Building Ransomware Resilience — A Proactive Strategy for Businesses and Regulators

Aug 09, 2023

The rise of ransomware attacks has prompted the international community to explore a range of approaches to deter these attacks, including the use of sanctions, the further development and instantiation of norms governing cyberattacks, and the promotion of cybersecurity best practices.

Sanctions have been an important part of the toolkit used by government agencies to impose costs on ransomware actors. In February 2023, regulators in the UK and the US Treasury Department's Office of Foreign Assets Control (OFAC) sanctioned seven members of the Russian-based cybercrime gang TrickBot, associated with Russian Intelligence Services, for deploying ransomware to target critical infrastructure in both countries. In August 2022, OFAC sanctioned Tornado Cash, a decentralized cryptocurrency mixer, for allegedly facilitating the laundering of $7 billion in virtual currency (VC). In a similar move, in September 2021, OFAC designated SUEX OTC, S.R.O. (SUEX), a Russian cryptocurrency exchange, as an entity on the Specially Designated Nationals and Blocked Persons list, which restricts US dealings with certain entities posing national security threats. Concurrently, OFAC issued a ransomware advisory (September 2021 Advisory) highlighting the sanctions risks associated with ransomware payments in connection with malicious cyber-enabled activities. SUEX was found to have moved hundreds of millions of dollars of cryptocurrency from illicit sources, including more than $160 million from ransomware actors.

While these designations are important, a comprehensive approach is necessary to continue to deter and degrade ransomware networks. This proactive and broad-based approach may involve targeted sanctions, information sharing, public-private partnerships, and empowering businesses and individuals to protect themselves from ransomware attacks. By focusing on foreign regulators that emphasize financial crimes compliance, this approach could more effectively supervise virtual asset service providers (VASPs) in their jurisdictions to reduce risks as they process payments for ransomware actors.

I. Understanding the Ransomware Ecosystem

Ransomware is a form of malicious software (malware) designed to block access to computer systems or data, often by encrypting data or programs. Cyber actors demand ransom payments, usually in VC, in exchange for a key to decrypt files and restore victims’ access to their information. In recent years, OFAC has been targeting various actors in the ransomware ecosystem, including:

II. OFAC's September 2021 Advisory

In addition to designating a range of actors involved in the ransomware ecosystem, OFAC has also issued compliance guidance to help firms manage risks around ransomware transactions specifically and VC transactions generally. OFAC's September 2021 Advisory notes that the US government "strongly discourages all private companies and citizens from paying ransom or extortion demands." The September 2021 Advisory explains that under the International Emergency Economic Powers Act or the Trading with the Enemy Act, businesses can be held accountable for breaking OFAC rules by paying ransoms to sanctioned persons, even if they were unaware they were doing so. Furthermore, to avoid sanctions violations, OFAC suggests businesses implement a "risk-based compliance program to mitigate exposure to sanctions-related violations," which can be supplemented through training, offline backups, response plans and other efforts to protect a company's technical infrastructure. OFAC also emphasizes the importance of prompt reporting, noting that it views a "self-initiated and complete report of a ransomware attack to law enforcement" as a significant mitigating factor in an enforcement context. This guidance is consistent with OFAC's broader guidance about how companies should build effective risk-based compliance programs.

***

Overall, OFAC's sanctions campaign reflects its commitment to combating ransomware through targeted sanctions and partnerships with other government agencies and international partners.

III. Key Compliance Considerations for Ransomware Attacks

To comply with OFAC regulations and mitigate sanctions risks when faced with ransomware payments, companies should implement risk-based compliance programs. These programs are essential for avoiding potential pitfalls associated with ransomware payments and maintaining a strong security posture. Key elements of these programs may include:

IV. Beyond Sanctions: A Comprehensive Strategy for Ransomware Threats

A whole-of-sector, holistic approach is necessary to effectively combat ransomware threats.

A. Operationalizing the Approach

Sanctions are an important component of an overall strategy to combat ransomware: necessary, but not sufficient. US regulators should prioritize collaboration with foreign counterparts to implement sanctions measures. In addition, OFAC and others can build preventative principles by offering best-practice training and focusing on education in vulnerable regions such as Latin America, the Caribbean and Eastern Europe, strengthening global defense against ransomware, and mitigating its negative impact on businesses and individuals.

US regulators such as OFAC can take the lead in the responsible development and design of compliance standards, knowledge and tools for their international counterparts to effectively monitor and regulate VC exchanges and VASPs for financial crimes compliance purposes. To further deter the inadvertent facilitation of transactions to ransomware actors, this approach could also draw on lessons learned from counterterrorism finance efforts, which have emphasized an international whole-of-sector approach involving investment and collaboration with private-sector partners and other stakeholders to prevent attacks before they happen.

By supervising VASPs and empowering foreign regulators and companies with the necessary training and resources, implementing risk-based compliance programs, and collaborating with expert third parties, we can create a robust global defense against ransomware. Adopting this multifaceted approach goes beyond the imposition of sanctions on specific bad actors—it reduces the prevalence of ransomware, shielding governments and businesses from its devastating consequences.

Outline:

I. Understanding the Ransomware Ecosystem
   TrickBot
   SUEX
   Tornado Cash
II. OFAC's September 2021 Advisory
III. Key Compliance Considerations for Ransomware Attacks
   Thorough due diligence
   Robust incident response plan
   Engaging expertise
IV. Beyond Sanctions: A Comprehensive Strategy for Ransomware Threats
   A. Operationalizing the Approach