Russia May Use Ransomware Payouts to Avoid Sanctions’ Financial Harm

FinCEN warns financial institutions to be ware of unusual cryptocurrency payments or illegal transactions Russia may use to ease financial hurt from Ukraine-linked sanctions.

Russia may ramp up ransomware attacks against the United States as a way to ease the financial hurt it’s under due to sanctions, U.S. federal authorities are warning. Those sanctions have been levied against the nation and Vladimir Putin’s government due to its invasion of Ukraine.

The Financial Crimes Enforcement Network (FinCEN) issued a FinCEN Alert (PDF) on Wednesday advising all financial institutions to remain vigilant against potential efforts to evade the expansive sanctions and other U.S.-imposed restrictions related to the current conflict. One way this may be done is to move cryptocurrency funds through ransomware payments collected after Russian state-sponsored actors carry out cyberattacks.

“In the face of mounting economic pressure on Russia, it is vitally important for U.S. financial institutions to be vigilant about potential Russian sanctions evasion, including by both state actors and oligarchs,” said FinCEN Acting Director Him Das in a press statement.

Infosec Insiders Newsletter

Financial actions taken against Russia by the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) since the nation’s invasion of Ukraine last month are numerous. They include:

  • Sanctions against persons who have financial operations in the Russian Federation, including Putin and Russia’s Minister of Foreign Affairs Sergei Lavrov
  • Prohibitions on correspondent or payable-through account and payment processing and blocking of certain Russian financial institutions
  • Prohibitions related to new debt and equity for certain Russian entities
  • A prohibition on transactions involving certain Russian government entities, including the Central Bank of the Russian Federation.

FinCEN now is urging financial institutions – including those with visibility into cryptocurrency or convertible virtual currency (CVC) flows, such as CVC exchangers and administrators – to identify and report suspicious activity associated with potential sanctions evasion quickly and conduct an investigation where appropriate.

So far FinCEN has not seen widespread evasion of sanctions using methods such as cryptocurrency, Das noted. However, “prompt reporting of suspicious activity” can ensure this remains the case to support U.S. efforts and interest in supporting Ukraine.

Ramp-Up in Cyber-Attacks

Indeed, Russia state-sponsored actors already have ramped up cyber-attacks since the beginning of the conflict in the Ukraine; thus, an increase in ransomware activity is not an entirely unlikely prospect.

Researchers at Google’s Threat Analysis Group (TAG) reported earlier this week that they had observed advanced persistent threat (APT) groups affiliated with or backing Vladimir Putin’s government stepping up phishing attacks against Ukrainian and European targets, as well as distributed denial-of-service (DDoS) attacks against key government and service-oriented Ukrainian websites.

Because it is not regulated by typical financial currency laws in the United States, cryptocurrency has become a method of choice for cybercriminals to conduct transactions – including receiving payouts after ransomware attacks. For this reason, it also could be used by Russia to get around U.S. sanctions, noted one security professional.

“For the tech savvy or oligarch with a need to move money, they can hire the talent to move the transactions,” Rosa Smothers, senior vice president of cyber operations at security firm KnowBe4 and a former CIA cyber threat analyst and technical intelligence officer, observed in an email to Threatpost.

However, while cryptocurrency does provide privacy for storage and process transactions, “the transparency provided by blockchain could make the movement of large amounts of cryptocurrency detectable by law enforcement,” she noted, citing how the Department of Justice was able to seize millions of dollars in Bitcoin that Colonial Pipeline paid to the DarkSide group after a highly disruptive ransomware attack last May.

Indeed, another security professional expressed doubt that Russia could use ransomware payments or any other type of cryptocurrency transactions to evade U.S. sanctions “at any meaningful scale.”

“The magnitude of the recent sanction reaches into the billions, amounts that are large enough to be unattainable for almost all cryptocurrencies currently,” observed Chris Clements, vice president of solutions architecture at security firm Cerberus Sentinel. “There may be opportunities at the individual level, but for the scale of nation-state operations and expenditures, a few million or even tens of millions aren’t really going to move the needle.”

Like Smothers, he also noted that the transparency of blockchain technology due to its nature as “a public ledger” makes it easier for financial authorities to observe and trace suspicious cryptocurrency transactions than if sanctioned entities used “traditional money-laundering means.”

Register Today for Log4j Exploit: Lessons Learned and Risk Reduction Best Practices – a LIVE Threatpost event sked for Thurs., March 10 at 2PM ET. Join Sonatype code expert Justin Young as he helps you sharpen code-hunting skills to reduce attacker dwell time. Learn why Log4j is still dangerous and how SBOMs fit into software supply-chain security. Register Now for this one-time FREE event, Sponsored by Sonatype.

Suggested articles