Building Ransomware Resilience: A Proactive Strategy For Businesses And Regulators

The rise of ransomware attacks has prompted the international
community to explore a range of approaches to deter these attacks,
including the use of sanctions, the further development and
instantiation of norms governing cyberattacks, and the promotion of
cybersecurity best practices.

Sanctions have been an important part of the toolkit used by
government agencies to impose costs on ransomware actors. In
February 2023, regulators in the UK and the US Treasury
Department’s Office of Foreign Assets Control (OFAC) sanctioned seven members of the Russian-based
cybercrime gang TrickBot, associated with Russian Intelligence
Services, for deploying ransomware to target critical
infrastructure in both countries. In August 2022, OFAC sanctioned Tornado Cash, a decentralized
cryptocurrency mixer, for allegedly facilitating the laundering of
$7 billion in virtual currency (VC). In a similar move, in
September 2021, OFAC designated SUEX OTC, S.R.O. (SUEX), a Russian
cryptocurrency exchange, as an entity on the Specially Designated
Nationals and Blocked Persons list, which restricts US dealings
with certain entities posing national security threats.
Concurrently, OFAC issued a ransomware advisory (September 2021
Advisory) highlighting the sanctions risks associated with
ransomware payments in connection with malicious cyber-enabled
activities. SUEX was found to have moved hundreds of millions of
dollars of cryptocurrency from illicit sources, including more than
$160 million from ransomware actors.

While these designations are important, a comprehensive approach
is necessary to continue to deter and degrade ransomware networks.
This proactive and broad-based approach may involve targeted
sanctions, information sharing, public-private partnerships, and
empowering businesses and individuals to protect themselves from
ransomware attacks. By engaging foreign regulators that
emphasize financial crimes compliance, this approach could help
them more effectively supervise virtual asset service providers
(VASPs) in their jurisdictions, reducing the risk that those VASPs
process payments for ransomware actors.

I. Understanding the Ransomware Ecosystem

Ransomware is a form of malicious software (malware) designed to
block access to computer systems or data, often by encrypting data
or programs. Cyber actors demand ransom payments, usually in VC, in
exchange for a key to decrypt files and restore victims’ access
to their information. In recent years, OFAC has been targeting
various actors in the ransomware ecosystem, including:

  1. TrickBot: TrickBot is a modular malware suite
    operated by a Russian-based cybercrime gang that has targeted
    hospitals and healthcare centers. In February 2023, OFAC and
    regulators in the UK sanctioned seven members of the “TrickBot
    Group,” whose current members OFAC stated are associated with
    Russian Intelligence Services, for deploying ransomware to
    target critical infrastructure in both countries.

  2. SUEX: SUEX is a Russian VC exchange designated
    by OFAC in September 2021 for facilitating transactions with
    illicit proceeds, including more than $160 million from ransomware
    actors. While SUEX has allegedly facilitated transactions with
    illicit proceeds from at least eight ransomware variants and more
    than 40 percent of its transaction history is associated with
    illicit actors, OFAC has acknowledged that “the action against SUEX does not implicate a
    sanctions nexus to any particular Ransomware-as-a-Service (RaaS) or
    variant.” Therefore, the impact of this action on
    ransomware attacks and associated payments remains uncertain.

  3. Tornado Cash: Tornado Cash, sanctioned by OFAC in August 2022, is a
    decentralized cryptocurrency mixer that OFAC said facilitated the
    laundering of $7 billion in cryptocurrency and $1.5 billion in proceeds from crimes such as ransomware
    attacks. Mixers like Tornado Cash increase privacy but have also
    been used by illicit actors. OFAC alleged that Tornado Cash was
    used to launder more than $455 million stolen by the Lazarus Group,
    a Democratic People’s Republic of Korea state-sponsored hacking
    group, in the largest VC heist known to date. OFAC advises US persons to consider mixers
    “high risk” and to use a “risk-based approach”
    to assess and mitigate VC-related risks, such as those posed by
    mixers’ anonymizing features. Going forward, OFAC intends to “investigate the use of mixers for illicit
    purposes [in response] to illicit financing risks in the [VC]

II. OFAC’s September 2021 Advisory

In addition to designating a range of actors involved in the
ransomware ecosystem, OFAC has also issued compliance guidance to
help firms manage risks around ransomware transactions specifically
and VC transactions generally. OFAC’s September 2021 Advisory notes that the US
government “strongly discourages all private companies and
citizens from paying ransom or extortion demands.” The
September 2021 Advisory explains that under the International
Emergency Economic Powers Act or the Trading with the Enemy Act,
businesses can be held accountable for breaking OFAC rules by
paying ransoms to sanctioned persons, even if they were unaware
they were doing so. Furthermore, to avoid sanctions violations,
OFAC suggests businesses implement a “risk-based compliance
program to mitigate exposure to sanctions-related violations,”
which can be supplemented through training, offline backups,
response plans and other efforts to protect a company’s
technical infrastructure. OFAC also emphasizes the importance of
prompt reporting, noting that it views a “self-initiated and
complete report of a ransomware attack to law enforcement” as
a significant mitigating factor in an enforcement context. This
guidance is consistent with OFAC’s broader guidance about how
companies should build effective risk-based compliance


Overall, OFAC’s sanctions campaign reflects its commitment
to combating ransomware through targeted sanctions and partnerships
with other government agencies and international partners.

III. Key Compliance Considerations for Ransomware Attacks

To comply with OFAC regulations and mitigate sanctions risks
when faced with ransomware payments, companies should implement
risk-based compliance programs. These programs are essential for
avoiding potential pitfalls associated with ransomware payments and
maintaining a strong security posture. Key elements of these
programs may include:

  1. Thorough due diligence: Conduct screening of
    names, wallet addresses and email addresses linked to potential
    ransomware actors to ensure no transactions inadvertently occur
    with sanctioned entities. Moreover, since civil penalties can still
    be imposed for unknowingly making payments to sanctioned actors on
    a strict liability basis, due diligence is essential to mitigating
    ransomware risk.

  2. Robust incident response plan: Establish a
    solid incident response plan that trains employees to recognize and
    report ransomware attacks, maintains offline backups of critical
    data and systems for swift recovery, and implements a clear
    communication strategy for internal stakeholders, coordinating with
    external partners like law enforcement agencies and cybersecurity
    firms. Promptly reporting ransomware attacks to relevant
    authorities is considered a mitigating factor by OFAC, emphasizing
    the value of collaboration and communication with law

  3. Engaging expertise: Collaborating with expert
    third parties who can help companies navigate cyber incidents and
    comply with OFAC guidelines is essential. By enlisting the
    assistance of these experts, businesses can better manage the
    complexities associated with ransomware incidents and minimize
    operational disruptions as well as the potential legal and
    financial consequences of possible OFAC violations. These
    professionals possess up-to-date knowledge about the latest
    ransomware groups and payment methods, and they have relevant
    contacts, such as those within the FBI, enabling them to provide
    informed guidance and support during a crisis.

IV. Beyond Sanctions: A Comprehensive Strategy for Ransomware

A whole-of-sector, holistic approach is
necessary to effectively combat ransomware threats.

A. Operationalizing the Approach

Sanctions are an important—a necessary but not
sufficient—component of an overall strategy to combat
ransomware. US regulators should prioritize collaboration with
foreign counterparts to implement sanctions measures.1
In addition, OFAC and others can establish preventative principles by
offering best-practice training and focusing on education in
vulnerable regions such as Latin America, the Caribbean and Eastern
Europe, strengthening global defense against ransomware and
mitigating its negative impact on businesses and individuals.

US regulators such as OFAC can take the lead in the responsible
development and design of compliance standards, knowledge and tools
for their international counterparts to effectively monitor and
regulate VC exchanges and VASPs for financial crimes compliance
purposes. To further deter the inadvertent facilitation of
transactions to ransomware actors, this approach could also draw on
lessons learned from counterterrorism finance efforts, which have
emphasized an international whole-of-sector approach involving
investment and collaboration with private-sector partners and other
stakeholders to prevent attacks before they happen.

By supervising VASPs and empowering foreign regulators and
companies with the necessary training and resources, implementing
risk-based compliance programs, and collaborating with expert third
parties, we can create a robust global defense against ransomware.
Adopting this multifaceted approach goes beyond the imposition of
sanctions on specific bad actors—it reduces the prevalence of
ransomware, shielding governments and businesses from its
devastating consequences.


1. The International Counter Ransomware Initiative
Summit hosted by the White House in November 2022 and the Biden
Administration’s March 2023 National Cybersecurity Strategy are important
steps in implementing this kind of multifaceted

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.

