Hacker holding crypto showing crypto exchange sanctioned for ransomware payments

Ransomware Payments Prompt Treasury Department Sanction on Russian Crypto Exchange SUEX

The United States Treasury Department has handed down the first sanctions to a crypto exchange, hitting Russia-based SUEX.io for facilitating ransomware payments.

Founded in 2018, SUEX is not a surprising choice for this action given that it made quite clear that it specialized in illicit activities. The crypto exchange took in users by invitation only, required encrypted communications on Telegram and would only complete transactions in person at its office. The action enters new legal ground, however, as it represents the first formal restriction for use of a crypto exchange by US citizens.

Shady Russian crypto exchange receives first US ban

The sanctioning of SUEX is an early salvo in the Biden administration’s planned war against ransomware, something that became a high priority after attacks against JBS, Colonial Pipeline and others shut down pieces of US infrastructure for extended periods of time.

Though stopping short of outlawing ransomware payments, the administration has made clear that it wants to attack cyber criminals and their support structures through their avenues of finance. The Czech-founded and Russia-based SUEX is one of the more brazen of these clearinghouses for the illicit proceeds of cyber attacks. Deputy Treasury Secretary Wally Adeyemo told the media that the crypto exchange had processed at least eight ransomware payments that the agency was aware of.

With the exception of sanctioned entities, the US government does not forbid ransomware payments but it does encourage victims to immediately report the incidents to authorities. In some cases, including high-profile attacks such as Colonial Pipeline, federal agencies have been able to claw back substantial amounts of ransomware payments by cutting off the flow of money at crypto exchanges and other financial institutions it has legal access to.

SUEX is one of the more brazen crypto exchanges in terms of advertising its services to the criminal underworld, stopping just short of taking out billboards expressly promoting its ransomware-friendly features. It requires users to personally visit an office in Moscow to conclude all transactions, it cannot be accessed without an invitation, and all communications regarding money movements must be conducted using the encrypted Telegram messaging app. Cryptocurrency research firm Chainalysis reports that the sketchy crypto exchange has moved hundreds of millions of dollars in illicit transactions since 2018, including $160 million in Bitcoin. At least $13 million appears to have come from the notorious Ryuk and Maze ransomware organizations. The US Treasury said that at least 40% of SUEX’s transactions come from illegal activity.

SUEX now finds itself on the Treasury Specially Designated Nationals and Blocked Persons List, which means that Americans can be fined for doing business with it. President Joe Biden’s recent remarks to the United Nations General Assembly included an affirmation that the US intends to establish “clear rules of the road for all nations” in cyberspace and that it reserves the right to “respond decisively” to cyber attacks.

John Hammond, Senior Security Researcher at Huntress, feels that it will take some time to determine if this aggressive new approach: “This effort from the Treasury is one step forward. Right now, we can’t say for certain if it is a step in the right direction, but it is better than no step at all. It is too early to tell how or even if this will impact cybercrime — but something has to be done. Without this effort, or without any effort, cryptocurrency markets will continue to be used and abused by criminals like it is open season.”

Ransomware payments flowing through foreign facilitators targeted

A small but active set of crypto exchanges, SUEX included, provides outlets for ransomware payments to be converted into hard cash by the perpetrator. These illicit banking operations know their customers, setting terms and costs accordingly; SUEX reportedly will not process transactions that are any smaller than $10,000.

These criminal-friendly virtual crypto exchanges also take pains to protect their customers from prying eyes. They are essentially boutique vendors that plug into larger international crypto exchanges, putting a layer of obfuscation between the customer and more legitimate outfits. SUEX is also furnished with a large supply of cash-on-hand, with which it can presumably facilitate quick cash-outs for the customer while negotiating safe laundering of ransomware payments. It’s unclear where the cash comes from, but SUEX stakeholders include very wealthy individuals with ties to MTS (Russia’s largest telecommunications company) and Czech venture capital circles.

Chainalysis CTO Gurvais Grigg believes that this group of boutique criminal crypto exchanges is very small; analysis indicates that just five like SUEX were responsible for processing 82% of ransomware payments in 2020. The added pressure from the US government is unlikely to put an end to these processors, but Grigg believes that it will lead to changes among the criminal underworld and catalyze more action from the U.S. Treasury.

The Treasury’s Office of Foreign Assets Control (OFAC) has announced that more sanctions of this nature can be expected. While this aggressive approach may appear to be a necessary measure in the face of a problem that is growing out of control, James McQuiggan (Security Awareness Advocate for KnowBe4) points out that a campaign of sanctions and similar measures could wind up hurting victims as well: “The U.S. government is using sanctions as a primary way to slow down the cryptocurrency exchanges. At the same time, those impacted by ransomware attacks could be those more impacted by these sanctions … Suppose they cannot utilize the crypto exchanges to pay the ransom based on their policies and procedures. In that case, these sanctions remove the ability to collect the decryption keys and prevent cyber criminals from exposing their data online … While the sanctions are a way to restrict payments, organizations need to examine their environment and look at the root cause of ransomware attacks and determine a method to prevent the way cyber criminals are getting in via phishing or social engineering attacks.”