Ransomware, Threat Management, Governance, Risk and Compliance

Will sanctioning crypto exchanges move the ransomware needle?

Treasury Secretary Janet Yellen  speaks during an event at the U.S. Department of the Treasury on September 15, 2021 in Washington, D.C. (Photo by Drew Angerer/Getty Images)

The Biden administration announced landmark sanctions against a cryptocurrency exchange Tuesday as part of its efforts to fight ransomware. Experts say whether it will have any effect on ransomware depends on what the Biden administration does next.

The Suex cryptocurrency exchange became the first company of that type to ever be sanctioned by the United States government after the U.S. alleged "over 40%" of its transactions were illicit. Chainalysis, which tracks cybercrime trends over blockchain, estimates that around $13 million of the $481 million in bitcoin at Suex came from ransomware alone, with another $45 million coming from darknet markets and scams.

Sanctioning Suex limits the ability of cybercriminals to routing ransom through Suex hosted wallets. But, while Suex had attributes that appealed to criminals, it is far from the only cryptocurrency exchange that criminal groups could use. If this is a one-off, criminals will just hop to new wallets and very little will change, say sources tracking ransomware groups and criminal finance. If it is the first step in setting a new standard for exchanges, there is a chance the United States could in part limit the ability of cybercriminal groups to get paid.

"This is the blueprint for a way that governments can go forward," said Allan Liska, a threat researcher at Recorded Future.

Liska said the appeal of Suex was two-fold. Criminals saw the company, headquartered in the Czech Republic and Russia, as being located within a geographically safe space beyond most victims' reach. The exchange, he said, had also been perceived as lenient for anti-money laundering policies.

As of September 22, Suex's terms of service require a photo of any potential user with government identification and a bank card, which are on paper similar requirements to major exchanges.

With continued sanctions of exchanges, said Liska, ransomware operators might be forced to make uncomfortable choices.

"Ransomware groups could be forced to riskier and riskier exchanges. We've already seen this year something like seven or eight different exchanges that have been compromised and had money stolen from them. And as you move to these you obviously increase the chance of it happening to you," said Liska, who noted the irony of hackers being the downfall of ransomware fortunes. "Unfortunately, it's really the victim's money that would be stolen."

Liska said that ransomware actors are not visibly panicked about the sanctions, but have at least taken notice. Ransomware-focused crime forums don't tend to carry a lot of discussion about the money laundering aspect of the industry, he said, but after next to no posts on Suex over past couple of years, around 40 sprung up in the last twenty-four hours – mostly links to stories about the sanctions.

Sanctions against a single exchange could be a successful starting point for a broader strategy of disrupting the cryptocurrency ecosystem currently fueling ransomware, said. Philip Reiner, CEO of the Institute for Security and Technology and co-chair of the Ransomware Task Force, an influential multistakeholder group devoted to ransomware deterrence.

"I think it's realistic to expect to see more sanctioned entities, probably in rapid succession over the course of the coming months," he said. "It's reasonable to expect to see more seizures of wallets and reasonable to expect to see actions not just against exchanges, but against individuals and mixers [services making cryptocurrency harder to track]. I think those would be the kinds of things that I would want to see as part of an overall effort to disrupt the abuse of these cryptocurrency tools."

Law enforcement, for example, was able to seize back $2.3 million in cryptocurrency from the criminals' wallet taken as ransom from Colonial Pipeline after a high-profile extortion earlier this year.

"Sanctions are a significant step forward. But they will be insufficient, because of the obvious ephemeral nature of exchanges and digital currencies," said Tom Kellermann, head of cybersecurity strategy at VMware and a member of the Secret Service's Cyber Investigations Task Force. "I hope that they will take further steps."

Said Kellermann, ideal additional steps would start with a detailed standard of care for exchanges to follow including not transfering money to known ransomware groups, creating the ability to freeze and return illegally procured funds, and the ability to provide a customer name when called upon by law enforcement to do so.

"Anyone who refuses to do that should be sanctioned, especially the ones that advertise on their websites they exist outside of extradition treaties with Western world," he said. "I know people won't appreciate what I just said, but enough is enough."

An In-Depth Guide to Ransomware

Get essential knowledge and practical strategies to protect your organization from ransomware attacks.
Joe Uchill

Joe is a senior reporter at SC Weekly, focused on policy issues. He previously covered cybersecurity for Axios, The Hill and the Christian Science Monitor’s short-lived Passcode website.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds