Potential Sanctions Risks for Facilitating Ransomware Payments

By Alejandro Leanez, ACSS
October 1, 2021

Ransomware payments in response to cyberattacks are increasing while becoming more focused, sophisticated and costly.

In 2020, ransomware payments reached over $400 million, more than four times that of 2019. The FBI estimates that in 2019-2020 reported ransomware cases increased by 21% and associated losses by 225%.

The attacks are carried out against private and governmental entities in all sectors and of all sizes. In some cases, the attacks included vulnerable entities such as small businesses, which often allocate fewer resources for cyber protection and tend to make quick payments to the attackers for service restoration.

OFAC has targeted many malicious cyber actors under its cyber-related sanctions program and other sanctions programs, which include both those who facilitate ransomware transactions and perpetrators of ransomware attacks.

OFAC Enforcement Actions

SUEX

In September 2021, SUEX OTC, S.R.O. (SUEX), became the first virtual currency exchange designated by OFAC for facilitating financial transactions for ransomware actors. These included at least eight ransomware variants with illicit proceeds. An analysis of known SUEX transactions showed that over 40% of illicit actors were within SUEX’s transaction history.

OFAC said that, while most virtual currency activity is legal, virtual currencies can flow through illicit activities that facilitate sanctions evasion, ransomware schemes, and other cyber crimes.

Lazarus Group

In September 2019, OFAC designated Lazarus Group and two sub-groups, Bluenoroff and Andariel, allegedly affiliated with the government of North Korea.

Lazarus Group, which reportedly supports illicit weapon and missile programs, targets institutions such as government, military, financial, manufacturing, publishing, media, entertainment and international shipping companies, and critical infrastructure. Its tactics include cyber espionage, data theft, monetary heists, and destructive malware operations.

In May 2017, ransomware known as WannaCry 2.0 infected approximately 300,000 computers in at least 150 countries. This attack was linked to Lazarus Group.

In another attack, OFAC said Bluenoroff and Lazarus Group conspired to steal approximately $80 million from the Central Bank of Bangladesh’s New York Federal Reserve account. Both groups used malware in an attempt to steal a total of $851 million by making more than 36 large fund transfer requests using stolen SWIFT credentials. A typographical error alerted personnel who stopped the transactions.

Evil Corp

In December 2019, OFAC designated Evil Corp and its leader, Maksim Yakubets, for their development and distribution of the Dridex malware.

Beginning in 2015, OFAC says that Evil Corp, a Russia-based cyber criminal organization, used the Dridex malware to infect computers and harvest login credentials from hundreds of banks and financial institutions in over 40 countries. More than $100 million was stolen.

Steven T. Mnuchin, former US Secretary of the Treasury, said: “Treasury is sanctioning Evil Corp as part of a sweeping action against one of the world’s most prolific cyber criminal organizations. This coordinated action is intended to disrupt the massive phishing campaigns orchestrated by this Russian-based hacker group.”

OFAC Advisories

OFAC released two advisories on Potential Sanctions Risks for Facilitating Ransomware Payments in October 2020 and September 2021. The Updated Advisory warns companies of the ongoing sanctions risks for making or facilitating ransomware payments.

  • Ransomware victims are discouraged from making ransom payments to any threat actors, especially if there is a sanctions nexus to the transaction. When considering appropriate enforcement for sanctions violations, OFAC will now focus on the cybersecurity practices of ransomware victims to determine whether they took sufficient preventative measures to prevent a cyber attack.
  • Financial institutions and other involved parties such as negotiators or insurance companies are strongly discouraged from facilitating ransom payments.
  • Companies are encouraged to implement risk-based compliance programs to mitigate exposure and prevent potential sanctions violations. OFAC expects the programs for financial institutions and other companies that deal with ransoms for cyber attacks will specifically take into account the risk that a ransomware payment may violate sanctions.
  • Ransomware victims are encouraged to report cyber attacks to law enforcement as soon as possible and fully cooperate with any resulting investigation. For mitigation, such cooperation should include providing all relevant details of the cyber attack, the ransom demand and ransom payment instructions.

Trends and Considerations

Ransomware payments represent just a fraction of the economic harm caused by cyber attacks, according to the US government. As well as using the technology for personal gain, cyber attackers disrupt the economy and damage companies, families and individuals. The disruption created by these attacks can harm critical sectors, including healthcare, financial services and energy, and can expose confidential information.

Additionally, cyber criminal activity is funded with virtual currency exchanges such as SUEX, which are critical to the profitability of ransomware attacks. The US Department of the Treasury is moving toward continuing to disrupt and hold accountable these entities to reduce the incentive for cyber criminals to perform these attacks.