Last week, the US sanctioned several groups and individuals because of their alleged association with “disinformation” campaigns that were reportedly coordinated by the Russian government.
Blockchain analysis firm Chainalysis points out that a few of the sanctioned parties used virtual currency in their “criminal endeavors,” and that their cryptocurrency wallet addresses were included in their entries on OFAC’s Specially Designated Nationals and Blocked Persons List (SDN List).
As Chainalysis notes, the case is a reminder of the “sanctions risk” that arises when “adversarial” governments take advantage of digital currency. Disinformation campaigns are not the only example, however: according to Chainalysis, ransomware attacks may also “carry a risk of sanctions violations.”
In October of last year, perhaps prompted by the “massive uptick” in ransomware attacks affecting the public and private sector, the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) issued an advisory alert warning that “making ransomware payments could be a sanctions violation for victims or companies that facilitate payments for victims,” Chainalysis noted in its blog post.
The blockchain firm added:
“The facilitation point is important, as there’s a robust industry of consultants who help ransomware victims negotiate with and pay ransomware attackers. The alert cited examples of ransomware creators and attackers who have been put on the OFAC sanctions list, such as the two Iranian nationals who laundered proceeds from the SamSam ransomware strain. October’s alert bolsters previous government guidance not to pay ransomware attackers, as this incentivizes future attacks. However, this alert goes a step further in warning that ransomware victims and consultants who help them make payments could face the heavy penalties associated with sanctions violations.”
But just how “big” is the sanctions violation risk when it involves ransomware? Chainalysis reports that it examined all ransomware payments (tracked since 2016) and determined the “percentage of payment volume that was associated with sanctions risks.”
Chainalysis reportedly counted all ransomware payments that meet certain criteria (as “constitutive of sanctions violation risk”):
- Payments to addresses “identified by OFAC as belonging to sanctioned individuals (note: this includes payments made before the addresses were actually sanctioned).”
- Payments to addresses “connected to ransomware strains whose creators have been sanctioned by OFAC.”
- Payments to addresses “connected to ransomware strains associated with cybercriminals based in heavily sanctioned jurisdictions such as Iran and North Korea.”
As noted by the blockchain firm, those criteria cover the following “ransomware strains”:
- SamSam: OFAC-designated cryptocurrency address.
- Ouroboros: Linked to Iranian actors.
- VoidCrypt: Linked to Iranian actors.
- Sorena: Linked to Iranian actors.
- Pay2Key: Linked to Iranian actors.
- WannaCry 1.0, WannaCry 2.0: Linked to North Korean actors.
- NotPetya: Associated with sanctioned actors in Russia.
- CryptoLocker: Associated with sanctioned actors in Russia.
- Bitpaymer: Speculated to be associated with sanctioned group Evil Corp.
- Locky: Speculated to be associated with sanctioned group Evil Corp.
- Doppelpaymer: Speculated to be associated with sanctioned group Evil Corp.
- WastedLocker: Speculated to be associated with sanctioned group Evil Corp.
- Clop: Disputed, but speculated to be associated with Evil Corp.
Based on those designations, Chainalysis was able to determine that 15% of all ransomware payments made last year actually “carried a risk of sanctions violations.” The company claims that this was “quite low compared to some previous years.”
Cryptocurrencies used for such transactions included Bitcoin Cash (BCH), Bitcoin (BTC), Ethereum (ETH) and Tether (USDT).
Chainalysis clarified that all payments “to addresses associated with OFAC-sanctioned individuals or groups noted on [their chart and analysis] took place before those individuals or groups were added to the OFAC sanctions list.”
Although the rate of sanctions risk in ransomware payments has “declined from much higher figures in 2018 and prior,” Chainalysis cautions readers to “keep in mind how much ransomware payments overall increased in 2020.” That means, the firm writes, that “the dollar figure for ransomware payments with sanctions risk skyrocketed last year.”
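To make the screening method concrete, the following Python script applies the three criteria above (an OFAC-listed address, a strain whose creators are sanctioned, and a strain tied to actors in a heavily sanctioned jurisdiction) to a small set of payments and reports both the share of payment volume at risk and the absolute dollar figure, which is the distinction the last paragraph draws. This is an added example, not Chainalysis’s code or methodology as implemented; the SDN address, its designation date, the payment records and the `strict` switch that drops “speculated” and “disputed” attributions are all constructed for illustration, and the strain table is transcribed from the list on this page.

```python
"""Sanctions-risk screening for ransomware payments (added example).

Applies the article's three criteria to constructed payment records and
reports the share of volume, and the dollar amount, that carries risk.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class StrainRisk:
    basis: str        # why the strain carries sanctions risk
    confidence: str   # "linked", "speculated" or "disputed", as on the page


# Strain-to-risk table transcribed from the article's list.
STRAIN_RISK = {
    "SamSam": StrainRisk("OFAC-designated address", "linked"),
    "Ouroboros": StrainRisk("Iranian actors", "linked"),
    "VoidCrypt": StrainRisk("Iranian actors", "linked"),
    "Sorena": StrainRisk("Iranian actors", "linked"),
    "Pay2Key": StrainRisk("Iranian actors", "linked"),
    "WannaCry 1.0": StrainRisk("North Korean actors", "linked"),
    "WannaCry 2.0": StrainRisk("North Korean actors", "linked"),
    "NotPetya": StrainRisk("sanctioned actors in Russia", "linked"),
    "CryptoLocker": StrainRisk("sanctioned actors in Russia", "linked"),
    "Bitpaymer": StrainRisk("sanctioned group Evil Corp", "speculated"),
    "Locky": StrainRisk("sanctioned group Evil Corp", "speculated"),
    "Doppelpaymer": StrainRisk("sanctioned group Evil Corp", "speculated"),
    "WastedLocker": StrainRisk("sanctioned group Evil Corp", "speculated"),
    "Clop": StrainRisk("sanctioned group Evil Corp", "disputed"),
}

# Constructed stand-in for the digital-currency addresses on the SDN list.
# The address and designation date are invented; a real screen would load
# OFAC's published SDN data instead.
SDN_ADDRESSES = {
    "1SDNexampleAAAAAAAAAAAAAAAAAAAAAAA": ("SamSam-linked designee (constructed)",
                                          date(2018, 11, 28)),
}


@dataclass(frozen=True)
class Payment:
    strain: str
    to_address: str
    paid_on: date
    usd: float


def screen(p: Payment, strict: bool = False) -> list:
    """Return the sanctions-risk findings for one payment (empty means none found)."""
    findings = []
    hit = SDN_ADDRESSES.get(p.to_address)
    if hit:
        party, designated_on = hit
        # The article counts payments made before the address was designated
        # as carrying risk too; record the timing so a reviewer can see it.
        timing = "before designation" if p.paid_on < designated_on else "after designation"
        findings.append(f"OFAC-listed address: {party}, paid {timing}")
    risk = STRAIN_RISK.get(p.strain)
    if risk and (not strict or risk.confidence == "linked"):
        findings.append(f"strain {p.strain}: {risk.basis} ({risk.confidence})")
    return findings


def risk_share(payments, strict: bool = False) -> dict:
    """Volume carrying sanctions risk, as a percentage and in dollars, by strain."""
    total = sum(p.usd for p in payments)
    at_risk = 0.0
    by_strain = defaultdict(float)
    for p in payments:
        if screen(p, strict):
            at_risk += p.usd
            by_strain[p.strain] += p.usd
    return {
        "total_usd": total,
        "at_risk_usd": at_risk,
        "at_risk_pct": round(100 * at_risk / total, 1) if total else 0.0,
        "by_strain": dict(by_strain),
    }


# Constructed payment records: amounts, dates and addresses are made up.
PAYMENTS = [
    Payment("SamSam", "1SDNexampleAAAAAAAAAAAAAAAAAAAAAAA", date(2018, 6, 1), 50_000.0),
    Payment("Pay2Key", "bc1qconstructedpay2key", date(2020, 11, 10), 100_000.0),
    Payment("Clop", "bc1qconstructedclop", date(2020, 12, 3), 300_000.0),
    Payment("Ryuk", "bc1qconstructedryuk", date(2020, 9, 14), 1_000_000.0),
    Payment("Maze", "bc1qconstructedmaze", date(2020, 5, 22), 500_000.0),
]

if __name__ == "__main__":
    for p in PAYMENTS:
        print(p.strain, screen(p) or "no sanctions-risk finding")
    print("all attributions:", risk_share(PAYMENTS))
    print("linked only:", risk_share(PAYMENTS, strict=True))
```

Two points the output makes visible: the SamSam payment is flagged even though it predates the constructed designation date, matching the article’s note that pre-designation payments are still counted, and dropping the speculated and disputed Evil Corp attributions cuts the at-risk share from 23.1% to 7.7% of this constructed sample, which shows how sensitive the headline percentage is to attribution confidence.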
For more details from Chainalysis on this update, check here.