Export Compliance Daily is a Warren News publication.

Better Ransomware Reporting Requirements Will Lead to Improved Sanctions, Witnesses Say

A recent increase in U.S. sanctions against ransomware actors has helped to reduce the effectiveness of cyberattackers and limit their profits, witnesses told the Senate Committee on Homeland Security and Governmental Affairs June 7. But the U.S. can do more to counter ransomware activity, they said, including working more closely with allies to track ransomware payments and collecting better information from industry.

U.S. sanctions against a range of ransomware groups and facilitators over the past few years have been “very effective in shutting down the flow of funds to designated entities and individuals,” especially when “cryptocurrency addresses have been included as identifiers,” said Jacqueline Koven, head of cyberthreat intelligence for Chainalysis. She said sanctions against Suex (see 2109210031), Chatex (see 2111080041) and other virtual currency exchanges “have been catastrophic to their business, severely damaging their operations.”

Megan Stifel, chief strategy officer for the Institute for Security and Technology, said sanctions have been particularly effective in “reducing the ability for ransomware actors to cash out their proceeds.” But Stifel, a former National Security Council official, also said the government may need to revise its reporting requirements surrounding ransomware activity to better help it target exchanges and entities.

“Without an adequate picture of the scale and scope of this type of cybercrime,” Stifel said, “it inhibits the government's ability to identify and develop that sanctions package” and “have sufficient evidence to designate a particular entity.”

Law enforcement officials sometimes struggle to collect evidence from ransomware victims, which can take “months, sometimes years” and slow sanctions designations, said Bill Siegel, CEO of Coveware, a ransomware response firm. He said some ransomware victims don’t want authorities to recover their ransomware payments because they’re worried the attackers won’t honor the initial commitment they made to the victim in exchange for the payment. Siegel said the percentage of ransomware victims that voluntarily participate in government investigations is “very” low. “That is very frustrating to law enforcement,” he said.

But strengthened, mandatory reporting requirements could allow law enforcement to collect more accurate information and “secure the evidence necessary to achieve these indictments,” Siegel said. “A lot of the ability for our agencies to sanction these groups depends on these investigations,” he said. “And when those investigations can't conclude, we can't get to the finish line on imposing sanctions.”

Koven said it’s “vital that we improve ransomware reporting and information sharing,” adding there should be “clear guidance on when, what and where to report incidents, and this information should be shared swiftly with law enforcement agencies.”

This could lead to more additions to the Treasury Department’s Specially Designated Nationals List, Koven said. When ransomware attackers or virtual currency exchanges are added to the list, they become “less likely” to receive payments because of the “inherent risk of a sanctions violation,” she said, and the “capacity of compliant cryptocurrency businesses to screen for sanctioned individuals and their cryptocurrency addresses.”

She specifically pointed to the Office of Foreign Assets Control's 2020 guidance, which made industry aware of the sanctions risks of facilitating ransomware payments (see 2010010018). Koven said the guidance was important because there is a “robust industry of consultants” who help ransomware victims negotiate with ransomware attackers.

One of the most effective tools against ransomware attacks is sanctions compliance, Koven stressed. Once OFAC designates an entity, “funds associated with it can be broadly flagged to compliant participants in the network due to the transparency of the blockchain, and therefore easier to prevent further exposure to the designated network,” she said. “Compliant cryptocurrency exchanges have proven effective at stopping the flow of funds” to SDNs.