“Are they going to act?” President Biden asked after his meeting with President Vladimir Putin in Geneva about whether the Russian government would finally crack down on ransomware gangs. His answer to his own question: “We’ll find out.” Now we have.

A massive attack by hacking group REvil struck up to 1,500 businesses in the United States, Europe and Asia late last week — reportedly the single largest such salvo in history, and only the latest in a series of encroachments by collectives based in or otherwise linked to Russia. Thankfully, the breach of IT software firm Kaseya appears to have caused less damage and disruption to critical industry than the recent compromises this spring of food processor JBS and oil transport network Colonial Pipeline. But that the incursion occurred at all is a troubling sign that Mr. Putin has not heeded Mr. Biden’s exhortation to stop the cybercriminals who currently operate in his country from wreaking havoc worldwide.

The White House is sprinting toward a strategy on ransomware, the malicious software that takes a target’s systems and information captive until a sum has been paid — with the captors sometimes also threatening to release any sensitive data unless their demands are met. Such a strategy is surely necessary: It should include dissuading ransom payments, regulating cryptocurrency exchanges to extend know-your-customer and anti-money-laundering requirements, and mandating minimum security standards along with other best practices for beefing up defenses. But the Kaseya breach is a dispiriting reminder that companies can never perfectly protect themselves. The firm was aware of the vulnerability that hackers exploited, and was working to patch it; the problem was the hackers got there first.

Defense, in other words, isn’t enough. Offense is necessary, too. And the most effective offense could come from Mr. Putin if he had any interest in running a play. Many cybercriminals located in Russia collaborate directly with the regime and its security services. Others operate in accordance with what they believe to be official wishes, knowing that’s a near-guarantee against punishment. The Kremlin is very effective in enforcing the law, or its version of the law, when it wants to be: Just ask jailed opposition leader Alexei Navalny. Does anyone really believe this same institution is incapable of doing anything at all about even the most prolific and prominent hackers within its borders?

Mr. Biden shouldn’t believe it. Mr. Putin won’t act in the absence of credible consequences for inaction, and now it’s on the White House to make clear what those consequences could be. These should include not merely the typical menu of sanctions, asset freezes or trade restrictions, and not merely attempts to incapacitate any criminal infrastructure, including cloud-based services, outside of Russia. The consequences must also include the aggressive disruption of these gangs where they are: in Russia, on its Internet, throughout the cyberspace over which it claims sovereignty — and where Mr. Putin would likely prefer U.S. authorities not prowl. The least acceptable answer is to wait longer to “find out” what everyone already knows.
