The department also emphasized guidance for victim organizations who risk running afoul of enforcers by paying attackers and failing to report incidents.
The Treasury Department is banning U.S. persons from engaging in any way with SUEX, a cryptocurrency exchange it says laundered ransomware payments to criminals.
“SUEX has facilitated transactions involving illicit proceeds from at least eight ransomware variants,” Treasury said in a press release Tuesday. “Analysis of known SUEX transactions shows that over 40% of SUEX’s known transaction history is associated with illicit actors.”
Treasury, which worked with the FBI to issue the sanctions, said the action is part of a comprehensive plan that relies on cooperation between law enforcement, the private sector and international partners, a message President Joe Biden also delivered in remarks before the United Nations General Assembly Tuesday.
“We’re hardening our critical infrastructure against cyberattacks, disrupting ransomware networks, and working to establish clear rules of the road for all nations as it relates to cyberspace,” Biden said. “We reserve the right to respond decisively to cyberattacks that threaten our people, our allies, or our interests.”
The Treasury Department’s release highlighted a commitment from G7 nations to the appropriate regulation of virtual currencies. But that framework of leading nations famously excludes adversaries like Russia, which many see as harboring ransomware criminals.
Reacting to the announcement, Rep. Jim Langevin, D-R.I., said he is “pleased that the government has, for the first time, sanctioned a Russian cryptocurrency exchange that facilitates criminal activity. However, while sanctioning an exchange is an important demonstration of our resolve, shutting down one exchange will not materially alter the threat landscape. The Biden administration must also sanction companies that provide the information technology support to Russian ransomware gangs, and I look forward to continuing to work towards that goal.”
SUEX is a private firm reportedly based in the Czech Republic. But Treasury’s announcement also had significant implications for U.S. firms. The department has previously warned that companies making ransomware payments could be violating U.S. sanctions due to likely state-sponsored activity by regimes like North Korea. Tuesday’s notice highlighted this possibility in relation to the new sanctions against the sort of entity that facilitates such payments by providing a certain degree of anonymity.
“Persons that engage in certain transactions or activities with the sanctioned entities and individuals may expose themselves to sanctions or be subject to an enforcement action,” Treasury said. “[The Office of Foreign Assets Control] strongly encourages victims and related companies to report these incidents to and fully cooperate with law enforcement as soon as possible to avail themselves of OFAC’s significant mitigation related to OFAC enforcement matters and receive voluntary self-disclosure credit in the event a sanctions nexus is later determined.”
Langevin, co-founder of the House Cybersecurity Caucus, was also pleased by Treasury’s emphasis on the importance of practicing appropriate cyber hygiene in an updated advisory for companies on the sanctions risk associated with making ransomware payments.
“Improving cybersecurity, particularly of our critical infrastructure, is a matter of incentives, and today’s guidance appropriately encourages the stronger resilience measures we need to keep the country safe,” he said.