Ransomware is hitting American organizations harder, and more often, than anywhere else in the world. The average total cost of a ransomware breach in America runs $10.22 million—roughly double the global average—according to data compiled by Searchlight Cyber

Threat-intelligence firm Cyble found the United States accounted for 57% of all global ransomware incidents in the first half of 2025 alone—1,814 attacks—even as global ransomware volume overall rose 50% year-over-year. Against that backdrop, U.S. Treasury action Monday targeting ransomware infrastructure providers making these attacks possible is welcome relief.

Ransomware doesn’t run on malware alone. It runs on infrastructure: VPNs to hide behind, “cryptors” to slip past antivirus, and a quiet marketplace of enablers who never touch a keyboard during extortion. This week, the U.S. Treasury’s Office of Foreign Assets Control (OFAC) went after this supply chain, and it’s a move worth applauding.

What Treasury Did

OFAC sanctioned First VPN Service (1VPNS), a VPN provider that spent over a decade marketing itself to cybercriminals with a simple pitch: no logs, no cooperation with law enforcement, no questions asked. Alongside 1VPNS, Treasury designated its administrator, Dmytro Rashevskyi, a Ukrainian national who reportedly used fake identities to keep buying server infrastructure even after providers noticed abuse complaints piling up against him. Treasury also sanctioned Yegeniy Vladimirovich Silayev, a Belarusian national who sells “cryptors”—tools built for disguising ransomware as harmless software so security systems wave it through.

Neither Rashevskyi nor Silayev ever had to write a line of malicious code themselves—and 1VPNS didn’t need to write the ransomware either. That’s precisely why Treasury’s action matters.

Why Targeting Enablers Is the Right Call

Ransomware gangs are notoriously difficult to arrest—many operate from jurisdictions that won’t extradite. But they still need Western-adjacent financial rails, hosting, and anonymization services to function. Sanctions freeze U.S.-linked assets and criminalize U.S. businesses—banks, hosting companies, payment processors—knowingly enabling designated parties. This targets the middlemen who make ransomware profitable.

This is a coordinated move: the UK’s Foreign, Commonwealth & Development Office issued parallel sanctions the same day. This follows a May European law enforcement takedown of 1VPNS’s own infrastructure, supported by the FBI’s Boston Field Office. This type of multinational alignment is what actually disrupts these networks, rather than just scattering them to the next bulletproof host.

The U.S. Bears an Outsized Share of the Bill

The $10.22 million average breach cost for U.S. organizations reflects bigger ransom demands, steeper recovery bills, and heavier regulatory exposure than victims face elsewhere. Treasury’s own announcement points to the kind of victims driving this number: U.S. hospitals, financial services firms, and municipal governments with 1VPNS infrastructure used against them.

Cybersecurity Ventures projects global ransomware damages at $74 billion in 2026, and the U.S. is estimated to account for somewhere between 46% and roughly half of global ransomware incidents, according to Bluefire Redteam and Bright Defense.

That puts a rough estimated U.S. aggregate cost at $34–37 billion annually. Given that U.S. breaches run nearly double the global per-incident average ($10.22 vs. global $5.08 million), America’s true share of the dollar total could plausibly run higher than its share of incident count—meaning $34–37 billion is likely a floor, not a ceiling.

The Bottom Line

Every dollar figure above traces back to real victims, including many taxpayers. Sanctions won’t end ransomware overnight, but choking off the anonymization and evasion tools enabling these gangs to operate at scale is a powerful way to raise the cost of doing business for the ransomware ecosystem. Given the trajectory of the numbers, more actions like this one—not fewer—are exactly what’s needed.