The Biden administration took aim Tuesday at the financial marketplace for criminal ransomware gangs, announcing sanctions against a Russia-based virtual currency brokerage that officials say has processed illicit transactions for attackers.
The Treasury Department sanctions are aimed at disrupting the economic infrastructure of a ransomware threat that has surged over the last year and targeted vital corporations and critical infrastructure, including a major fuel pipeline. Ransomware payments reached more than $400 million in 2020, the costliest year on record.
The goal of the action is to go after the “financial enablers” of ransomware gangs, Deputy Treasury Secretary Wally Adeyemo told reporters in previewing the announcement.
“Today’s action is a signal of our intention to expose and disrupt the illicit infrastructure using these attacks,” Adeyemo said.
Through its Office of Foreign Assets Control, the Treasury Department has previously sanctioned ransomware developers and distributors, and officials say more such designations are possible.
The administration selected for sanctions a currency exchange known as SUEX OTC, a broker it said has facilitated transactions for at least eight ransomware variants.
Though the majority of virtual currency exchanges are engaged in legal commerce, a subset of so-called “nested” exchanges processes a disproportionate amount of illicit transactions, Adeyemo said. In the case of SUEX, officials said, more than 40% of its known transaction history is associated with what the administration describes as illicit actors.
SUEX is among the most active of a small group of illicit services that handle most money laundering for cybercriminals, the cryptocurrency-tracking firm Chainalysis said in a blog post.
Although legally registered in the Czech Republic, SUEX has no known physical presence there and instead operates out of branches in Moscow and St. Petersburg, Russia, where users can cash out their virtual currency, said Chainalysis, which works closely with law enforcement on tracking criminal crypto transactions.
It said SUEX has been laundering money from the illicit cryptocurrency exchange BTC-e, which U.S. authorities shut down, perhaps on behalf of administrators, associates or former users. BTC-e’s operator was sentenced to five years in prison by a French court in December.
Chainalysis said SUEX deposit addresses hosted at large exchanges have received over $160 million from cybercriminals since the brokerage opened in early 2018, including nearly $13 million from ransomware operators including Ryuk, Conti, Maze.
In addition, the Treasury Department says it is updating guidance for ransomware victims that it first issued last year. The advisory strongly discourages victims from paying ransomware, reminding them that some transactions are against the law, and urges victims to report attacks to law enforcement.
“The reality is that the thing we know about this ecosystem is the way that we prevent ransomware attacks is by making sure that we get law enforcement engaged as soon as possible,” Adeyemo said.