CyberGuide - Information Security and Cyber Risk Management



Updated OFAC advisory sends clear message: Ransomware reporting now essential

By Erin Ayers, Advisen

As part of an ongoing campaign to disrupt cybercriminals, the U.S. Treasury on Sept. 22 took aim at a cryptocurrency exchange known for enabling ransom payments and reinforced the potential consequences for paying sanctioned threat actors.

Treasury’s Office of Foreign Assets Control (OFAC) first issued guidance around ransomware payments in October 2020. In the updated advisory issued Sept. 21, OFAC continued to “strongly discourage” the payment of ransom demands and emphasized the need to boost defenses against cyberattacks and report incidents.

The advisory is designed to encourage quick reporting to federal law enforcement agencies, according to Michael Lieberman, assistant director for enforcement for OFAC, who spoke during a Sept. 22 webinar held by Chainalysis, a blockchain software vendor. Treasury officials want to know as much information as can be shared, such as the victim, the firms involved in remediating, the dates of attack, ransom amounts, and whether the event has been reported to law enforcement, he added.

Such details are “essential” for the U.S. government to understand “the nature and full extent of incidents,” Lieberman said, noting that cooperative ransomware victims also “increase their likelihood of recovery” via decryption keys the government may be more readily able to access.

Cyber risk and insurance professionals told Advisen the Treasury guidance will not significantly alter how incident response firms and insurers handle ransomware events, but it more assertively places the onus on businesses to actively mitigate cybersecurity risks.

“The updated OFAC guidance is not a radical change from the existing sanctions regime, but there are some positive, incremental signals that this is part of an emerging, comprehensive anti-ransomware strategy like the one we laid out in the Ransomware Task Force’s report,” said Michael Phillips, chief claims officer for Resilience Insurance. “For instance, the new guidance expands the concept of ‘significant mitigating factors’ to credit the steps that a victim may have taken to proactively reduce their risk, including incident response planning, maintaining offline backups, and employing authentication protocols. I am optimistic that the Treasury guidance is meant to keep the target on threat actors, and not on the victims of cybercrime.”

“I think this is different because of the tone. The tone is very stern, very ‘either you’re with us or against us,’” said Paul Ferrillo, privacy and cybersecurity partner at Seyfarth Shaw LLP. “I think this is a shot across the bow. If you’re facilitating ransomware payments, OFAC can come and get you.”

Ferrillo told Advisen sharing information with officials, particularly the FBI, can be helpful in preventing future events and attributing attacks. Reporting of cyber events is also becoming an essential part of corporate governance.

He added, “At the end of the day, it’s about doing your due diligence before the payment’s paid to make sure it’s not a sanctioned entity.”

“This advisory is really a final warning for companies to get their security operations in order,” said Jake Williams, CTO and co-founder of BreachQuest. “The vast majority of ransomware incidents we respond to were trivially preventable. The federal government sees companies facilitating ransomware payments as encouraging future ransomware attacks. With this new advisory, organizations may lose the ability to pay attackers to recover, making it even more critical that they do what they can now to ensure they don’t suffer a ransomware attack in the first place.”

Bridget Choi, director with Booz Allen Hamilton, told Advisen the updated guidance marks an “excellent strategy move” and suggested it signaled intent on Treasury’s part to penalize companies with no cybersecurity planning and no attempts to report incidents.

Madaleine Gray and Sean Hoar, attorneys with Lewis Brisbois, cited some drawbacks to the guidance in a blog post, commenting, “Unfortunately, although the OFAC advisory is long on ‘reminders’ of potential liability to those who assist victims of malicious cyberattacks, it is short on effective assistance to them.”

While OFAC suggests relying upon government-crafted prevention guides, basic security measures may not be enough to prevent ransomware, the attorneys said.

“The OFAC advisory also suggests that by contacting government agencies, victim businesses may gain access to their data through ‘alternative decryption tools,’ and that they may be able to recover portions of ransom payments. These outcomes are not only unlikely for most businesses, but they may produce dangerous delays in the recovery process,” wrote Gray and Hoar in the post.

Disrupting crypto commerce

As part of its “robust actions against ransomware,” Treasury added SUEX to its Specially Designated National (SDN) list, noting that over 40% of the virtual currency exchange’s transactions stemmed from illicit activities.

SUEX is registered in the Czech Republic but actually operates from Russia, according to Josh Prober, senior content developer at Chainalysis. The move represents “a win against money laundering and ransomware,” he explained during the Sept. 22 webinar.

Chainalysis research earlier this year revealed that just five crypto exchanges handled 82% of all ransomware funds in 2020, meaning that taking down one major player could have wide-ranging effects for bad actors.

“The sanction of SUEX is a significant action taken by the government to combat the money launderers who make cryptocurrency-based crime like ransomware possible and profitable. SUEX is one of the biggest and most active of the launderers, and shutting them down is a significant blow to cyber threat actors, including ransomware attackers,” said Resilience’s Phillips.
