Treasury’s Ransomware Advisory

Recent administrations have rightfully been concerned about ransomware. Ransomware is a form of malware used to extort users – the software locks your device and then demands a ransom for its release. Ransomware attacks are increasing in scale, sophistication, and frequency, victimizing governments, individuals, and private companies around the world. In 2020, ransomware payments reached over $400 million, more than four times their level in 2019. The U.S. government estimates that these payments represent just a fraction of the economic harm caused by cyber-attacks, but they underscore the objectives of those who seek to weaponize technology for personal gain.

As part of a “whole-of-government” effort to counter ransomware, OFAC announced a set of actions focused on disrupting criminal networks and virtual currency exchanges responsible for laundering ransoms, encouraging improved cyber security across the private sector, and increasing incident and ransomware payment reporting to U.S. government agencies, including both Treasury and law enforcement.

In a press release, Treasury Secretary Janet Yellen said:

“Ransomware and cyber-attacks are victimizing businesses large and small across America and are a direct threat to our economy. We will continue to crack down on malicious actors. As cyber criminals use increasingly sophisticated methods and technology, we are committed to using the full range of measures, to include sanctions and regulatory tools, to disrupt, deter, and prevent ransomware attacks.”

OFAC has taken the following actions pursuant to its ransomware advisory:

  • Designation of the first virtual currency exchange for complicit financial services – On September 21, 2021, as part of its new ransomware policy, the U.S. Treasury Department’s Office of Foreign Assets Control (“OFAC”) targeted a virtual currency exchange for laundering cyber ransoms. OFAC designated SUEX OTC, S.R.O. (“SUEX”), a virtual currency exchange based out of Russia, for its part in facilitating financial transactions for ransomware actors. OFAC found that over 40% of SUEX’s transactions are associated with illicit actors. Accordingly, OFAC added SUEX to the Specially Designated Nationals As a result of this designation, all property and interests in property of SUEX were blocked, and U.S. persons are prohibited from engaging in transactions with or via SUEX. Furthermore, any entities 50% or more owned by SUEX are also blocked.
  • Issue updated advisory on potential sanctions risks for facilitating ransomware payments – The advisory emphasizes that the U.S. government continues to strongly discourage the payment of cyber ransom or extortion demands, and recognizes the importance of cyber hygiene in preventing or mitigating such attacks.
  • Commitment to international cooperation – OFAC and other U.S. enforcement agencies have been working closely with international partners to counter the threat of ransomware attacks. This included cooperation at the Group of Seven (G7) meeting in June 2020. Furthermore, as of June 2019, the Financial Action Task Force (“FATF”), an international money-laundering and terrorist financing watchdog, amended its standards to require all countries to regulate and supervise virtual asset service providers (“VASPs”), in order to mitigate risks when engaging in virtual transactions.

OFAC’s sanction against SUEX was the second major enforcement against a cryptocurrency exchange platform (although the enforcement action against SUEX was the first for ransomware-complicit financial services). The first enforcement action against a cryptocurrency exchange platform occurred on February 18, 2021, when OFAC settled with BitPay, Inc. for $507,375. OFAC alleged that BitPay violated U.S. sanctions laws by permitting persons in Crimea, Cuba, North Korea, Iran, Sudan, and Syria to transact with merchants in the United States and elsewhere using digital currency on BitPay’s platform. These transactions resulted in 2,102 apparent violations.

Treasury Cyber Sanctions Program

On April 1, 2015, President Obama signed an executive order authorizing the imposition of sanctions on individuals and entities determined to be responsible for or complicit in malicious cyber-enabled activities that result in harm to the national security, foreign policy, economic health, or financial stability of the United States. Then, on December 28, 2016, President Obama signed another executive order directing the Attorney General and Secretary of State to impose sanctions on persons determined to be responsible for or complicit in significant malicious cyber-enabled activities. These two executive orders authorized OFAC’s cyber sanctions program.

What You Should Do

Increased enforcement and regulations are expected in the cryptocurrency space in the coming years. One important dimension of this is the sanctions implications of cryptocurrency mining and payment. Violations of U.S. sanctions laws can result in heavy penalties and even criminal liability. If your business transactions involve cryptocurrency in particular, there is a lot you can do to be proactive about your sanctions compliance:

  • Develop an effective sanctions compliance program – A key foundation of proactive and effective sanctions compliance is the development of a sanctions compliance plan. A sanctions compliance plan establishes a set of procedures for your organization to ensure that everyone is on the same page about how standard processes work, who is responsible for what, how to identify violations, what to do when violations occur, etc. A sanctions compliance plan helps build consciousness in your organization that compliance is critical – both to avoid costly penalties and also to protect national security. Diaz Trade Law helps businesses create sanctions compliance manuals that help prove you have a process in place to vet proposed transactions, that you take compliance seriously, and that you implement all of the important “great weight” mitigating factors. Diaz Trade Law has significant experience in developing sanctions compliance plans for organizations without plans. Additionally, Diaz Trade Law can assist your business in auditing and improving your current plan so that it is in its best shape.
  • Perform sanctions compliance training – A foundation of a strong sanctions compliance program is sanctions compliance training. Training is important because it (1) ensures that all employees understand the sanctions regulations and reinforces internal policies and procedures, (2) demonstrates to federal government agencies that your business is proactive about sanctions compliance, and (3) helps keep your business from being subject to costly penalties and even criminal liability. Fortunately, sanctions compliance training can be highly tailored to meet your company’s needs. All of your training events include assessments for comprehension, certificates for successful participation, and ample opportunities for Q&A. For your next sanctions compliance training event, trust Diaz Trade Law to provide highly effective, engaging training.
  • Properly vet transactions – Unsure whether a proposed transaction violates OFAC sanctions? Diaz Trade Law has significant experience vetting potential transactions against U.S. sanctions laws. Through research and due diligence, Diaz Trade Law ensures that your transaction won’t get you in trouble later down the road. In particular, it is important to vet end-uses (how is your product going to be used?), end-users (who will be using your product?), and destinations (where will your product be used?).
  • Submit voluntary self-disclosures when appropriate – If your business believes it may have violated OFAC sanctions, it can be in your business’ strategic interest to submit a voluntary self-disclosure (“VSD”). OFAC encourages anyone who may have violated OFAC-administered regulations to disclose the apparent violation to OFAC voluntarily. A voluntary self-disclosure to OFAC is considered a mitigating factor by OFAC in enforcement actions, and pursuant to OFAC’s Enforcement Guidelines, may result in a reduction in the base amount of any proposed civil penalty. Diaz Trade Law has significant experience filing VSDs and mitigating penalties. For detailed information on filing a VSD with OFAC, check out our article Submitting a Voluntary Self-Disclosure to OFAC published by Bloomberg Law.
  • Ensure specific license applications are applied for when necessary – A specific license is an authorization from OFAC to engage in a transaction that otherwise would be prohibited. Businesses may apply for OFAC specific licenses to release blocked funds, generally authorize transactions, and many other purposes. Diaz Trade Law has significant experience submitting specific license applications and receiving authorization for proposed transactions on behalf of our clients.
  • Have a process in place for corrective action when necessary – If your business has violated U.S. sanctions laws, there is a lot you should do to get back into compliance: working to prevent future violations, training your employees, and updating your manuals. This work can also assist in mitigating potential penalties. Diaz Trade Law has significant experience representing businesses in dealing with the U.S. Treasury Department’s Office of Foreign Assets Control. Specifically, Diaz Trade Law has successfully assisted clients in (1) submitting voluntary self-disclosures to mitigate penalties, (2) negotiating agreements with OFAC, (3) building corrective action systems to help ensure that your business does not make the same violation again, and (4) updating and enhancing your current export compliance plan.

Contact Us

If you have questions or require assistance on sanctions, trade, or cryptocurrency-related matters, contact Diaz Trade Law today at info@diaztradelaw.com or 305-456-3830. Also, check out www.stopransomware.gov for a one-stop resource to reduce risks of ransomware attacks.