The Biden administration took action on Tuesday to crack down on the growing problem of ransomware attacks, expanding its use of sanctions to cut off digital payment systems that have allowed such criminal activity to flourish and threaten national security.
The Treasury Department said it was imposing sanctions on a virtual currency exchange called Suex, in the administration’s most pointed response to a scourge that has disrupted U.S. fuel and meat supplies this year, when foreign hackers locked down corporate computer systems and demanded large sums of money to free them.
The illicit financial transactions underpinning ransomware attacks have been taking place with digital money known as cryptocurrencies, which the U.S. government is still determining how to regulate.
The Treasury Department said Suex had facilitated transactions involving illegal proceeds from at least eight ransomware episodes. More than 40% of the exchange’s transactions had been linked to criminal actors, the department said.
“Ransomware and cyberattacks are victimizing businesses large and small across America and are a direct threat to our economy,” Treasury Secretary Janet Yellen said in a statement.
The department offered few details about Suex, declining to say where the company was based or what kinds of transactions it dealt with, though a Russian computer executive confirmed on Tuesday that he was the founder.
Treasury officials did say that while some virtual currency exchanges are exploited by criminals, Suex was facilitating illegal activities for its own gain.
Cybersecurity experts see exchanges as a weak point for ransomware gangs that otherwise operate wholly in the ether of the internet, all but untouchable by law enforcement. But the exchanges are an interface with the real world used to cash out cryptocurrency and public-facing companies that are vulnerable to financial sanctions.
Vasily Zhabykin, a graduate of a prestigious Russian university that trains diplomats, said by telephone Tuesday that he had founded Suex to develop software for the financial industry. He denied any illegal activity and said it was possible that the Treasury Department had mistakenly targeted his company.
“I don’t understand how I got mixed up in this,” he said in a brief interview. Suex, which is registered in the Czech Republic, was mostly a failure and had conducted only a half-dozen or so transactions since 2019, Zhabykin said, adding that he had three employees.
Russia is believed to be home to the most sophisticated ransomware groups, where they seem to operate with impunity. Other countries such as Iran and North Korea host the groups, cybersecurity experts say.
Over the past decade or so, key technologies came together in a tool kit for the ransomware industry: malware to scramble victims’ computers, routers that render communication anonymous and digital currencies for payments.
A weak point, according to a study of ransomware published in 2019 in The Journal of Cybersecurity, is exchanges: the businesses that convert digital currency into cash, where criminals lurking in the digital world eventually have to make an appearance to be paid.
Many exchanges have popped up in Russia in recent years, often leasing office space in Moscow’s financial district alongside banks. Russia pivoted from trying to ban digital currencies outright to enacting regulation this year allowing ownership.
The Treasury Department’s action came three months after President Joe Biden, meeting in Geneva with President Vladimir Putin of Russia, demanded a crackdown on ransomware operators suspected of working from Russian territory. Putin made no promises. Before the meeting, one attack had taken out Colonial Pipeline, which provides much of the East Coast’s gasoline and jet fuel; another had penetrated JBS, a major U.S. meat supplier.
Attacks seemed to abate for a few months, and a major ransomware operator, DarkSide, appeared to have shut down.
But late this summer, attacks began to rise again. Paul M. Abbate, the FBI’s deputy director, who specializes in cybercrimes, said at a conference last week that “there is no indication that the Russian government has taken action to crack down on ransomware actors that are operating in the permissive environment that they’ve created there.”
He added that few actions had taken against those in Russia facing indictments in the United States.
Intelligence officials report the same, and they say they believe that some Russian military and intelligence services make use of the ransomware operators to hide actions that may be conducted on behalf of the state, or at least with its acquiescence.
An attack against another food supplier was playing out Monday, even as the Treasury Department was preparing its action. New Cooperative, a grain cooperative in Iowa, said it was part of “critical infrastructure” and noted that BlackMatter, a relatively new ransomware group, had promised not to attack such groups. But in responses that appeared in screenshots on Twitter, BlackMatter said it did not consider New Cooperative to be critical infrastructure. The two were in an open dispute over the definition of the category.
“We don’t see any critical areas of activity,” the ransomware group responded.
BlackMatter demanded just shy of $6 million to decrypt the company’s files. That figure declined drastically over time.
The Treasury Department said that in 2020, ransomware payments topped $400 million, four times as high as they were in the previous year. The economic damage, it said, was far greater.