The Biden administration was preparing to take action on Tuesday to crack down on the growing problem of ransomware attacks, expanding its use of sanctions to cut off the digital payment systems that have allowed such criminal activity to flourish and threaten national security.
The sanctions, which the Treasury Department said it was imposing on a virtual currency exchange called Suex in a preview of its new approach, represent the administration’s most pointed response to a scourge that has disrupted America’s fuel and meat supplies this year as foreign hackers locked down corporate computer systems and demanded large sums of money to free them.
The illicit financial transactions underpinning ransomware attacks have been taking place with digital money known as cryptocurrencies, which the U.S. government is still determining how to regulate.
The Treasury Department said Suex had facilitated transactions involving illicit proceeds from at least eight ransomware incidents. More than 40 percent of the exchange’s transactions have been linked to illicit actors, the department said.
“Ransomware and cyberattacks are victimizing businesses large and small across America and are a direct threat to our economy,” Treasury Secretary Janet L. Yellen said in a statement.
The department offered few details about Suex, declining to say where the company was based or what kinds of transactions it facilitated. It did say that while some virtual currency exchanges are exploited by criminals, Suex was facilitating illegal activities for its own gain.
The action came three months after President Biden, meeting in Geneva with President Vladimir V. Putin of Russia, demanded that he crack down on ransomware operators suspected of working from Russian territory. Mr. Putin made no promises. Before the meeting, one attack had taken out Colonial Pipeline, which provides much of the East Coast’s gasoline and jet fuel; another had penetrated a major American meat supplier.
For a few months, attacks seemed to abate, and a major ransomware operator, DarkSide, appeared to break up.
But late this summer, attacks began to rise again. Paul M. Abbate, the F.B.I.’s deputy director, who specializes in cybercrimes, said last week at a conference that “there is no indication that the Russian government has taken action to crack down on ransomware actors that are operating in the permissive environment that they’ve created there.”
He said there also had been little action taken against those in Russia facing indictments in the United States.
Intelligence officials report the same, and say they believe that some Russian military and intelligence services make use of the ransomware operators to hide actions that may be conducted on behalf of the state, or at least with its acquiescence.
An attack against another food supplier was playing out on Monday, even as the Treasury Department was preparing its action. New Cooperative, a grain cooperative in Iowa, said it was part of “critical infrastructure,” and noted that the ransomware group, a relatively new one called BlackMatter, had promised not to attack such groups. But in responses that appeared in screenshots on Twitter, BlackMatter said it did not consider the cooperative to be critical infrastructure. The ransomware group and its victim got into an open dispute over the definition of that category.
“We don’t see any critical areas of activity,” the ransomware group responded.
BlackMatter demanded just shy of $6 million to decrypt the firm’s files. That figure declined dramatically over time.
The Treasury Department said that in 2020, ransomware payments topped $400 million, which was four times as high as in the previous year. The economic damage, it said, was far greater.