The finance industry continues to bang the drum around the idea that it can do its part to cut off ransomware the best it can: by eliminating how its funded in the first place, through cryptocurrency.

A recent report claims the average ransomware ransom payment in Q2 2021 was $136,576. That money goes directly into the pockets of criminals and more often than not, helps perpetuate the ransomware economy.

On the heels of the U.S. Treasury Office's warning last month that companies that facilitate ransomware payments could run afoul of sanctions, the Treasury’s Office of Foreign Assets Control (OFAC) issued compliance guidance for virtual currency companies last week.

The guidance is designed to keep companies that work in cryptocurrencies in line and ensure they’re familiar with sanction-related risks in their business.

“Members of the virtual currency industry are responsible for ensuring that they do not engage, directly or indirectly, in transactions prohibited by OFAC sanctions, such as dealings with blocked persons or property, or engaging in prohibited trade- or investment-related transactions," the guide reads.

The guide covers sanction-related risks - like unknowingly funding cybercriminals - gives tips for protecting their business from malicious actors, and how understand the OFAC's enforcement processes. to It also encourages companies follow a framework when putting together their sanctions compliance program, one that covers training, testing/auditing, risk asessment, internal controls, and management commitment.

OFAC’s guidance that incorporates the September warning is on page 5 of the guide:

“As sanctioned persons and countries become more desperate for access to the U.S. financial system, it is vital that the   virtual currency industry prioritize cybersecurity and implement effective sanctions compliance controls to mitigate the risk of sanctioned persons and other actors exploiting virtual currencies to undermine U.S. foreign policy interests and national security.”

As mentioned, the guide follows an advisory issued by OFAC in September that reiterated the problems associated with paying ransomware ransoms. Those drawbacks include the concept that paying doesn't necessarily mean a company will get their data back, that paying can encourage the attackers to carry out further attacks, and that the ransom money can ultimately fund activities that run counter to U.S. interests.

As part of that warning, OFAC designated sanctions against Suex, a Russian cryptocurrency exchange, for its connection to several ransomware actors. As part of its announcement, OFAC said Suex was responsible for facilitating transactions for at least eight different ransomware variants and that more than 40% of its transactions have been with threat actors.

OFAC's advisory didn't downplay the fact that when it comes to penalties, it can impose monetary penalties, even if a company feigns ignorance and claims it didn't know whether a payment was legally prohibited by the U.S. government.

It seems more likely that OFAC will take a calmer route, through a non-public resolution like a letter, to first time offenders and companies that have taken steps to mitigate ransomware attacks.

In the September advisory, OFAC said it would consider whether an organization has a regulatory compliance program in place, whether they have followed steps in Cybersecurity and Infrastructure Security Agency’s (CISA) Ransomware Guide, and if they self-reported the ransomware attack to the appropriate regulatory agencies, before deciding whether a civil monetary penalty or sanctions are necessary.