The Biden Administration has placed sanctions on a cryptocurrency exchange after alleging that it has been involved in enabling illegal payments from ransomware attacks.
But the move has been criticized by one cybersecurity expert, who fears the US will become embroiled in a never-ending “cat and mouse game”.
The Treasury Department has accused SUEX OTC, S.R.O, of facilitating payments made to gangs who extorted victims using eight different strains of ransomware - a type of malware that locks data until the victim pays a ransom.
Incorporated in Czechia (The Czech Republic) but operating in Russia, Suex is the first crypto organization to be hit with sanctions for its alleged links to ransomware.
"Exchanges like Suex are critical to attackers' ability to extract profits from ransomware attackers," said Treasury Deputy Secretary Adewale “Wally” Adeyemo.
He went on to say the sanctions are “a signal of our intention to expose and disrupt the illicit infrastructure using these attacks”.
Anne Neuberger, deputy national security adviser for cyber, also announced that ransomware payments reached more than $400 million in 2020 - four times as much as in 2019.
Ransomware gangs have attacked many different targets in recent months, ranging from hospitals to critical national infrastructure such as the Colonial Pipeline, which led to fuel supply shortages across the East Coast.
President Vladimir Putin is often accused of turning a blind eye to ransomware gangs - or even “enabling” them.
In July, President Biden met with the Russian leader and told him that critical infrastructure must be considered “off-limits” in ransomware attacks.
The Treasury said its analysis of Suex transactions suggested 40% involved “illicit actors” and accused the exchange of allowing gangs to “facilitate illicit activities for their own illicit gains”.
The sanctions block Suex's access to all U.S. property and interests, as well as preventing Americans from making transactions with the company.
Treasury Secretary Janet L. Yellen said: “Ransomware and cyber-attacks are victimizing businesses large and small across America and are a direct threat to our economy. We will continue to crack down on malicious actors.”
“As cyber criminals use increasingly sophisticated methods and technology, we are committed to using the full range of measures, to include sanctions and regulatory tools, to disrupt, deter, and prevent ransomware attacks.”
However, the plans were heavily criticized by Josh Arsenio, director of the cybersecurity company Security Compass Advisory.
“Restricting the ability to pay for ransoms using cryptocurrencies won’t directly stop the attack; instead, it puts pressure on victims and IR service providers trying to help, and leaves them with very few legal options to restore their business operations,” he said.
“Additionally, attempting to force the decentralized finance community to enact restrictions against digital currencies goes against their very nature and opens everyone up to a losing game of cat and mouse, which is clearly untenable to sustain. Further, the US cannot enact and enforce these sanctions on its own. There needs to be international cooperation.”
It is not entirely clear that Russia has the ability to control the ransomware gangs, but it is often accused of turning a blind eye to their activities.
“It’s well established that while the Russian and Chinese governments may not be performing the attacks themselves, they are permissive of criminal groups operating out of their countries and territories,” Arsenio added. “Not to mention governments like DPRK that are directly sponsoring the activities.
“American-based organizations may have no choice but to follow the laws, particularly regulated industries, but that does not change the intentions of criminals. This may force them to change their playbook to target and extort other targets. For example, we may see a shift to extorting high-worth individuals.”
“If I were to speculate, I would say that this is only one visible component of a multi-pronged attack against the organized crime groups behind ransomware attacks. If the US were to apply the cyber offensive capabilities to individual groups to shut down their operations, in addition to capping their income stream at the knees, we may have a brighter future.”
The blockchain intelligence firm TRM Labs has released an analysis of Suex and said it “filled an essential niche in the ecosystem of underregulated exchanges that, either through willful ignorance or witting cooperation, facilitate the conversion of illicit crypto ransoms into real-world currency”.
SUEX largely communicated with its clients on the Telegram app and accepted new customers “on a system of referrals from trusted intermediaries”.
This means it could only be used by people with a lot of crypto, which could include wealthy whales - and ransomware extortionists.
“This was not the kind of business where a random person on the internet could open an account,” TRM wrote.
“Transactions were only completed in-person at SUEX's offices. While not explicitly explained on its website, SUEX also appeared to deal almost exclusively in high-value deals - its minimum acceptable transaction was $10,000.”
It said the sanctions would have a “wide-ranging effect” on the “criminal-servicing underbelly of the crypto industry”.
SUEX is a “nested exchange”, which means it does not directly hold its clients’ crypto.
“Instead, it used the infrastructure of a large, global cryptocurrency exchange to conduct its transactions,” TRM added.
“Nested exchanges often take advantage of the greater liquidity and lower transaction costs of big, multinational exchanges while presenting customers with a custom-made interface obscuring the connection to the larger service. Using this relationship with a large exchange, and access to cash from unknown sources, SUEX was able to convert the illicit monies of its clients to physical cash at an alarming scale.”
It added: “Today's action also highlights the collateral risks experienced by possibly legitimate businesses operated by the owners and investors of SUEX. These companies may not be named in this action, but their banks, investors, and clients will surely reconsider the wisdom of doing business with the operators of a sanctioned crypto exchange.”