There’s been yet another devastating ransomware attack. This one, right before the Fourth of July holiday weekend, was reportedly carried out by the hacker group REvil, believed to be operating in Russia, targeting an IT operations tool used by about 40,000 companies worldwide. Estimates suggest that the number of affected organizations is about 1,500, some of them smaller businesses that can ill afford to pay either the ransom or the significant IT costs associated with recovering their data and restoring their networks.

To keep such destructive attacks from becoming routine, President Biden was wise to deliver a forceful demand to Russian President Vladimir Putin on Friday: Putin must put an immediate stop to this activity, or Biden’s administration will take “any necessary action” to stop it.

This year has seen a string of major cyber-breaches: ransomware attacks on the Colonial gas pipeline and JBS meat processing facilities; the SolarWinds hack; and a major email server breach, reportedly by Chinese government-sponsored hackers. Unlike many previous attacks, which often affected high-profile companies, this new ransomware campaign targeted small organizations all over the world that lack a dedicated IT staff and instead hire managed service providers to run their networks. According to reports, a Swedish supermarket chain had to shut down 800 stores, and 11 New Zealand schools were hit in the attack. The culprits demanded $70 million for across-the-board data restoration.

While we won’t know the full scope of the latest attack for some time, its nature and timing make it significant for the Biden administration. Because smaller and medium-size businesses and organizations were targeted, it represents a chance for Biden to make good on his promise of “a foreign policy for the middle class” and his pledge that “economic security is national security.” It is also an important test for his evolving approach of tough engagement with Russia. In remarks immediately following his June summit with Putin, Biden said, “Responsible countries need to take action against criminals who conduct ransomware activities on their territory.” If, indeed, this latest attack was launched at least in part from Russia, then Biden’s own strategy demands forceful action consistent with his Friday warning.

In responding to these attacks, Biden is taking into account the potential connections between the Russian security services and REvil hackers. Although it’s quite plausible that top Russian officials neither directed nor even had prior knowledge of REvil’s latest attack, it’s certainly conceivable that lower- and mid-level officials are aware of the hackers and their activities. If Putin chose to take the problem seriously, Russian security officials could quickly identify and interdict the attackers and force them to unlock the data to stop the damage to businesses worldwide, including in the United States.

Moscow’s typical practice is to deny any responsibility for such attacks and to avoid taking action unless it is in its own perceived interest. In this case, Putin may see an advantage in allowing the ransomware problem to fester, since it has created potentially valuable negotiating leverage. Putin may think that the more disruption these ransomware attacks create, the more Washington will give up to secure Moscow’s cooperation against the criminals behind them. This view may underestimate American resolve to resist such pressure and to retaliate for the increasing economic pain these attacks are causing, but in the absence of credible consequences for inaction, Putin is unlikely to expend any resources to stop attacks that principally harm Western businesses and citizens.

Biden, however, can push Putin to act by sending, and reinforcing, a clear message, proffered privately and directly, as he did in the two leaders’ Friday call: Moscow must immediately identify the responsible individuals operating in its territory or subject to its control, produce the encryption keys necessary to unlock the victims’ data, and put a halt to future ransomware attacks from within its borders.

If not, Washington could hit Russia where it hurts by sanctioning its largest gas and oil companies, which are responsible for a significant portion of the Russian government’s revenue. Biden can expand sovereign debt sanctions already in place, making it harder for Russia to raise funds from international creditors. And Biden should insist that the response from Russia come within days, not weeks or months. U.S. businesses and consumers cannot afford to wait.

Even faced with such a threat, Putin may not cooperate. He may think Biden is bluffing, since some U.S. allies have become increasingly reliant on Russia-supplied energy and would be hurt by the sanctions. Putin may also hope to extract concessions from the United States in exchange for cooperation — for instance, acquiescence to Russia’s domestic Internet censorship as a cybersecurity issue, a long-standing Russian priority. Putin may not even try to avoid future sanctions, which he probably considers an inevitable and even acceptable cost of forcing Washington to deal with Moscow as a great power. Putin also faces an assortment of domestic political challenges, including a new wave of coronavirus cases, potential inflation and upcoming elections in the Duma, the lower house of Russia’s legislature, in September. He may hope to delay any serious negotiations with Washington until he is in a stronger position at home.

Putin’s possible reluctance to make concessions means that Biden will have to be prepared to follow through, including by working urgently to reassure and assist European and Asian allies whose economic interests would be affected by sanctions. Since Moscow has long anticipated new sanctions, the Russians have contingency plans in place, such as last month’s announcement by Russia’s finance minister that the country’s National Wealth Fund would “reduce investments . . . in dollar assets.” Trading partners in Europe and Asia — which import considerable amounts of Russian energy — could face a painful choice between winding down energy contracts impacted by sanctions and losing access to Russia as an export market, or losing access to U.S. markets and currency.

Some might argue that instead of or in addition to threatening sanctions, Biden should pull out of cybersecurity talks that he and Putin agreed to last month. That would be a mistake. Five American presidents have negotiated with Putin. Their experience demonstrates that success comes from adopting a focused agenda, clear conditionality and direct, private communication — not public chest-thumping.

Stopping ransomware attacks is an urgent problem with consequences for all Americans, not just big companies and tech interests. Biden was right to raise the issue with Putin in Geneva. He was right to set the tone now by delivering a clear ultimatum directly to Putin, and, if necessary, he should be prepared to follow through on it. If Biden misses this opportunity to draw a bright line, these attacks risk becoming Russia’s asymmetric weapon of choice against the United States.


An earlier version of this story gave the wrong timing for an announcement by Russia's finance minister that the country's sovereign wealth fund would reduce its investments in dollars. The move was announced last month, not last week.