Treasury and DOJ announce sanctions and charges in ransomware attacks, FinCEN updates ransomware guidance
On November 8, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions pursuant to Executive Order 13694, as amended, against two ransomware operators and a virtual currency exchange network. According to OFAC, the virtual currency exchange and its associated support network are being designated for allegedly facilitating financial transactions for ransomware actors. OFAC is also designating two individuals allegedly associated with perpetuating ransomware incidents against the U.S., and who are part of a cybercriminal group that has engaged in ransomware activities and has received over $200 million in ransom payments. As a result of the sanctions, “all property and interests in property of the designated targets that are subject to U.S. jurisdiction are blocked, and U.S. persons are generally prohibited from engaging in transactions with them” and “any entities 50 percent or more owned by one or more designated persons are also blocked.” According to OFAC, the sanctions are part of a set of actions focused on disrupting criminal ransomware actors and virtual currency exchanges that launder the proceeds of ransomware, which “advance the Biden Administration’s counter-ransomware efforts to disrupt ransomware infrastructure and actors and address abuse of the virtual currency ecosystem to launder ransom payments.” Additionally, the DOJ announced charges against the sanctioned individuals under OFAC’s designations, seizing approximately $6.1 million in alleged ransomware payments.
The same day, FinCEN issued an advisory, which updated and replaced its October 1, 2020 Advisory on Ransomware and the Use of the Financial System to Facilitate Ransom Payments (covered by InfoBytes here). The updated advisory responds to the recent increase in ransomware attacks against critical U.S. infrastructure. It also reflects information released by FinCEN in its Financial Trend Analysis Report, which discusses current trends and typologies of ransomware and associated payments as well as recent examples of ransomware incidents. Additionally, the updated advisory describes financial red flag indicators of ransomware-related illicit activity to assist financial institutions in identifying and reporting suspicious transactions related to ransomware payments, consistent with obligations under the Bank Secrecy Act.