New Treasury sanctions take aim at blocking ransomware groups from cashing out

The U.S. Treasury is wading into the fight against ransomware by sanctioning virtual cryptocurrency exchange Suex for its role in facilitating ransomware payments.

The sanctions are the first of its kind against a cryptocurrency exchange, and prohibit Americans from doing business with the company.

It’s the latest action as part of a U.S. government-wide effort to counter the rise of ransomware — including a cross-agency taskforce and a $10 million bounty for information on state-backed cybercriminals — that has so far seen mixed results. Just this week, the BlackMatter ransomware group demanded $5.9 million in ransom from a hacked Iowa farm services provider.

But experts believe that the Treasury’s action against Suex, and the U.S. government’s apparent decision to employ the age-old tactic of following the money rather than the criminals themselves, will come as a major blow to many of the biggest ransomware operators. While the sanctions won’t end ransomware attacks for good, dismantling the mechanisms for ransomware groups to cash out their cryptocurrency could be vital in slowing them down.

Chanalysis, which aided the U.S. in its investigation of Suex, has lauded the move as a “big win”, labeling the exchange as one of the worst-offenders of cryptocurrency-based money laundering. In a blog post, the blockchain analysis firm said Suex netted almost $13 million from ransomware operators like Ryuk and Maze since the exchange was founded in 2018. Chanalysis also said the exchange took in more than $24 million from crypto scam operators.

Read more on TechCrunch

The Treasury said that over 40% of known Suex transactions were associated with bad activity.

Gurvais Grigg, Chainalysis’s global public sector and chief technology officer, believes the U.S. will continue to target exchanges, yet his analysis shows that illicit activity is largely concentrated to just a few services.

“A group of just five received 82% of all ransomware funds from 2020, based on our data at the time,” he tells TechCrunch.

Paul Sibenik, lead case manager at blockchain forensics company CipherBlade, said the U.S. is likely to also go after lesser-known nested services and over-the-counter (OTC) brokers — where trading happens directly between two parties but utilizes a major exchange for liquidity. Suex, for example, uses the infrastructure of a larger exchange to handle its transactions.

“The usage of a rogue OTC like Suex can be an effective workaround so that an attacker need not have an account at the applicable exchange, but ultimately it’s fair to say that the exchange is still facilitating the transaction from the ransomware attacker,” Sibenik tells TechCrunch.

“Exchanges have an obligation to monitor suspicious transactions going into applicable accounts, but it’s also critically important for exchanges to ensure that whatever rogue OTCs and nested services they do business with are compliant themselves,” said Sibenik. “Otherwise, there can absolutely be a threat of enforcement actions, and arguably legal liability as well.”

The Treasury’s latest sanctions — and the threat of more — will undoubtedly see ransomware actors change their tactics, just as some have done by shifting to double extortion techniques. Rather than just encrypting files, double extortion ransomware exfiltrates the data first and threatens to publish the files if the ransom isn’t paid.

Sibenek has already seen some threat actors moving from Bitcoin to Monero, which he describes as “untraceable in any meaningful and practical way.” Even this is less viable for ransomware groups moving to cash out, with many exchanges having delisted so-called privacy coins due to regulatory guidance.

“Cryptocurrency is only useful if you can buy and sell goods and services or cash out into fiat, and that is much more difficult with privacy coins,” Grigg says.