult to assign a digital wallet to a particular individual. Complicating matters is that cybercriminals likely maintain more than one wallet, moving money around frequently, further hindering attribution efforts.

Alas, difficult is not impossible. After the Colonial Pipeline attack, the Federal Bureau of Investigation (FBI) showed that capabilities exist to put a name to an account. According to court documents, the FBI investigated more than twenty cryptocurrency accounts to find perpetrators responsible, using court orders to allow for the seizing of funds. However, given the volume of gangs and their affiliates operating globally, it is inconceivable to think that any law enforcement entity has enough resources to pursue every attack. Colonial Pipeline was a major critical infrastructure entity, but smaller or less essential organizations may not elicit investigative assistance from the country’s premier law enforcement agency.

Therefore, on the surface, the sanctioning of Suex seems to be a new approach in trying to mitigate this pernicious threat by going after the financial underpinning of ransomware activities. Dovetailing with this is the U.S. Office of Foreign Assets Control (OFAC) updating its October 2020 Advisory on Potential Sanctions Risks for Facilitating Ransomware Payments. This OFAC advisory notes that ransom payment may violate statutes prohibiting “U.S. persons” (which include citizens/nationals/corporations) from engaging in financial transactions (including cryptocurrency ransom payments) with people listed either on the U.S. or international sanctions registries. The new advisory states that OFAC may “impose civil penalties for sanctions violations on strict liability.” This means that a “person” can be held culpable regardless of knowledge of the transaction or unaware of the prohibited nature of the transactions or the transactions themselves. Worse, sanctions can be applied to any entity associated with that person providing “cyber insurance, digital forensics and incident response, and financial services that may involve processing ransom payments.”

It appears that the Biden Administration is going after the money on both fronts, using a stick to punish both criminals and victims alike. This is a strange tactic as it puts victims on the same level as the criminals that extort them, which is hardly fair. While it’s certainly understandable that the government does not want ransom payments to perpetuate ransomware activities, penalizing companies for being targeted and compromised hardly seems an effective strategy. It runs counter to one of the government’s long-standing goals of further developing and refining public-private partnerships when it comes to cyber security. Instead of coming together as equals, the strong-arm tactic of imposing “strict liability” fulfills only one goal – compelling corporations to fall in line. OFAC’s updated advisory reflects an “easy” approach to the problem, and unnecessary and uninvited government surveillance and/or monitoring.

On October 1, the White House issued a statement that in addition to these measures, the United States would be partnering with approximately 30 nations from NATO and the G7 on this and other “cybercrime” activities. This is a better plan of attack – as a global problem demands a global response that requires international engagement, the establishment of treaties, partnership agreements with stakeholders, and collaborating with global law enforcement entities. If successful, this collaboration could reduce the areas where cybercriminals operate, herding them to specific countries as safe havens. This in turn would allow for the opportunity of “partnerships” to engage with these states directly or influence their behavior via political and economic channels when necessary.

This all sounds good, but putting it into practice is another matter. The United States has a chance to assume a natural leadership role, one that would speak volumes for one of the world’s leading cyber powers and the global advocate of state responsibility in cyberspace. This could lead to other big breakthroughs as well. Whereas states have been at an impasse on issues like internet governance and international cyber norms. If the U.S. fails to be that driving force, it risks opening the door for other states to get an upper hand on how they want to define the problem – and the solutions. Biden has told U.S. allies on several occasions that “America is back.” Leading by example is the best way to prove through deeds, not words.

Related Reading:

Ransomware gangs continue to evolve their tactics to stay one step ahead of network defenders and those tracking their developments.  Increased reporting that ransomware gangs – particularly Russian groups – are collaborating with one another is another example of this type of evolution.  See The Next Evolution of Ransomware Gangs: Collaboration.

Black Swans and Gray Rhinos

Now more than ever, organizations need to apply rigorous thought to business risks and opportunities. In doing so it is useful to understand the concepts embodied in the terms Black Swan and Gray Rhino. See: Potential Future Opportunities, Risks and Mitigation Strategies in the Age of Continuous Crisis

Cybersecurity Sensemaking: Strategic intelligence to inform your decisionmaking

The OODA leadership and analysts have decades of experience in understanding and mitigating cybersecurity threats and apply this real world practitioner knowledge in our research and reporting. This page on the site is a repository of the best of our actionable research as well as a news stream of our daily reporting on cybersecurity threats and mitigation measures. See: Cybersecurity Sensemaking

Corporate Sensemaking: Establishing an Intelligent Enterprise

OODA’s leadership and analysts have decades of direct experience helping organizations improve their ability to make sense of their current environment and assess the best courses of action for success going forward. This includes helping establish competitive intelligence and corporate intelligence capabilities. Our special series on the Intelligent Enterprise highlights research and reports that can accelerate any organization along their journey to optimized intelligence. See: Corporate Sensemaking

Artificial Intelligence Sensemaking: Take advantage of this mega trend for competitive advantage

This page serves as a dynamic resource for OODA Network members looking for Artificial Intelligence information to drive their decision-making process. This includes a special guide for executives seeking to make the most of AI in their enterprise. See: Artificial Intelligence Sensemaking

COVID-19 Sensemaking: What is next for business and governments

From the very beginning of the pandemic we have focused on research on what may come next and what to do about it today. This section of the site captures the best of our reporting plus daily daily intelligence as well as pointers to reputable information from other sites. See: OODA COVID-19 Sensemaking Page.

Space Sensemaking: What does your business need to know now

A dynamic resource for OODA Network members looking for insights into the current and future developments in Space, including a special executive’s guide to space. See: Space Sensemaking

Quantum Computing Sensemaking

OODA is one of the few independent research sources with experience in due diligence on quantum computing and quantum security companies and capabilities. Our practitioner’s lens on insights ensures our research is grounded in reality. See: Quantum Computing Sensemaking.

The OODAcast Video and Podcast Series

In 2020, we launched the OODAcast video and podcast series designed to provide you with insightful analysis and intelligence to inform your decision making process. We do this through a series of expert interviews and topical videos highlighting global technologies such as cybersecurity, AI, quantum computing along with discussions on global risk and opportunity issues. See: The OODAcast

Emilio Iasiello

Emilio Iasiello

Emilio Iasiello has nearly 20 years’ experience as a strategic cyber intelligence analyst, supporting US government civilian and military intelligence organizations, as well as the private sector. He has delivered cyber threat presentations to domestic and international audiences and has published extensively in such peer-reviewed journals as Parameters, Journal of Strategic Security, the Georgetown Journal of International Affairs, and the Cyber Defense Review, among others. All comments and opinions expressed are solely his own.