Risks to Those Who Facilitate Ransomware Payments

Antonia M. Apps and Adam Fee are partners and Matthew Laroche is special counsel at Milbank LLP. This post is based on their Milbank memorandum.

On November 8, 2021, the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) announced that it had designated virtual currency exchange Chatex, and three companies that provided support to Chatex, for facilitating financial transactions for ransomware groups. In the same release, OFAC announced the designation of two individuals, Yaroslav Vasinskyi and Yevgeniy Polyanin, who also were separately charged by the Department of Justice (“DOJ”) for deploying REvil ransomware to attack businesses and government entities in the United States. Vasinskyi is allegedly responsible for the July 2021 ransomware attack against the software company Kaseya, which infected more than 1,000 businesses and 40,000 computers worldwide.

We previously wrote in the post linked here about OFAC’s September 2021 actions designed to counter ransomware, principally by discouraging ransomware payments, and recommended guidelines for companies considering whether or not to pay the ransom. Below we describe the latest steps taken by OFAC and DOJ to counter ransomware and how they reinforce the risk to companies that facilitate making ransomware payments.

I. The Kaseya Attack and Latest Enforcement Actions

On July 2, 2021, Kaseya’s Incident Response team learned of a potential cyberattack affecting its VSA software. In response, Kaseya immediately shut down its servers and began warning customers. While Kaseya estimated that only about 40 of its more than 36,000 customers were victimized, more than 30 of those victim customers were service providers, which, in turn, infected their customers. Security analysts believe that those responsible for the attack leveraged multiple vulnerabilities in the VSA software to push a fake update to software users, which automatically delivered the ransomware. By design, the VSA software has administrator rights down to the client systems, meaning that an infected service provider likely automatically infected their clients’ systems. The attack was catastrophic to many of those infected. One of the publicly identified victims—Swedish grocery chain Coop—for a time had to close down more than 800 stores because the attack had crippled payment terminals.

The DOJ publicly charged Vasinskyi for the Kaseya attack. According to the Indictment, Vasinskyi caused the deployment of REvil ransomware on Kaseya’s computer network. REvil (also known as Sodinokibi) is a notorious ransomware group that has been identified as the perpetrator of numerous other recent high-profile attacks, including against food processing giant JBS USA Holdings Inc. Polyanin is also alleged to have deployed REvil ransomware against several victim companies. As part of those attacks, victims were provided a virtual currency address to pay the ransom. If a victim paid the ransom amount, they were provided the decryption key to access their files. If a victim did not pay the ransom, their stolen data was posted online or allegedly sold to third parties.

In parallel with the DOJ’s announcement, OFAC sanctioned Vasinskyi, Polyanin, and Chatex. Chatex is alleged to have facilitated transactions for multiple ransomware variants with over half of its known transactions traced to illicit or high-risk activities such as darknet markets, high-risk exchanges, and ransomware. OFAC noted that Chatex conducted transactions using the services of SUEX OTC, S.R.O., another entity previously sanctioned for facilitating ransomware payments. OFAC also sanctioned three companies—IZIBITS OU, Chatextech SIA, and Hightrade Finance Ltd.—for “providing material support and assistance to Chatex.” According to OFAC, those three companies “enabled” Chatex’s operations by setting up its infrastructure.

II. Virtual Currencies At Heightened Risk of Enforcement Actions

The actions taken by OFAC and DOJ highlight the risks facing companies that facilitate ransomware payments. OFAC and DOJ have limited options in combatting these attacks. Though Vasinskyi was arrested in Poland, most ransomware criminals operate anonymously and/or from countries that do not cooperate with U.S. law enforcement. The DOJ, OFAC, and other law enforcement and regulatory bodies strongly discourage paying ransomware demands as a way to deter future attacks, but victim companies are highly unlikely to face an enforcement action for making a payment (and none have).

OFAC’s recent actions highlight the risk facing companies, especially virtual exchanges, that facilitate ransom payments. OFAC likely views sanctions as the best available option for discouraging companies from paying ransomware demands and deterring ransomware groups from committing future attacks. As a result, virtual currency exchanges must ensure that they have appropriate sanctions and anti-money laundering procedures and practices in place so that they do not facilitate such a payment. As noted, OFAC also sanctioned companies that enabled the operations of the sanctioned virtual currency exchange. Thus, even companies that do not directly facilitate payments face risks if they provide services that help the exchange facilitate payments.

OFAC’s recent actions have implications for victim companies as well. We wrote in the linked post about payment mechanics for a victim company that decides to pay a ransom. A victim must have a plan in place for paying the ransom, which generally requires access to cryptocurrency or a relationship with another organization that can broker payment. In light of recent enforcement actions against virtual currency exchanges, victim companies are likely to find it more difficult to find an exchange to facilitate payment to a ransomware group. Victim companies should also avoid currency exchanges that are sanctioned, which would unnecessarily increase the risk of an enforcement action against the victim company.
