The Biden administration took action on Tuesday to address the growing problem of ransomware attacks, extending the use of sanctions to shut down digital payment systems that have allowed such criminal activity to flourish and threaten national security.
The Treasury Department said it was imposing sanctions on a virtual currency exchange called Suex in the government’s most targeted response to a plague that has disrupted U.S. fuel and meat supplies this year, when foreign hackers shut down company computer systems and demanded large sums of money to free them.
The illicit financial transactions underlying ransomware attacks have taken place with digital money known as cryptocurrencies, which the US government is still figuring out how to regulate.
The Treasury Department said Suex had facilitated transactions involving illegal proceeds from at least eight ransomware episodes. More than 40 percent of the exchange’s transactions were associated with criminal actors, the department said.
“Ransomware and cyberattacks are targeting businesses large and small across America and pose a direct threat to our economy,” Treasury Secretary Janet L. Yellen said in a statement.
The department offered few details about Suex and declined to say where the company was located or what kind of transactions it was involved in, although a Russian computer manager confirmed on Tuesday that he was the founder.
Treasury officials did say that while some virtual currency exchanges are exploited by criminals, Suex facilitated illegal activities for its own gain.
Cybersecurity experts see exchanges as a weak point for ransomware gangs that otherwise operate entirely on the internet’s ether, virtually untouchable by law enforcement. But the exchanges are the interface to the real world, used to cash out cryptocurrency, and they are public companies that are vulnerable to financial sanctions.
Vasily Zhabykin, a graduate of a prestigious Russian university that trains diplomats, said by telephone on Tuesday that he had founded Suex to develop software for the financial sector. He denied any illegal activity and said it was possible that the Treasury Department had wrongly targeted his company.
“I don’t understand how I got into this,” he said in a short interview. Suex, which is registered in the Czech Republic, was largely a failure, having completed only half a dozen transactions since 2019, Mr Zhabykin said, adding that he had three employees.
Russia is believed to be home to the most sophisticated ransomware groups, where they seem to operate with impunity. Other countries, such as Iran and North Korea, are hosting the groups, cybersecurity experts say.
Over the past decade, key technologies have come together in a toolkit for the ransomware industry: malware to encrypt victims’ computers, routers that anonymize communications, and digital currencies for payments.
A weak point, according to a study of ransomware published in 2019 in The Journal of Cybersecurity, is exchanges: the companies that convert digital currencies into cash, where criminals lurking in the digital world eventually have to show up to get paid.
In recent years, many cryptocurrency exchanges have sprung up in Russia, often renting office space in Moscow’s financial district alongside banks. Russia this year turned from trying to outright ban digital currencies to enacting regulations that allow ownership.
The Treasury Department’s move came three months after President Biden, during a meeting in Geneva with Russia’s President Vladimir V. Putin, demanded a crackdown on ransomware operators suspected of operating from Russian territory. Mr Putin has not promised anything. Before the meeting, an attack had knocked out Colonial Pipeline, which supplies much of the East Coast’s gasoline and jet fuel; another had broken into JBS, a major US meat supplier.
Attacks seemed to subside for a few months and a major ransomware operator, DarkSide, appeared to have stopped.
But at the end of this summer, the attacks started to increase again. Paul M. Abbate, deputy director of the FBI, which specializes in cybercrime, said at a conference last week that “there is no indication that the Russian government has taken action against ransomware actors operating in the permissive environment that they have created there.”
He added that few actions have been taken against those in Russia who are being charged in the United States.
Intelligence officials are reporting the same, saying they believe some Russian military and intelligence agencies are using the ransomware operators to hide actions that could be carried out on behalf of the state, or at least with its consent.
An attack on another food supplier took place on Monday while the Treasury Department was preparing its action. New Cooperative, an Iowa-based grain cooperative, said it is part of “critical infrastructure” and noted that BlackMatter, a relatively new ransomware group, had pledged not to attack such groups. But in comments that appeared in screenshots on Twitter, BlackMatter said it did not view New Cooperative as critical infrastructure. The two were in an open dispute over the definition of the category.
“We don’t see any critical areas of activity,” the ransomware group said.
BlackMatter demanded barely $6 million to decrypt the company’s files. That figure dropped dramatically over time.
The Treasury Department said that in 2020, ransomware payments reached $400 million, four times higher than in the previous year. The economic damage was much greater.