SAN FRANCISCO — The US government is stepping up its efforts to disrupt the infrastructure hackers use to make money from breaking into and holding hostage computer networks, announcing sanctions against one virtual currency exchange and warning US companies it could be legally risky for them to pay off hackers that hit their systems.
The Treasury Department’s Office of Foreign Assets Control (OFAC) announced sanctions Tuesday against Suex, an exchange that lets people buy and sell virtual currencies with regular credit cards, according to its website. The government said as much as 40 percent of known transactions run by Suex were criminal. Other exchanges could be hit with sanctions, too.
“We are going to continue to look at the ecosystem and look for actors that are taking similar actions,” Anne Neuberger, the White House’s deputy national security adviser on cyber, said during a call with reporters.
Ransomware attacks, where hackers lock out a company or organization from its computer system and demand a ransom payment to restore access, more than doubled from 2019 to 2020. The government sees them as both a criminal menace and a national security threat. In February, a hack on the Colonial Pipeline fuel-delivery network led to fuel shortages up and down the East Coast. President Biden has told Russian President Vladimir Putin, whose country is known to host many of the ransomware gangs responsible for the surge, that he would take “any necessary action” to defend critical infrastructure against cyberattacks.
Still, the hacks keep coming. On Monday, Iowa-based New Cooperative, a major buyer and distributor of grain and feed, said it had been hit by a ransomware attack, though it was able to find a workaround to keep most of its business running.
The announcement Tuesday is part of the government’s attempts to lower the frequency and profitability of ransomware attacks. It has urged companies to improve their cybersecurity practices, such as requiring all employees to use two-factor authentication. Legislators have proposed new rules requiring private companies that operate critical infrastructure to meet minimum security standards.
Sanctioning crypto exchanges might also make it riskier for companies to pay ransoms even if they want to. Right now, many companies hire third-party consultants to negotiate and help pay ransoms, ensuring that computer systems get back up and running quickly. But if the exchanges used to facilitate those ransom payments are sanctioned, the hacked companies and their consultants could now both be breaking the law by paying.
“Companies that facilitate ransomware payments to cyber actors on behalf of victims, including financial institutions, cyber insurance firms, and companies involved in digital forensics and incident response, not only encourage future ransomware payment demands but also may risk violating OFAC regulations,” the Treasury Department said in its statement. “The US government strongly discourages all private companies and citizens from paying ransom or extortion demands.”
If companies feel they must make a payment, the best course of action is to tell law enforcement ahead of time, Deputy Treasury Secretary Wally Adeyemo said on the call.
“If a company determines that it’s in their interest to pay these demands, the OFAC guidance makes clear that the best way to protect that company from the risk of paying a sanctioned entity is to report the fact that they have been attacked to law enforcement,” Adeyemo said.
The White House has also been pushing cyber insurance providers to craft policies that incentivize companies to take security more seriously. Some hackers have specifically targeted companies they know have robust cyber insurance. The government wants stricter rules on who gets to access that insurance.
“In order to get home insurance, you have to have installed smoke detectors or have an alarm system,” Neuberger said. “So when we look at cybersecurity, what we’re grappling with is what seems to be the lack of incentives for companies to make the investment to have to modernize their defenses to meet the threat.”