Better Ransomware Reporting Will Spur Better Sanctions, Say Witnesses

U.S. sanctions against a range of ransomware groups and facilitators over the past few years have been “very effective in shutting down the flow of funds to designated entities and individuals,” especially when “cryptocurrency addresses have been included as identifiers,” said Jacqueline Koven, Chainalysis head of cyberthreat intelligence. She said sanctions against Suex (see 2109210031), Chatex (see 2111080041) and other virtual currency exchanges “have been catastrophic to their business, severely damaging their operations.”

Megan Stifel, Institute for Security and Technology chief strategy officer, said sanctions are particularly effective in “reducing the ability for ransomware actors to cash out their proceeds.” But Stifel, a former National Security Council official, also said the government may need to revise its reporting requirements for ransomware activity to better help it target exchanges and entities. “Without an adequate picture of the scale and scope of this type of cybercrime,” she said, “it inhibits the government's ability to identify and develop that sanctions package” and “have sufficient evidence to designate a particular entity.”

Law enforcement sometimes struggles to collect evidence from ransomware victims, which can take “months, sometimes years” and slow sanctions designations, said Bill Siegel, CEO of Coveware, a ransomware response firm. He said some ransomware victims don’t want authorities to recover their ransomware payments because they’re worried the attackers won’t honor the initial commitment they made to the victim in exchange for the payment. Siegel said the percentage of ransomware victims that voluntarily participate in government investigations is “very” low. “That is very frustrating to law enforcement,” he said.

But strengthened, mandatory reporting requirements could allow law enforcement to collect more accurate information and “secure the evidence necessary to achieve these indictments,” Siegel said. “A lot of the ability for our agencies to sanction these groups depends on these investigations,” he said. “And when those investigations can't conclude, we can't get to the finish line on imposing sanctions.”

Koven said it’s “vital that we improve ransomware reporting and information sharing,” adding there should be “clear guidance on when, what and where to report incidents, and this information should be shared swiftly with law enforcement agencies.”

This could lead to more additions to the Treasury Department’s specially designated nationals list, Koven said. When ransomware attackers or virtual currency exchanges are added to the list, they become “less likely” to receive payments because of the “inherent risk of a sanctions violation,” she said, and the “capacity of compliant cryptocurrency businesses to screen for sanctioned individuals and their cryptocurrency addresses.” She specifically cited the Office of Foreign Assets Control's 2020 guidance, which made industry aware of the sanctions risks of facilitating ransomware payments.

Koven said the guidance is important because there's a “robust industry of consultants” who help ransomware victims negotiate with their attackers. One of the most effective tools against ransomware attacks is sanctions compliance, Koven stressed. Once OFAC designates an entity, “funds associated with it can be broadly flagged to compliant participants in the network due to the transparency of the blockchain, and therefore easier to prevent further exposure to the designated network,” she said. “Compliant cryptocurrency exchanges have proven effective at stopping the flow of funds” to SDNs.