Breaking Down Recent Updates In The US Treasury’s Fight Against Cybercrime
Payments to ransomware threat actors are governed in the United States by the Office of Foreign Assets Control (OFAC), a division of the Treasury Department. On October 15, 2021, OFAC released updated guidance on sanctions compliance for the cryptocurrency industry, along with a brochure titled “Sanctions Compliance Guidance for the Virtual Currency Industry.” On the same day, the Treasury Department’s Financial Crimes Enforcement Network (FinCEN) issued a report on ransomware trends in Bank Secrecy Act data. That report covers the period from January to June 2021 and provides an excellent view into the ransomware economy.
OFAC’s Updated Sanctions Compliance Guidance – What’s New?
The OFAC guidance is mostly unchanged, with the exception of two updated Frequently Asked Questions:
- Definitions of “digital currency,” “digital currency wallet,” “digital currency address,” and “virtual currency” (FAQ 559)
- How to block digital currency (FAQ 646)
Of note, the digital wallet definition describes a “wallet provider” as someone who “provides the software to create and manage wallets, which users can download.” This definition could be intended to open anyone who writes cryptocurrency wallet software to regulatory action from OFAC. More likely, it will be used to compel these providers to turn over download logs to identify potentially sanctioned users. The FAQ on blocking digital currency states that cryptocurrency identified as blocked by OFAC may be consolidated into a single wallet and need not be converted to fiat currency.
The OFAC brochure reiterates the duty to perform Know Your Customer (KYC) checks to ensure that transactions involving sanctioned entities are not processed. There are, however, two case studies linked in the sanctions compliance best practices section of the brochure that are worth a closer look.
Case Study – Risk Assessment
The first case study involves the cryptocurrency payment service provider BitPay and stresses the importance of a comprehensive risk assessment to identify potential sanctions issues. In this action, Treasury targeted BitPay because it facilitated cryptocurrency transactions for individuals located in sanctioned jurisdictions (Cuba, Iran, Syria, etc.). Treasury noted that BitPay allowed 2,102 transactions to be processed for individuals it reasonably should have known were in those jurisdictions based on IP address alone.
The case study concludes that while BitPay did have adequate sanctions compliance controls in place to screen its direct customers (the merchants), it failed to screen readily available information about the customers of those merchants. This example underscores how a comprehensive risk assessment should be used to develop compliance controls that mitigate exposure to sanctions risk. Had BitPay properly assessed its touchpoints with foreign jurisdictions, it could have identified more appropriate screening standards.
Case Study – Internal Controls
The second case study involves the digital asset trust and security company BitGo, and stresses the importance of implementing internal controls that address the potential sanctions issues identified in a risk assessment. In this case, Treasury alleged that BitGo processed 183 transactions for individuals in sanctioned jurisdictions. Again, Treasury held that IP addresses should have been sufficient to know that the users were in a sanctioned jurisdiction. In BitGo’s case, Treasury noted that IP addresses were tracked for security purposes but were ignored for compliance purposes.
The case study concludes that BitGo failed to meet its sanctions compliance obligations when it failed to prevent individuals in sanctioned jurisdictions from using its digital wallet management service. This example underscores how risk-based sanctions compliance controls should actively prevent activity that might violate sanctions. Had BitGo implemented policies and procedures to screen the IP addresses already in its possession, it could have prevented users in sanctioned jurisdictions from using its services.
IP addresses are considered sufficient for determining geolocation
Taken together, these case studies indicate that Treasury believes IP addresses alone are sufficient to determine that a counterparty is in a sanctioned jurisdiction, and therefore that a payment to it must be blocked. Forensics and incident response firms do not have the login or transaction data that BitGo and BitPay had, but they regularly do have the IP addresses used by threat actors for command and control and data exfiltration. While most forensic examiners would argue (correctly) that an IP address alone is not sufficient to attribute location, since VPNs, proxies and compromised infrastructure in third countries are routine, Treasury’s opinion seems to differ.
Don’t ignore geolocation information already in your possession
Given the content of the case studies, and the fact that they were referenced on the same day FinCEN released its ransomware report, incident responders should take note. If investigators discover communications to IP addresses that geolocate to an OFAC-sanctioned jurisdiction in any logs, this should be weighed before any payment is made. Investigators should review firewall logs, EDR telemetry, and NetFlow at a minimum. Any such IP addresses should be detailed in the required Suspicious Activity Report (SAR) filing. OFAC notes that self-reporting can be a mitigating factor, even where regulations were violated.
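The screening step described above, as an added example that is not part of the original post or any BreachQuest tooling: it pulls external IPv4 addresses out of mixed firewall, EDR and NetFlow log lines, geolocates them, and flags the ones that fall in a sanctioned jurisdiction, keeping the log lines as evidence for the SAR narrative. The log lines, the prefix-to-country table and the sanctioned-country list are all constructed for the example (the TEST-NET prefixes used here belong to no country; a real run would query a commercial geolocation database), and North Korea is included in the list as an assumption alongside the Cuba, Iran and Syria named in the post. A hit is an input to the payment decision, not proof of where the actor sits.

```python
import ipaddress
import re

# Assumption for this example: comprehensive-sanctions jurisdictions by ISO 3166-1
# alpha-2 code. Cuba, Iran and Syria are named in the post; KP is added here.
SANCTIONED_COUNTRIES = {"CU", "IR", "SY", "KP"}

# Constructed geolocation table. These are documentation (TEST-NET) prefixes and
# do NOT belong to the countries shown; substitute a real geolocation lookup.
GEO_TABLE = [
    (ipaddress.ip_network("203.0.113.0/24"), "IR"),
    (ipaddress.ip_network("198.51.100.0/25"), "SY"),
    (ipaddress.ip_network("198.51.100.128/25"), "DE"),
    (ipaddress.ip_network("192.0.2.0/24"), "US"),
]

# Addresses that can never be a threat actor's location: RFC 1918, loopback, link-local.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Constructed sample: one firewall, one EDR and one NetFlow style line per format.
SAMPLE_LOGS = """\
2021-10-15T03:12:44Z fw01 action=allow src=10.20.5.17 dst=203.0.113.45 dport=443 proto=tcp
2021-10-15T03:13:01Z fw01 action=allow src=10.20.5.17 dst=192.0.2.88 dport=443 proto=tcp
2021-10-15T03:15:09Z edr host=WS-0412 proc=svchost.exe remote=198.51.100.7:8443 bytes_out=73400320
2021-10-15T03:16:30Z netflow 10.20.5.22,198.51.100.200,22,4096
2021-10-15T03:17:02Z fw01 action=allow src=10.20.5.31 dst=127.0.0.1 dport=53 proto=udp
"""


def is_internal(ip):
    """True for addresses that cannot represent an external counterparty."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def geolocate(ip):
    """Longest-prefix style lookup against the constructed table; None if unknown."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, cc in GEO_TABLE:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, cc)
    return best[1] if best else None


def screen_logs(lines, sanctioned=SANCTIONED_COUNTRIES):
    """Return {ip: {"country": cc, "evidence": [log line, ...]}} for every external
    address in the logs whose geolocation is a sanctioned jurisdiction."""
    findings = {}
    for line in lines:
        for ip in set(IPV4_RE.findall(line)):
            if is_internal(ip):
                continue
            cc = geolocate(ip)
            if cc in sanctioned:
                entry = findings.setdefault(ip, {"country": cc, "evidence": []})
                entry["evidence"].append(line.strip())
    return findings


def sar_summary(findings):
    """One line per flagged address, suitable for the narrative section of a SAR."""
    return [
        f"{ip} geolocates to {f['country']} ({len(f['evidence'])} log line(s))"
        for ip, f in sorted(findings.items())
    ]


if __name__ == "__main__":
    hits = screen_logs(SAMPLE_LOGS.splitlines())
    for line in sar_summary(hits):
        print(line)
    for ip, f in hits.items():
        for ev in f["evidence"]:
            print(f"  {ip}: {ev}")
```

Run against real data, replace `GEO_TABLE` with a database lookup and feed the actual firewall, EDR and NetFlow exports in as `lines`; the regex-based extraction is deliberately format-agnostic so the same pass covers all three sources. The evidence lines are kept verbatim because the SAR, and any later OFAC self-report, will need them.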
OFAC Recommends IP blocking and keyword screening
OFAC recommends that organizations implement IP blocking and keyword screening to prevent interacting with restricted entities. The keyword screening recommendation may have interesting incident response implications as well; it states that organizations should “ensure that screening tools are appropriately flagging geographic keywords in connection with KYC-related screening or other transaction screening.”
Suppose a ransomware sample carried build artifacts pointing to a sanctioned jurisdiction, for example a Farsi resource language identifier in its version information. (The Rich header is sometimes cited for this, but it records only the Microsoft toolchain product and build numbers used to link the binary, not the developer’s language.) Perhaps that alone is sufficient to restrict payment on the basis that the recipient could be a sanctioned entity. Strings in malware could also be considered in scope for designating a sanctioned entity. Of course, strings are often obfuscated on disk and only unpacked dynamically into memory. The level of due diligence required of incident responders for attribution to a potentially sanctioned entity remains unclear at this time.
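To make concrete what a Rich header does and does not tell an investigator, here is an added example, not code from the original post or from BreachQuest, that builds a Rich header from constructed values and parses it back into the (product ID, build number, count) triples Microsoft’s linker records. The product IDs, build numbers and XOR key below are made up for the example and do not correspond to any real toolchain version; nothing in the decoded output is a language or locale, which is why locale hints have to come from version resources or strings instead.

```python
import struct

DANS = 0x536E6144  # b"DanS" read as a little-endian DWORD
RICH = b"Rich"


def build_rich_header(entries, key):
    """Construct Rich header bytes for the example (not a complete PE file).
    entries: iterable of (prodid, build, count); key: the 32-bit XOR key."""
    words = [DANS ^ key, key, key, key]          # marker plus three zero pads, all XORed
    for prodid, build, count in entries:
        comp_id = ((prodid & 0xFFFF) << 16) | (build & 0xFFFF)
        words += [comp_id ^ key, count ^ key]
    return b"".join(struct.pack("<I", w) for w in words) + RICH + struct.pack("<I", key)


def parse_rich_header(data):
    """Decode a Rich header. Accepts a full PE image (search is limited to the DOS
    stub before e_lfanew) or the raw header bytes. Returns (key, [entry, ...]) with
    entry = {"prodid", "build", "count"}. The key doubles as a checksum over the DOS
    header in real files; validating it is left to production tooling."""
    region = data
    if data[:2] == b"MZ" and len(data) >= 0x40:
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        region = data[:e_lfanew]
    end = region.find(RICH)
    if end < 0 or end + 8 > len(region):
        raise ValueError("no Rich signature found")
    key = struct.unpack_from("<I", region, end + 4)[0]

    # Walk backwards in DWORD steps, XORing each word, until the DanS marker appears.
    words = []
    pos = end - 4
    while pos >= 0:
        value = struct.unpack_from("<I", region, pos)[0] ^ key
        if value == DANS:
            break
        words.append(value)
        pos -= 4
    else:
        raise ValueError("DanS marker not found")
    words.reverse()
    if len(words) < 3 or any(words[:3]):
        raise ValueError("malformed padding after DanS")
    body = words[3:]
    if len(body) % 2:
        raise ValueError("odd number of DWORDs in Rich entries")
    return key, [
        {"prodid": comp >> 16, "build": comp & 0xFFFF, "count": count}
        for comp, count in zip(body[0::2], body[1::2])
    ]


if __name__ == "__main__":
    # Constructed values: arbitrary product IDs, builds and key, not real versions.
    sample = build_rich_header([(0x00DF, 0x5DA4, 3), (0x0104, 0x6B1B, 1)], 0x1A2B3C4D)
    key, entries = parse_rich_header(sample)
    print(f"key=0x{key:08X}")
    for e in entries:
        print(f"  prodid=0x{e['prodid']:04X} build={e['build']} count={e['count']}")
```

Mapping product IDs to named compiler and linker releases requires a lookup table maintained from known Visual Studio builds, which is the part of Rich header analysis that actually supports toolchain attribution; even then the answer is “which Microsoft tools,” never “which country.”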
Over here at BreachQuest, we’re still digging into the updated guidance and the FinCEN report. Keep an eye on the BreachQuest blog for more information as we finalize our analysis. There is certainly more to come on this.