Feds Sanction SUEX Cryptocurrency Exchange for Laundering Ransomware Payouts

The action is the first of its kind in the U.S., as the government increases efforts to get a handle on cybercrime.

In an unprecedented move, the federal government has sanctioned a cryptocurrency exchange for laundering ransom transactions for cybercriminals and helping them evade law-enforcement activity.

As part of its continued hardline against ransomware attacks, the U.S. Department of Treasury has prohibited anyone in the United States from conducting business with SUEX OTC, a Russian-linked currency exchange. It’s registered in the Czech Republic but operates out of Moscow.

The department’s Office of Foreign Assets Control’s (OFAC) designation of SUEX also blocks all of its property or interests in property that are subject to U.S. jurisdiction, according to a press release published Tuesday.


The feds analyzed SUEX’s transactions and found that the exchange facilitated transactions of illicit proceeds from at least eight ransomware variants, according to the release.

Moreover, OFAC’s analysis of known SUEX transactions showed that more than 40 percent of SUEX’s transaction history is associated with illicit actors. The office is sanctioning SUEX under Executive Order 13694, which was enacted by President Obama in 2015 and allows for taking action against “certain persons engaging in significant malicious cyber-enabled activities.”

The Wall Street Journal had reported last week that such a move was in the cards as part of the Biden administration’s crackdown on ransomware.

“Ransomware and cyberattacks are victimizing businesses large and small across America and are a direct threat to our economy,” Treasury Secretary Janet Yellen said in a press statement. “We will continue to crack down on malicious actors.”

First of Its Kind

The move is the first time the feds have officially sanctioned a currency exchange for its participation in cybercriminal activity. Typically, ransomware gangs break into organizations’ IT systems and encrypt files, locking them until the organization pays a ransom, usually in the millions of dollars, for the decryptor. They also exfiltrate data and threaten to leak it if victims don’t pay up.

Cryptocurrency exchanges are the principal way these gangs receive ransom payouts. Because such exchanges are decentralized and largely unregulated, they allow the gangs to evade the legal scrutiny and regulations associated with traditional financial institutions like banks.

The federal government believes that by going after exchanges as part of its fight against ransomware, it can cut off a major financial pipeline for ransomware criminals, thwarting their ability to get paid and thus their attack incentive.

Indeed, the Biden administration has taken a particularly hard line against ransomware as attack frequency increases to unprecedented levels, particularly following the outbreak of the COVID-19 pandemic.

Rising Ransomware

In 2020, ransomware payments reached more than $400 million, more than four times their level in 2019, according to the Treasury Department. Research has found that ransomware is up more than tenfold in the first half of 2021 alone, which means organizations likely will lose much more than that this year to ransomware crimes.

Moreover, ransomware is becoming more disruptive to daily life as its incidence increases. While early ransomware attacks tended to mainly affect organizations and their direct customers or clients, recent attacks that go after critical infrastructure and product supply chains have a more widespread effect.

The now-notorious DarkSide ransomware attack in May on Colonial Pipeline disrupted the oil and gas supply and prices for some time after, while a REvil ransomware attack on global meat supplier JBS Foods and this week’s BlackMatter ransomware attack on Iowa farm cooperative NEW Cooperative created problems for the food supply chain.

These attacks have caused the Biden administration to double down on its determination to go after ransomware actors, many of whom reside in Russia and former Soviet states. In July, President Biden identified 16 sectors of critical national infrastructure (CNI) that he told Russian President Vladimir Putin are off limits to ransomware attacks, in the hope that Putin would join in the fight.

History of Ransomware Sanctions

While the move against SUEX may be the first time the feds have sanctioned a cryptocurrency exchange, it’s not the first time the Treasury Department has taken the sanctions approach in the overall ransomware fight.

The department issued sanctions against Evil Corp in December 2019 as part of a sweeping action against the prolific, Russia-based cybercriminal group. At the same time, the feds also offered a reward of $5 million for information leading to the arrest of Evil Corp leader Maksim V. Yakubets.

Evil Corp initially was mainly associated with the info-stealing Dridex banking trojan and Zeus malware, using the tools to steal millions of dollars from victims. However, the group had moved into the ransomware business; Evil Corp was seen last August using WastedLocker ransomware against GPS maker Garmin, in an attack that allegedly cost the company $10 million in ransom.
