The U.S. Department of the Treasury took action this week to disrupt criminal ransomware actors and virtual currency exchanges that launder the proceeds of ransomware.
“Ransomware groups and criminal organizations have targeted American businesses and public institutions of all sizes and across sectors, seeking to undermine the backbone of our economy,” Deputy Secretary of the Treasury Wally Adeyemo said. “We will continue to bring to bear all of the authorities at Treasury’s disposal to disrupt, deter, and prevent future threats to the economy of the United States. This is a top priority for the Biden Administration.”
Ransomware incidents have disrupted critical services and businesses globally, as well as schools, government offices, hospitals and emergency services, transportation, energy, and food companies. In the first half of 2021 alone, reported ransomware payments in the United States reached $590 million, compared to $416 million in all of 2020.
Virtual currency remains the primary mechanism for ransomware payments, and certain virtual currency exchanges are an important piece of the ransomware ecosystem. One of the actions taken by the Treasury Department is to designate Chatex, a virtual currency exchange, and its associated support network for facilitating financial transactions for ransomware actors. Chatex, according to Treasury officials, has facilitated transactions for multiple ransomware variants. Further, the Treasury’s Office of Foreign Assets Control (OFAC) designated IZIBITS OU, Chatextech SIA, and Hightrade Finance Ltd for providing material support and assistance to Chatex.
“Unprincipled virtual currency exchanges like Chatex are critical to the profitability of ransomware activities, especially by laundering and cashing out the proceeds for criminals. Treasury will continue to use all available authorities to disrupt malicious cyber actors, block ill-gotten criminal proceeds, and deter additional actions against the American people,” Treasury officials said.
In addition, OFAC is designating Ukrainian Yaroslav Vasinskyi (Vasinskyi) and Russian Yevgeniy Polyanin (Polyanin) for their part in perpetuating Sodinokibi/REvil ransomware incidents against the United States. Vasinskyi deployed ransomware against at least nine U.S. companies. Polyanin also deployed ransomware, targeting several U.S. government entities and private-sector companies. These two individuals have received more than $200 million in ransom payments paid in Bitcoin and Monero.
All property and interests in property of the designated targets subject to U.S. jurisdiction are blocked, and U.S. persons are generally prohibited from engaging in transactions with them.