SAN FRANCISCO -- The U.S. government is stepping up its efforts to disrupt the infrastructure hackers use to make money from breaking into and holding hostage computer networks, announcing sanctions against one virtual currency exchange and warning U.S. companies it could be legally risky for them to pay off hackers that hit their systems.
The Treasury Department's Office of Foreign Assets Control (OFAC) announced sanctions Tuesday against Suex, an exchange that lets people buy and sell virtual currencies with regular credit cards, according to its website. The government said as much as 40% of known transactions run by Suex were criminal. That's more than $370 million, according to the cryptocurrency-tracking firm Elliptic.
Other exchanges could be hit with sanctions, too.
"We are going to continue to look at the ecosystem and look for actors that are taking similar actions," Anne Neuberger, the White House's deputy national security adviser on cyber, said during a call with reporters.
Ransomware attacks, where hackers lock out a company or organization from its computer system and demand a ransom payment to restore access, more than doubled from 2019 to 2020. The government sees them as a criminal menace and a national security threat.
The threat that has surged over the past year, crippling corporations, schools, hospitals and critical infrastructure, including a major fuel pipeline. Ransomware payments reached more than $400 million in 2020, the costliest year on record.
The goal is to go after the "financial enablers" of ransomware gangs, Deputy Treasury Secretary Wally Adeyemo told reporters. "Today's action is a signal of our intention to expose and disrupt the illicit infrastructure using these attacks."
In February, a hack on the Colonial Pipeline fuel-delivery network led to fuel shortages up and down the East Coast.
President Joe Biden has told Russian President Vladimir Putin, whose country is known to host many of the ransomware gangs responsible for the surge, that he would take "any necessary action" to defend critical infrastructure against cyberattacks.
Still, the hacks keep coming. On Monday, Iowa-based New Cooperative, a major buyer and distributor of grain and feed, said it had been hit by a ransomware attack, though it was able to find a workaround to keep most of its business running.
The announcement Tuesday is part of the government's attempts to lower the frequency and profitability of ransomware attacks. It has urged companies to increase their cybersecurity practices, such as requiring all employees to use two-factor authentication. Legislators have proposed new rules requiring private companies that operate critical infrastructure to meet minimum security standards.
PAYING RANSOM A RISK
Sanctioning cryptocurrency exchanges might also make it riskier for companies to pay ransoms even if they want to. Right now, many companies hire third-party consultants to negotiate and help pay ransoms, ensuring that computer systems get back up and running quickly. But if the exchanges used to facilitate those ransom payments are sanctioned, the hacked companies and their consultants could now both be breaking the law by paying.
"Companies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but also may risk violating OFAC regulations," the Treasury Department said in its statement. "The U.S. government strongly discourages all private companies and citizens from paying ransom or extortion demands."
If companies feel they must make payments, the best course of action is to tell law enforcement ahead of time, Adeyemo said.
The White House has also been pushing cyber insurance providers to craft policies that incentivize companies to take security more seriously. Some hackers have specifically targeted companies they know have robust cyber insurance. The government wants stricter rules on who gets to access that insurance.
"In order to get home insurance, you have to have installed smoke detectors or have an alarm system," Neuberger said. "So when we look at cybersecurity, what we're grappling with is what seems to be the lack of incentives for companies to make the investment to have to modernize their defenses to meet the threat."
Through the Office of Foreign Assets Control, the Treasury Department has previously sanctioned ransomware developers and distributors -- though periodic retirements and rebrandings of ransomware strains have complicated those efforts. Officials say more such designations are possible.
Suex is among the biggest and most active of a small group of illicit services that handle most money laundering for cybercriminals including scammers and darknet market operators, crypto transaction-tracking firm Chainalysis said in a blog post. Such firms work closely with law enforcement to track criminal money laundering online.
Chainalysis said Suex claims that it can convert cryptocurrency holdings into cash and even real estate, cars and yachts.
Information for this article was contributed by Gerrit De Vynck and Aaron Schaffer of The Washington Post; and by Eric Tucker and Frank Bajak of The Associated Press.