The move is part of a broader administration strategy to deter ransomware attacks, in which cybercriminals lock up victims’ computers with data-encrypting malware and then demand exorbitant fees to unlock them. Those fees are generally paid in cryptocurrency, a digital form of money traded through a series of private wallets and public exchanges that can be difficult to track.
Ransomware is now seen by the U.S. government as both a criminal menace and national security threat. Attacks this year attributed to Russia-based groups have led to the shutdown of a major fuel pipeline and the nation’s largest meat supplier. President Biden warned President Vladimir Putin in June that he expected Moscow to crack down on activity emanating from Russia, and renewed his warning in July, saying the United States would take “any necessary action” to defend critical infrastructure against cyberattack.
Despite such warnings, attacks continue, the FBI said.
The Treasury Department and White House declined to comment Friday.
The sanctions’ aim would be to disrupt the illicit financial underpinnings of the ransomware ecosystem, which often uses digital assets to facilitate the attacks, said one U.S. official.
Ransomware attacks in the United States more than doubled from 2019 to 2020. The fees demanded to unlock systems range from several thousand to tens of millions of dollars, making the enterprise highly lucrative for criminals. Some experts conservatively estimate that hackers received $412 million in ransom payments last year.
“There is a concerted effort to identify tools that can disrupt the flow of money to ransomware operators,” said a second U.S. official. Sanctions are one such tool. “This is a continuation of our effort to go after criminal enterprises and their money.” The Treasury Department’s planned move was first reported by the Wall Street Journal.
Former Justice Department prosecutor Brandon van Grack lauded the step Friday on Twitter, calling it the administration’s “first major proactive step” to stem ransomware attacks. “The sanctions could significantly impair the ability to make payments and further complicate the decisionmaking calculus for companies,” he tweeted.
The administration already has been moving to curb the attacks: After the ransomware assault on Colonial Pipeline in May — which forced the company to shut down its pipeline, disrupting nearly half the East Coast’s fuel supply — it launched an initiative that included the creation of a global coalition to target countries that harbor ransomware criminals. As part of that, the administration is working to strip the digital ransoms paid by victims of their anonymity.
Last October, Treasury’s Office of Foreign Assets Control issued guidance that companies that facilitate ransomware payments may be violating OFAC regulations if the hacker is a member of a sanctioned group. But the guidance drew complaints from organizations and businesses that were not sure if they were covered or what they needed to do to ensure compliance.
If the new initiative clarifies this guidance, it would be a “welcome” step, said Megan Stifel, global policy officer at the Global Cyber Alliance, a nonprofit organization working to reduce cyber risk. It should, for example, make clear that it extends to exchanges, she said. “There are lots of organizations that want to do the right thing” but aren’t sure how to comply, she said.
Partner nations should follow the U.S. lead, added Stifel, who served as co-chair of the Ransomware Task Force, a group of industry, government and academic experts that produced a report for the Biden administration in April on combating ransomware. “The effort will be challenged,” she said, “if the United States is the only country pursuing this policy approach.”
Treasury has sanctioned hackers over the years, including perpetrators of ransomware attacks. In 2013, a ransomware variant known as Cryptolocker was used to infect more than 234,000 computers, about half of which were in the United States.
OFAC added Cryptolocker’s developer, Evgeniy Bogachev, to the sanctions list in 2016, and the government is offering a $3 million reward for information leading to the Russian’s arrest. In late 2019, Treasury sanctioned the Russia-based hacker group Evil Corp, which created ransomware used to target hundreds of banks in more than 40 countries and that allegedly caused more than $100 million in theft.
Tory Newmyer contributed to this report.