OFAC Imposes New Sanctions To Thwart Ransomware – Technology – United States

On September 21, 2021, the US Treasury Department’s Office
of Foreign Assets Control (“OFAC”) levied its first
sanctions against a Russian-operated virtual currency exchange
involved in ransomware payments and published an updated advisory
on sanctions risks for ransomware payments. At the same time,
Deputy Secretary of the Treasury Wally Adeyemo was careful to
underscore that “the vast majority of activity that’s
happening in the virtual currencies is legitimate activity.”
The actions form part of what the Treasury Department described as
a whole-of-government effort targeting ransomware networks and
certain foreign virtual currency exchanges – those that are
either illicit or operate at the edges of legality – that
support them. In a ransomware attack, a cyber actor uses malware to
encrypt the data on a victim’s computer system and only
decrypts it if the victim pays a ransom, usually in
cryptocurrency.

OFAC targeted only one Russian-operated virtual currency
exchange, but its action signals a broader focus on intermediary
parties that launder ransom payments or otherwise facilitate
ransomware attacks. The September 21, 2021 advisory (the “Updated
Advisory”) expands on the guidance provided in its October 2020
predecessor about OFAC’s expectations of how victims and
others should act before, during, and after an attack. All
companies, especially those in industries such as financial
services that are often targeted by ransomware attacks, and the
cybersecurity firms that help victims manage attacks, should review
the Updated Advisory and incorporate its guidance into their
ransomware planning.

New Sanctions and Updated Advisory on Cryptocurrency

US companies are generally prohibited from engaging in any
financial transactions with persons identified on OFAC’s
Specially Designated Nationals and Blocked Persons
(“SDN”) List, and with those located in certain
sanctioned countries or territories, including Cuba, Iran, and the
Crimea region of Ukraine. Non-US companies may also violate US
sanctions if they cause a US person to violate the sanctions
prohibitions. And, as OFAC indicates in the Updated Advisory, a
ransomware payment made to a sanctioned person or sanctioned
country would violate US law even if the victim of the ransomware
attack was unaware of the sanctions nexus.

Victims of ransomware attacks and those that might facilitate
the payment of ransom face a significant compliance challenge
because sanctions apply even if the payer does not know it has paid
a sanctioned party. Users of some virtual currency exchanges can
operate under pseudonyms, which means that exchanges and other
firms in the industry, many of which lack robust know-your-customer
(“KYC”) identification protocols, may find it difficult
to ascertain the identities of ransomware perpetrators or other
intermediaries to screen them against the SDN Lists and to comply
with the requirements of US anti-money laundering (“AML”)
laws and regulations. In its earlier advisory
issued in October 2020, OFAC had encouraged companies to
develop risk-based compliance programs to mitigate the risk of
exposure to sanctions violations, to report attacks to law
enforcement, and to cooperate with law enforcement, and affirmed
that it would consider such actions as “significant mitigating
factor[s] when evaluating a possible enforcement outcome.”

The Updated Advisory, together with the sanctions designation of
a Russian-operated virtual currency exchange, elaborates on that
guidance and provides additional insight into OFAC’s approach to
combatting ransomware attacks.

Focus on Exchanges. Treasury is now focusing
its counter-ransomware strategy on certain virtual currency
exchanges, which OFAC described as the “principal means of
facilitating ransomware payments and associated money laundering
activities.” In a briefing, Deputy Secretary Adeyemo noted
that while “the vast majority of activity that’s happening
in the virtual currencies is legitimate activity,” the use of
exchanges, mixers, and peer-to-peer services by criminals “is
not in our national interest.” He further stated that
“Treasury will prioritize the identification of nested
exchanges transacting a high percentage of illicit
activity.”

OFAC’s first-in-kind designation of the Russian-operated,
Czech-registered virtual currency exchange SUEX OTC, S.R.O.
(“SUEX”) exemplifies this strategy. OFAC found not only
that SUEX had facilitated financial transactions involving illicit
proceeds from at least eight ransomware variants, but also that 40%
of its transaction history involved illicit actors. The Treasury
Department wrote that SUEX met the criteria for designation under
the malicious cyber-enabled activities sanctions authority because
it “provide[s] material support to the threat posed by
criminal ransomware actors.”

Sanctions and AML / KYC. The SUEX designation
signals that certain cryptocurrency exchanges need to strengthen
their AML and combating the financing of terrorism
(“CFT”) compliance programs to avoid facilitating illicit
activities and to prevent sanctioned persons from transacting on
their platforms, including by implementing comprehensive KYC
protocols. In its press release, Treasury
noted that the virtual currency industry plays “a critical
role in implementing appropriate AML/CFT and sanctions controls to
prevent sanctioned persons and other illicit actors from exploiting
virtual currencies to undermine U.S. foreign policy and national
security interests.” It also emphasized its international
cooperation on improving AML compliance for crypto service
providers and exchanges and highlighted past Financial Crimes
Enforcement Network (“FinCEN”) guidance applying AML and
Bank Secrecy Act rules to virtual currency exchanges and money
services businesses.

USG Outreach. OFAC also provided additional
detail on specific cooperation measures ransomware victims can take
to mitigate sanctions exposure. Notably, the new advisory did not
establish any formal mechanism for a ransomware victim to work with
OFAC to determine whether the perpetrator has a sanctions nexus.
However, it did offer guidance on the appropriate channels for
reporting an attack with sanctions implications. The October 2020
advisory had noted generally that a company’s
“self-initiated, timely, and complete report of a ransomware
attack to law enforcement” would be “a significant
mitigating factor in determining an appropriate enforcement outcome
if the situation is later determined to have a sanctions
nexus.” Now, the Updated Advisory specifies two relevant U.S.
government agencies ransomware victims should consider contacting
if they suspect a sanctions issue: the Cybersecurity and
Infrastructure Security Agency (“CISA”) and the Treasury
Department’s Office of Cybersecurity and Critical
Infrastructure Protection (“OCCIP”). It also provides
that OFAC will consider such reports to be a voluntary
self-disclosure (for which companies are ordinarily credited by
OFAC only when OFAC learns of an apparent violation before other
parts of the U.S. Government), and that these mitigation efforts
can result in the non-public resolution of a violation, for example
through a No Action Letter.

Risk-Based Compliance. The Updated Advisory
also offers more precise guidance on the type of risk-based
compliance programs that will be considered as mitigation for any
sanctions-related violations. Where the earlier advisory had
encouraged financial institutions and others to implement
risk-based compliance programs to mitigate exposure to
sanctions-related violations, the September 2021 advisory further
states that meaningful steps to do so through the types of
cybersecurity practices highlighted in CISA’s Ransomware Guide
in particular will be “a significant
mitigating factor in any OFAC enforcement response.” Companies
providing financial services should consider tracking these
specific compliance guidelines.

Future Action Expected

The US Government has taken significant action in recent weeks
to address ransomware threats—the Department of Justice
established a Ransomware and Digital Extortion Task Force and launched a one-stop
ransomware resource at StopRansomware.gov to correlate
cybersecurity resources from across the Government, among others.
OFAC’s announcement this week reinforces the US
Government’s heightened focus on the role that virtual
currencies—and certain virtual currency exchanges in
particular—play in ransomware attacks. Industry actors should
expect additional OFAC action in the future to ensure that such
payment mechanisms are not used to subvert longstanding sanctions
and AML priorities. Treasury Secretary Janet Yellen has affirmed
the Treasury Department’s commitment to use sanctions to
“disrupt, deter, and prevent ransomware attacks,” which
we expect will be reflected not only in future designations but
also in civil enforcement action against exchanges and others that
do not take adequate steps to mitigate the risk that they
facilitate the use of virtual currency in carrying out ransomware
attacks.

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
