The US Treasury on Tuesday sanctioned virtual cryptocurrency exchange Suex OTC for handling financial transactions for ransomware operators, an intervention that’s part of a broad US government effort to disrupt online extortion and related cyber-crime.
Suex is registered in the Czech Republic but operates out of offices in Russia. According to the US Treasury, more than 40 per cent of the firm’s known transaction history involves illicit entities, and it handled payments from at least eight ransomware variants.
Crypto-coin forensics outfit Chainalysis claims Suex has received more than $160m in Bitcoin since 2018 from ransomware and other illicit operations. As such, the Treasury Department has determined that the firm provides material support to cybercriminals and has added Suex to its Office of Foreign Assets Control (OFAC) designated entities list.
Consequently, the firm’s US assets have been frozen and companies and persons doing business in the US are prohibited from transacting with it.
“Ransomware and cyber-attacks are victimizing businesses large and small across America and are a direct threat to our economy,” said Treasury Secretary Janet L. Yellen in a statement. “We will continue to crack down on malicious actors.”
The US Treasury Department says that in 2020, ransomware payments surpassed $400m, more than four times the total in 2019. And this year, two major ransomware incidents affecting Colonial Pipeline and JBS Foods, not to mention the Kaseya and Microsoft Exchange compromises, made it clear something has to be done to respond to threats affecting critical infrastructure.
Confronted with the ransomware surge, the Biden administration has tried to push back. In March, Alejandro Mayorkas, Secretary of Homeland Security, announced plans to deal with the increase in ransomware. In April, the Justice Department assembled its Ransomware and Digital Extortion Task Force and the industry-driven Institute for Security and Technology’s Ransomware Task Force published a report for policy makers with four dozen recommendations.
In May, the Biden administration signed an executive order to protect US critical infrastructure and in June it issued a National Security Memorandum expanding cyber defense efforts.
The EU took a similar step with the July launch of “No More Ransom,” an initiative undertaken by Europol’s European Cybercrime Centre, the National High Tech Crime Unit of the Netherlands’ police and McAfee to help ransomware victims decrypt maliciously encrypted files so no ransom need be paid.
Ransomware reports and policies argue for cooperating and sharing resources like decryption keys, but that doesn’t always happen. The FBI this summer reportedly withheld a decryption key that could have undone a July ransomware attack against Kaseya and could potentially have saved affected firms millions in ransom payments.
According to the Washington Post, the FBI withheld the key for three weeks while it planned a counter-strike on REvil, the Russia-based ransomware gang said to have been behind the Kaseya attack. But the FBI operation never occurred because REvil’s ransomware infrastructure went offline and the group went dark in mid-July before the Feds took action.
The Register asked the FBI to comment and the agency declined.
We also asked the US Treasury Department whether it has a policy on whether decryption keys should be shared with potential victims if those keys are available. ®