On September 21, 2021, the US Treasury Department’s Office of Foreign Assets Control (“OFAC”) levied its first sanctions against a Russian-operated virtual currency exchange involved in ransomware payments and published an updated advisory on sanctions risks for ransomware payments. At the same time, Deputy Secretary of the Treasury Wally Adeyemo was careful to underscore that “the vast majority of activity that’s happening in the virtual currencies is legitimate activity.” The actions form part of what the Treasury Department described as a whole-of-government effort targeting ransomware networks and certain foreign virtual currency exchanges – those that are either illicit or operate at the edges of legality – that support them. In a ransomware attack, a cyber actor uses malware to encrypt the data on a victim’s computer system and only decrypts it if the victim pays a ransom, usually in cryptocurrency.
OFAC targeted only one, Russian-operated virtual currency exchange, but its action signals a broader focus on intermediary parties that launder ransom payments or otherwise facilitate ransomware attacks. The September 21, 2021 advisory (the “Updated Advisory”) expands on the guidance provided in its October 2020 predecessor about OFAC’s expectations of how victims and others should act both before, during, and after an attack. All companies, especially those in industries such as financial services that are often targeted by ransomware attacks, and the cybersecurity firms that help victims manage attacks, should review the Updated Advisory and incorporate its guidance into their ransomware planning.
New Sanctions and Updated Advisory on Cryptocurrency
US companies are generally prohibited from engaging in any financial transactions with persons identified on OFAC’s Specially Designated Nationals and Blocked Persons (“SDN”) List, and with those located in certain sanctioned countries or territories, including Cuba, Iran, and the Crimea region of Ukraine. Non-US companies may also violate US sanctions if they cause a US person to violate the sanctions prohibitions. And, as OFAC indicates in the Updated Advisory, a ransomware payment made to a sanctioned person or sanctioned country would violate US law even if the victim of the ransomware attack was unaware of the sanctions nexus.
Victims of ransomware attacks and those that might facilitate the payment of ransom face a significant compliance challenge because sanctions apply even if the payer does not know it has paid a sanctioned party. Users of some virtual currency exchanges can operate under pseudonyms, which means that exchanges and other firms in the industry, many of which lack robust know-your-customer (“KYC”) identification protocols, may find it difficult to ascertain the identities of ransomware perpetrators or other intermediaries to screen them against the SDN Lists and to comply with the requirements of US anti-money laundering (“AML”) laws and regulations. In its earlier advisory issued in October 2020, OFAC had encouraged companies to develop risk-based compliance programs to mitigate the risk of exposure to sanctions violations, to report attacks to law enforcement, and to cooperate with law enforcement, and affirmed that it would consider such actions as “significant mitigating factor[s] when evaluating a possible enforcement outcome.”
The Updated Advisory, together with the sanctions designation of a Russian-operated virtual currency exchange, elaborate on that guidance and provide additional insight into OFAC’s approach to combatting ransomware attacks.
Focus on Exchanges. Treasury is now focusing its counter-ransomware strategy on certain virtual currency exchanges, which OFAC described as the “principal means of facilitating ransomware payments and associated money laundering activities.” In a briefing, Deputy Secretary Adeyemo noted that while “the vast majority of activity that’s happening in the virtual currencies is legitimate activity,” the use of exchanges, mixers, and peer to peer services by criminals “is not in our national interest.” He further stated that “Treasury will prioritize the identification of nested exchanges transacting a high percentage of illicit activity.”
OFAC’s first-in-kind designation of the Russian-operated, Czech-registered virtual currency exchange SUEX OTC, S.R.O. (“SUEX”) exemplifies this strategy. OFAC found not only that SUEX had facilitated financial transactions involving illicit proceeds from at least eight ransomware variants, but also that 40% of its transaction history involved illicit actors. The Treasury Department wrote that SUEX met the criteria for designation under the malicious cyber-enabled activities sanctions authority because it “provide[s] material support to the threat posed by criminal ransomware actors.”
Sanctions and AML / KYC. The SUEX designation signals that certain cryptocurrency exchanges need to strengthen their AML and combating the financing of terrorism (“CFT”) compliance programs to avoid facilitating illicit activities and to prevent sanctioned persons from transacting on their platforms, including by implementing comprehensive KYC protocols. In its press release, Treasury noted that the virtual currency industry plays “a critical role in implementing appropriate AML/CFT and sanctions controls to prevent sanctioned persons and other illicit actors from exploiting virtual currencies to undermine U.S. foreign policy and national security interests.” It also emphasized its international cooperation on improving AML compliance for crypto service providers and exchanges and highlighted past Financial Crimes Enforcement Network (“FinCEN”) guidance applying AML and Bank Secrecy Act rules to virtual currency exchanges and money services businesses.
USG Outreach. OFAC also provided additional detail on specific cooperation measures ransomware victims can take to mitigate sanctions exposure. Notably, the new advisory did not establish any formal mechanism for a ransomware victim to work with OFAC to determine whether the perpetrator has a sanctions nexus. However, it did offer guidance on the appropriate channels for reporting an attack with sanctions implications. The October 2020 advisory had noted generally that a company’s “self-initiated, timely, and complete report of a ransomware attack to law enforcement” would be “a significant mitigating factor in determining an appropriate enforcement outcome if the situation is later determined to have a sanctions nexus.” Now, the Updated Advisory specifies two relevant U.S. government agencies ransomware victims should consider contacting if they suspect a sanctions issue: the Cybersecurity and Infrastructure Security Agency (“CISA”) and the Treasury Department’s Office of Cybersecurity and Critical Infrastructure Protection (“OCCIP”). It also provides that OFAC will consider such reports to be a voluntary self-disclosure (for which companies are ordinarily credited by OFAC only when OFAC learns of an apparent violation before other parts of the U.S. Government), and that these mitigation efforts can result in the non-public resolution of a violation, for example through a No Action Letter.
Risk-Based Compliance. The Updated Advisory also offers more precise guidance on the type of risk-based compliance programs that will be considered as mitigation for any sanctions-related violations. Where the earlier advisory had encouraged financial institutions and others to implement risk-based compliance programs to mitigate exposure to sanctions-related violations, the September 2021 advisory further states that meaningful steps to do so through the types of cybersecurity practices highlighted in CISA’s Ransomware Guide in particular will be “a significant mitigating factor in any OFAC enforcement response.” Companies providing financial services should consider tracking these specific compliance guidelines.
Future Action Expected
The US Government has taken significant action in recent weeks to address ransomware threats—the Department of Justice established a Ransomware and Digital Extortion Task Force and launched a one-stop ransomware resource at StopRansomware.gov to correlate cybersecurity resources from across the Government, among others. OFAC’s announcement this week reinforces the US Government’s heightened focus on the role that virtual currencies—and certain virtual currency exchanges in particular—play in ransomware attacks. Industry actors should expect additional OFAC action in the future to ensure that such payment mechanisms are not used to subvert longstanding sanctions and AML priorities. Treasury Secretary Janet Yellen has affirmed the Treasury Department’s commitment to use sanctions to “disrupt, deter, and prevent ransomware attacks,” which we expect will be reflected not only in future designations but also in civil enforcement action against exchanges and others that do not take adequate steps to mitigate the risk that they facilitate the use virtual currency in carrying out ransomware attacks.
* * *
WilmerHale is prepared to advise clients on US sanctions regulatory compliance and enforcement and has particular expertise advising clients impacted by ransomware attacks.