Digital Front Lines

Ransomware attacks have surged nearly five-fold in the past five years, driven by increasingly sophisticated tools, rapid digitalization, and the emergence of safe havens where threat actors operate. Extortions through ransomware — malicious software that blocks access to computer data until a ransom is paid — increased almost five times from 474 publicly reported incidents between 2015 and 2019 to 2,326 public incidents between 2020 and 2024, making it the fastest-growing form of cybercrime. Striking without warning, these attacks increasingly represent a global systemic risk with paralyzing impacts on critical infrastructure, services, and facilities across sectors, akin to natural disasters but orchestrated with malicious and, at times, politically motivated intent. 

Attacks can disrupt essential public services and political and electoral processes in ways that harm civilians, undermine trust in governments, and sow public discord. In doing so, the scale and severity of ransomware attacks pose serious risks to national security, as these attacks potentially expose sensitive data, interfere with critical infrastructure, funnel money toward malign actors, and more. Ransomware attacks also threaten lives — health care systems comprise one-fifth of attacks recorded in the last 10 years. In the U.S., small and rural hospitals are especially vulnerable to ransomware, as they often lack the resources to strengthen cybersecurity and face heightened pressure to pay ransoms because of the life-saving services they provide. In a 2024 United Nations Security Council meeting, the World Health Organization stressed that ransomware attacks pose serious risks to global public health and security, requiring “whole-of-government responsibility” and international cooperation to combat ransomware operations. 

Indeed, experts have increasingly called for adopting a disaster-risk perspective to understand the broader socioeconomic impacts of ransomware attacks. Only a multisectoral response can mitigate the worst outcomes of these digital extortions. Yet, international cooperation remains elusive, hindered by geopolitical tensions, declining trust in multilateral institutions, and the accelerating race toward AI dominance.

As part of the Digital Front Lines series, this FP Analytics issue brief explores how ransomware threats are evolving and why combatting these attacks matters globally. The analysis surveys the current policy landscape at the national and international levels and highlights actionable takeaways for stakeholders toward deterring this global systemic threat. 


The ransomware threat landscape is complex and rapidly evolving

Ransomware has evolved from isolated incidents into a systemic and complex global threat. The first known ransomware attack targeted the participants of a 1989 World Health Organization (WHO) conference on AIDS. Attackers distributed malicious floppy disks to 20,000 attendees that, once installed, encrypted filenames on victims’ computers and demanded a USD 189 ransom for each attendee. Only a handful of victims sent the money at the time. Today, billions of dollars are at stake. Direct financial losses from ransomware attacks have averaged nearly USD 1 billion annually over the past five years, which does not include the psychological and societal costs that are harder to quantify but nevertheless damaging. In 2024, the highest-ever-recorded payment to a ransomware group was USD 76 million, paid by an undisclosed publicly traded U.S. company after perpetrators seized roughly 100 terabytes of corporate data. Over time, ransomware attacks have multiplied, with an expanding attack surface that increasingly includes low- and middle-income countries. Without concerted efforts to prevent and contain ransomware threats, the trajectory of such attacks is set to worsen. In the first half of 2025, ransomware incidents grew by 49 percent year-on-year, signaling that various ransomware groups remain undeterred despite international efforts to dismantle their operations.

Broadly, these attacks can be categorized into two main types of ransomware: crypto ransomware, which encrypts files by turning them into unreadable code, and locker ransomware, which completely locks the victims out of their devices or computers. Both types of attacks result in profound impacts on people’s lives. Perpetrators may deploy either type of ransomware and often combine them with other tactics, such as double extortion, where attackers threaten to expose stolen data in addition to encrypting it, making it harder for organizations to resist paying the ransom. All forms of ransomware essentially render data or systems inaccessible until payment is made. Understanding the drivers and enabling factors behind these types of ransomware attacks provides critical context for why combatting ransomware requires more than information technology solutions alone: it demands coordinated policy, legal, and enforcement responses across sectors and borders.

One key driver of the ransomware rise is the Ransomware-as-a-Service (RaaS) marketplace, typically hosted on the dark web. The RaaS model has significantly reduced the barrier to entry for anyone wishing to conduct ransomware attacks, readily equipping them with increasingly sophisticated off-the-shelf ransomware tools and support to conduct attacks.

The RaaS model generally functions as a subscription or profit-sharing scheme wherein operators provide ransomware kits to affiliates. These affiliates can then use ready-made ransomware kits to conduct an attack, even if they do not possess advanced coding skills. Large RaaS groups operate with an institutionalized, corporate-like structure, with employees on a payroll and tech support. They can set up a victim payment portal for their affiliates and assist them in securing the ransom payments. In the case of the LockBit ransomware group, RaaS operators also recruited freelance affiliates to conduct the actual attacks via a user-friendly control panel that the operators developed. This level of assistance has facilitated and provided greater incentives for perpetrators to conduct cyberattacks even without owning the infrastructure or developing their own tools; subscribing is sufficient.

International law enforcement operations, often in collaboration with the private sector, have had successes in weakening major ransomware groups. For instance, Operation Cronos — led by the UK’s National Crime Agency and the U.S. Federal Bureau of Investigation — disrupted the operations of one of the biggest ransomware groups, LockBit. However, these gains are temporary, as ransomware groups quickly shift tactics and find ways to regroup and resume operations so long as the core members of RaaS groups remain at large.

Contributing to the resilience of ransomware operations, certain jurisdictions have emerged as de facto safe havens for ransomware actors, with data from the Cyber Events Database and CyberPeace Institute both showing that most ransomware attacks today originate from Russia, Iran, North Korea, and China. Russia is linked to about 18 to 36 percent of total ransomware attacks, and, according to the CyberPeace Institute, at least 118 out of 291 reviewed ransomware groups can be traced to Russia. The Russian government appears to allow some cybercriminals to operate freely, provided they avoid attacking domestic organizations and remain available to offer their services to the state with plausible deniability. Although analyses reveal signs of instability and precarious leadership within certain Russia-based ransomware groups, the ransomware ecosystem in the country continues to regroup and evolve more rapidly than any international efforts to dismantle it.


Ransomware Safe Havens

Traced ransomware actors by country of origin, 2020–2025.

The United States had the most ransomware attacks; at least 93 countries have had ransomware incidents between 2014 and January 2025.


Iran and North Korea, meanwhile, are reportedly receiving a percentage of ransom payments, with proceeds used to fund broader strategic operations. For instance, in 2024, the U.S. Department of Justice indicted a member of the North Korea-backed Andariel group for deploying ransomware against U.S. hospitals and health care providers and using the ransom proceeds to finance North Korea’s hacking campaigns against defense and technology targets worldwide.

Ransomware threats from actors operating out of safe havens are escalating and, in extreme cases, can bring an entire country to a standstill. In 2022, Costa Rica became the first country to declare a national emergency following coordinated attacks by Russia-based ransomware gang Conti against 27 Costa Rican government agencies. The attacks disrupted over 30,000 medical appointments, and businesses reported losses of over USD 125 million during the first two days of the attacks and additional losses of USD 30 million per day as the attacks continued. Increasingly, these ransomware groups are providing services to their host states, with one study showing a spike in attacks by Russia-based groups against democratic states in the lead-up to elections, interfering in political processes. Ransomware can serve as an instrument of statecraft, transcending criminal motives and complicating international cooperation by blurring the line between private and state-backed ransomware operations.

Beyond geographic safe havens, as countries digitize industries and public services and increasingly deploy AI, the attack surface for ransomware gangs is likely to grow, as are opportunities to profit. In the final report of the United Nations’ recent working group on Information and Communications Technologies (ICT) Security, member states raised concerns about rising ransomware attacks on critical digital infrastructure, noting that such attacks disrupt essential public services and may have implications for international peace and security. Meanwhile, threat actors have benefited from the decentralized nature of cryptocurrency transactions, which makes it difficult to trace, halt, and reverse payments. In addition, there is a risk of more advanced variants of ransomware emerging via developments in quantum computing, which means that defensive tools to combat these threats need to evolve and keep pace.


Ransomware endangers lives, disrupts critical infrastructure, and weakens institutions

Countries targeted are at risk of a range of devastating socioeconomic consequences. Beyond financial losses, ransomware attacks can cause reputational damage, psychological strain, and disruption of daily life. For example, the 2021 Colonial Pipeline attack, carried out by the Russia-based DarkSide ransomware group, halted gasoline distribution of the largest fuel pipeline in the United States and caused panic buying, fuel shortages, and price spikes. Such disruptions can severely impair the functioning of a society and fuel public distrust in institutions, with implications for national security and, broadly, international peace and security. Beyond critical infrastructure, ransomware attacks undermine global security by enabling the disruptive and destructive ambitions of hostile state and non-state actors. North Korea, for example, reportedly uses ransomware to fund its nuclear weapons program in violation of UN and U.S. sanctions.

The health care sector, in particular, has consistently seen the most ransomware attacks over the years, accounting for roughly one-fifth of recorded cases between 2014 and 2024. According to the WHO, ransomware groups operate on the logic that the more they can endanger patient safety and compromise confidential data, the higher the ransom they can demand. Hospitals, particularly those in rural areas, are easy targets due to limited financial capacity to invest in cybersecurity, leaving them unprepared for cyberattacks. There is immense pressure for hospitals to resolve issues as any downtime of essential services can cost lives. In an interview with FP Analytics and in her July 2025 U.S. Senate Testimony, Linda Stevenson, chief information officer of Fisher-Titus Medical Center in Ohio, stressed that rural and small hospitals in the United States are significantly resource constrained, spending only about 4 percent of IT resources on cybersecurity, compared to mid-to-large hospitals at 6 to 10 percent. She noted that rural hospitals struggle to attract and retain cybersecurity professionals, while the heavy regulatory burden in the U.S. health care sector further diverts resources that could otherwise be used for cyber defenses.

Ransomware attacks on the health care sector endanger human life. A study quantifying the impacts of ransomware attacks on U.S. hospitals between 2016 and 2021 found that these attacks likely contributed to between 47 and 67 deaths among Medicare patients. Ransomware groups have also targeted the health care sector in low- and middle-income countries (LMICs), which can have cascading social and economic effects. For instance, in 2021, Brazil suffered multiple ransomware attacks, including one that deleted COVID-19 vaccination data from the Ministry of Health’s database and another that disrupted the administrative network of a company that runs two nuclear power plants. As LMICs continue to digitize, they also face higher cyberattack risks, as persistent gaps in infrastructure, resources, and governance leave health care systems vulnerable.


“In 2023, Mt. Graham Regional Medical Center — a rural Critical Access Hospital — was the victim of a ransomware attack that disrupted operations for 11 days. All of our systems were encrypted, forcing staff to revert to paper processes in the middle of patient care. The attack underscored how ransomware in health care is not just a financial crime but a direct ‘threat to life.’ In a rural setting, even short interruptions can have an outsized impact on patient outcomes.”

Justin Millar, Vice President and Chief Information Officer, Mt. Graham Regional Medical Center in Arizona

Beyond the health care sector, nonprofit organizations are also frequent ransomware targets. CyberPeace Institute’s report shows that out of 2,754 publicly recorded attacks between 2020 and 2025, 281 (or 10 percent) were directed at nonprofits. Attacks on nonprofits, media, and advocacy groups weaken democratic institutions, particularly in lower-capacity states where civil society often fills critical service and accountability gaps. For instance, in 2023, German hunger relief charity Deutsche Welthungerhilfe was hit by ransomware, disrupting its food supplies across countries, including conflict zones such as Gaza, Ukraine, and Sudan. Less frequently, ransomware groups also target multilateral organizations that deliver critical services. In 2024, the United Nations Development Programme was targeted by the 8Base gang, and significant amounts of sensitive data were compromised. As these examples demonstrate, ransomware groups threaten lives and livelihoods, warranting proactive public-private coordination and inter-governmental cooperation to prevent and contain ransomware attacks.


Health Care Sector Suffers the Most Ransomware Attacks

The public and education sectors were also heavily targeted; financial losses were at least USD 4.8 billion from 2014 to January 2025.


Mitigating ransomware attacks through systemic and sustained governance

Recently, heightened geopolitical tensions amid ongoing trade and armed conflicts have complicated efforts to build international consensus and cooperate on mitigating cyber threats. Still, some promising efforts to close legislative, governance, and enforcement gaps are underway. Building on the 2001 Budapest Convention on Cybercrime — the first international treaty on cybercrime that served as a model for national laws and fostered cooperation across borders — the United Nations Member States in 2024 adopted the UN Convention against Cybercrime, a more comprehensive and broadly supported framework. The new treaty expands the scope of cooperation, adding a dedicated chapter on strengthening preventive measures, providing technical assistance, and facilitating information exchange, with emphasis on supporting developing countries and protecting critical infrastructure.

The UN Convention affirms that states are “determined to deny safe havens to those who engage in cybercrime,” agreeing on measures to share evidence and extradite perpetrators. It also covers offences relevant to ransomware, such as illegal access and data and system interference, alongside provisions for tracing and freezing illicit financial flows derived from cyberattacks. These commitments reflect and reinforce the due diligence norm on responsible state behavior in cyberspace (see Figure 3), which holds that states should not allow their territory to be used for harmful cyberactivity, including as safe havens for ransomware groups.

The UN Convention marks progress, but differences on interpretation and implementation can hamper consensus toward mitigating cybercrime, particularly ransomware. In practice, its effectiveness depends on whether states have the political will and capacity to pursue offenders within their jurisdiction. Mutual trust among states and good-faith commitment to uphold the law are necessary for enhancing international cooperation on cybercrime and prosecuting perpetrators. States with strategic incentives to host ransomware groups can find ways to undermine enforcement even if they are treaty signatories, which diminishes the effectiveness of international agreements. The emerging international frameworks on cybercrime will be ineffective unless there is a concerted effort to hold those states that violate international law accountable.

Complementing the Convention, two notable multilateral initiatives aim to strengthen international cooperation on cyber threats and encourage responsible state behavior:

  • The UN Open-ended Working Group on ICT Security (UN OEWG) concluded its final report in July 2025, reaffirming the 11 voluntary and non-binding norms of responsible state behavior in cyberspace. Among these norms are refusing to allow one’s territory to be used for malicious cyber acts, due diligence in addressing the misuse of ICT, protecting critical infrastructure, and promoting supply chain cyber integrity. States will continue discussions in a future Global Mechanism, to be operationalized in March 2026, on a range of issues including the applicability of international law to states’ use of ICT.
  • The International Counter Ransomware Initiative, established in 2021 after the U.S. Colonial Pipeline attack, is the largest international cyber partnership, comprising over 70 countries and organizations. The Initiative’s International Counter Ransomware Task Force (ICRTF), co-chaired by Australia and Lithuania, facilitates joint action against ransomware operations, enabling members to share information, strengthen cyber resilience, and develop collective best practices.

Countries are also stepping up to combat ransomware by advancing national strategies and policies. As of July 2025, the United Kingdom plans to ban ransomware payments by the public sector for attacks on critical national infrastructure, including mandatory reporting of cybercrime incidents. These bans may undercut the material incentive for ransomware attacks, but they could result in high costs to victims of ransomware, and may endanger public safety through disruption of critical services. Australia and Singapore have also implemented new measures. In May 2025, Australia began requiring certain businesses and critical infrastructure operators to report ransomware payments. In Singapore, the 2024 amendments to its Cybersecurity Act broadened the law’s scope, extending regulatory oversight to cloud-based and third-party critical information infrastructure. While many advanced economies are implementing policies to respond to ransomware and are advancing global initiatives, cybersecurity policy and response in many low- and middle-income countries (LMICs) are still nascent.

As of 2024, only 46 percent of lower-income countries had an operational computer incident response team. For many LMICs, cyber governance may be difficult to prioritize alongside a range of other social and economic issues, such as sustainable development. Yet, considering that LMICs are increasingly targeted by ransomware groups and may be particularly vulnerable given weaker institutional, technical, and enforcement capacities, it is critical that policies and public investments into improving cybersecurity and digital resilience are prioritized. These efforts are especially important to mitigate the risk of emerging economies becoming safe havens for cybercrime.

Much like the Hydra of Greek mythology, ransomware threats continue to multiply and mutate, even as law enforcement successfully cuts down individual groups. The most notorious ransomware groups, and their offshoots, are still operating at large. Disruptions are temporary, and without a systemic and sustained governance approach, new and/or reconstituted threat actors fill the void. Because these attacks transcend borders and sectors, international cooperation — through joint surveillance and evidence-gathering, joint efforts to apprehend criminals, and the establishment of common standards and frameworks — offers the strongest defense against ransomware. The UN Convention against Cybercrime, the UN OEWG, and other multilateral initiatives have laid the groundwork for international cooperation, but progress depends on reciprocity: States that are party to these laws need to be assured that participation yields tangible benefits, and non-cooperation carries substantial costs. Only then can the full cooperation of all states be possible.


The 11 Norms of Responsible State Behavior in Cyberspace

The UN OEWG reaffirmed the following norms in its final report, with talks set to continue on a voluntary actions checklist in a permanent UN mechanism.

Interstate cooperation on security

Participate, where relevant, in the work of regional and sub-regional organizations which foster cooperation between States on the use of ICTs in the context of international security

Consider all relevant information

Use multilateral, regional, bilateral and multistakeholder platforms to exchange practices and share information on national approaches to attribution, including how States can distinguish between different types of attribution, and on ICT threats and incidents.

Prevent misuse of ICTs in your territory

If an internationally wrongful act occurs within a State’s territory, the State would take reasonable steps within its capacity to end the ongoing activity in its territory through means that are proportionate, appropriate and effective, and in a manner consistent with international and domestic law.

Cooperate to stop crime & terrorism

Put in place national policies, legislation, structures and mechanisms that facilitate cooperation across borders on technical, law enforcement, legal and diplomatic matters relevant to addressing criminal and terrorist use of ICTs.

Respect human rights & privacy

Engage with stakeholders which contribute in different ways to the protection and promotion of human rights and fundamental freedoms online and offline.

Do not damage critical infrastructure

Cooperate with other States regarding the protection of critical infrastructure that provide services across several States such as the technical infrastructure essential to the general availability or integrity of the Internet.

Protect critical infrastructure

Promote partnerships among stakeholders, both public and private, to share and analyse critical infrastructure information in order to prevent, investigate and respond to damage to or attacks on such infrastructures.

Respond to requests for assistance

Engage in cooperative mechanisms that define the means and mode of ICT crisis communications and of incident management and resolution, including through establishing common and transparent processes, procedures and templates.

Ensure supply chain security

Participate in inclusive, transparent multilateral processes on cooperative measures such as exchanges of good practices on supply chain risk management; developing and implementing globally interoperable common rules and standards for supply chain security; and other approaches aimed at decreasing supply chain vulnerabilities.

Report ICT vulnerabilities

Put in place measures which facilitate international cooperation on the responsible reporting of ICT vulnerabilities including requests for assistance between countries and emergency response teams, consistent with domestic legislation.

Do no harm to emergency response teams

Facilitate cooperation and coordination among computer emergency response teams/cybersecurity incident response teams and other relevant security and technical bodies at the national, regional and international levels including through national ICT security incident management frameworks.


Looking Ahead: Ransomware can only be effectively countered through consistent national enforcement and public-private partnerships

The world has entered an era in which ever more lives and livelihoods are being held hostage in cyberspace. Governments, the private sector, civil society, and academia at all levels need to collaborate to mitigate ransomware threats. Key strategies include:

  • Framing ransomware attacks as a national security threat. By recognizing the crisis-level impacts of ransomware and declaring it as a national security threat, especially as countries increasingly depend on digital infrastructure, policymakers can mobilize their national security arsenal, direct inter-agency collaboration, and promote anticipatory responses against ransomware.
  • Strengthening international commitment to hold safe havens accountable. Credible attribution, based on standards agreed upon by states, provides the evidence needed to justify proportional collective responses against states that shelter ransomware groups. Raising consequences while showing tangible benefits for cooperation can reduce incentives to act as safe havens.
  • Building ransomware warning systems and comprehensive, cross-sectoral risk reduction strategies, with a focus on essential public services. To aid preparedness across sectors, with particular focus on health care, public-private partnerships can establish cyber warning systems similar to weather forecast systems in the face of disasters, information-sharing hubs across sectors, and cyber exercises to expose vulnerabilities and improve resilience.
  • Strengthening the cybersecurity hygiene of critical infrastructure. Cybersecurity best practices, such as enforcing multifactor authentication and regularly updating software, are not widely adopted across critical infrastructure sectors. Meeting basic cyber standards is a critical first step toward preventing ransomware attacks.
  • Stemming illicit financial flows and supporting higher resistance to ransom payments. The Financial Action Task Force (FATF) recommends expanding anti-money laundering and counterterrorist financing rules to cover cryptocurrency platforms. Equipping law enforcers with blockchain-tracking tools and improving the reporting of suspicious transactions can help trace and recover ransom payments before they disappear.
  • Increasing incentives to develop secure-by-design technology value chains. Governments, as major buyers of technologies, can encourage tech vendors to embed stronger cybersecurity features, making secure-by-design the industry norm.
  • Strengthening international cooperation in data sharing, surveillance, capacity building, and law enforcement. Global initiatives, such as the World Bank’s efforts to support low- and middle-income countries and the International Counter Ransomware Initiative, can help bridge capacity gaps and strengthen defenses collectively in the face of a transnational threat.

Weak defenses in any one sector generate vulnerabilities across the entire digital ecosystem; conversely, strong protections generate positive spillover effects across borders. Weak defenses against ransomware put lives at risk. Shared accountability, responsibility, and investments are vital to achieving collective cyber resilience, rooting out the most rapidly growing and ever-mutating cyber threat.


International Counter Ransomware Initiative. (n.d.). About us. https://counter-ransomware.org/aboutus

International Counter Ransomware Initiative. (n.d.). Press release: Global Law Enforcement Effort. https://counter-ransomware.org/briefingroom/7dd39d9a-49ae-44bb-95df-21723cdfe5c6

Jarnecki, J., & MacColl, J. (2022, August 12). Ransomware now threatens the Global South. RUSI Commentary. Royal United Services Institute. https://www.rusi.org/explore-our-research/publications/commentary/ransomware-now-threatens-global-south

Kaltsounis, A. T., Kennedy, K. M., Wall, J. T., & Johnson, J. S. (2025, June 10). Australia’s new ransomware payment reporting law takes effect, covering both critical infrastructure and other entities. Data Counsel (Baker & Hostetler LLP). https://www.bakerdatacounsel.com/blogs/australias-new-ransomware-payment-reporting-law-takes-effect-covering-both-critical-infrastructure-and-other-entities/

Kodri, S. (2025, April 14). Toward a safer digital ASEAN: Building legal and law enforcement synergy. The Cyber Express. https://thecyberexpress.com/asean-building-legal-law-enforcement-synergy/

Lewis, J. A. (2025, January 21). Next steps for the International Counter Ransomware Initiative. Center for Strategic and International Studies (CSIS). https://www.csis.org/analysis/next-steps-international-counter-ransomware-initiative

Martin, A. (2025, July 2). Ransomware gang attacks German charity that feeds starving children. The Record. https://therecord.media/welthungerhilfe-german-hunger-relief-charity-ransomware-attack

Microsoft. (n.d.). What is ransomware? Microsoft Security. https://www.microsoft.com/en-us/security/business/security-101/what-is-ransomware?

National Institute of Standards and Technology. (n.d.). What is quantum cryptography? https://www.nist.gov/cybersecurity/what-quantum-cryptography

Natalucci, F., Qureshi, M. S., & Suntheim, F. (2024, April 9). Rising cyber threats pose serious concerns for financial stability. IMF Blog. https://www.imf.org/en/Blogs/Articles/2024/04/09/rising-cyber-threats-pose-serious-concerns-for-financial-stability

Nershi, K., & Grossman, S. (2023, July 13). New paper: Assessing political motivations behind ransomware attacks. Stanford Internet Observatory, Freeman Spogli Institute for International Studies, Stanford University. https://cyber.fsi.stanford.edu/io/news/new-paper-assessing-political-motivations-behind-ransomware-attacks

Neprash, H., McGlave, C., & Nikpay, S. (2023, November 17). We tried to quantify how harmful hospital ransomware attacks are for patients. Here’s what we found. STAT News. https://www.statnews.com/2023/11/17/hospital-ransomware-attack-patient-deaths-study/

Newman, L. H. (2021, May 14). Colonial Pipeline paid a $5M ransom—and kept a vicious cycle turning. Wired. https://www.wired.com/story/colonial-pipeline-ransomware-payment/

Reuters. (2025, July 22). UK plans to ban public sector bodies from paying ransom to cyber criminals. https://www.reuters.com/world/uk/uk-plans-ban-public-sector-bodies-paying-ransom-cyber-criminals-2025-07-22/

RHISAC. (n.d.). Different types of ransomware attacks. https://rhisac.org/ransomware/different-types-ransomware-attacks/

RiskIQ. (2020, April). Ransomware in the health sector: Intelligence brief. https://www.riskiq.com/wp-content/uploads/2020/04/Ransomware-in-Health-Sector-Intelligence-Brief-RiskIQ.pdf

Royal United Services Institute. (2022, August 12). Ransomware now threatens the Global South. https://www.rusi.org/explore-our-research/publications/commentary/ransomware-now-threatens-global-south

Security Review Magazine. (n.d.). [Article]. https://securityreviewmag.com/?p=28438

Seals, T. (2021, February 5). Ransomware attacks hit major utilities. Threatpost. https://threatpost.com/ransomware-attacks-major-utilities/163687/

Stevenson, L. (2025, July 9). Written testimony of Linda Stevenson, CIO of Fisher-Titus Medical Center. Senate Committee on Health, Education, Labor, and Pensions. https://www.help.senate.gov/imo/media/doc/c1e204ff-aec3-ace3-1827-376b7bed36bb/Stevenson%20Testimony.pdf

Swiss Cyber Institute. (2025, June 5). The 10 most notorious ransomware groups in 2025. Swiss Cyber Institute Blog. https://swisscyberinstitute.com/blog/10-most-notorious-ransomware-groups-2025/

The Record. (2025, July 22). Microsoft says Warlock ransomware deployed in SharePoint attacks. https://therecord.media/microsoft-says-warlock-ransomware-deployed-in-sharepoint-attacks

U.S. Department of Justice, Office of Public Affairs. (2024, July 25). North Korean government hacker charged for involvement in ransomware attacks targeting U.S. hospitals and health care providers. https://www.justice.gov/archives/opa/pr/north-korean-government-hacker-charged-involvement-ransomware-attacks-targeting-us-hospitals

United Nations Office for Disarmament Affairs. (2024, December 24). United Nations Convention against Cybercrime adopted by the General Assembly. [Press release via UNIS]. https://unis.unvienna.org/unis/pressrels/2024/uniscp1184.html

United Nations Office for Disarmament Affairs. (2022, March). The UN norms of responsible state behaviour in cyberspace. https://documents.unoda.org/wp-content/uploads/2022/03/The-UN-norms-of-responsible-state-behaviour-in-cyberspace.pdf

United Nations Office for Disarmament Affairs. (2025, July 10). Letter from OEWG Chair. https://docs-library.unoda.org/Open-Ended_Working_Group_on_Information_and_Communication_Technologies_-_(2021)/Letter_from_OEWG_Chair_10_July_2025.pdf

United Nations Security Council. (2024, November 8). Ransomware attacks on healthcare sector “pose a direct and systemic risk to global public health and security.” UN Press. https://press.un.org/en/2024/sc15891.doc.htm

Vergara Cobos, E., & Cakir, S. (2024). A review of the economic costs of cyber incidents. World Bank. https://documents1.worldbank.org/curated/en/099092324164536687/pdf/P17876919ffee4079180e81701969ad0a18.pdf

Welthungerhilfe. (2025, August 14). Cyberattack on Welthungerhilfe. https://www.welthungerhilfe.org/news/latest-articles/cyberattack-on-welthungerhilfe

Wired. (2024). Russia-Ransomware gang connections. https://www.wired.com/story/russia-ransomware-gang-connections/

World Bank. (2025, January 29). Enhancing cyber resilience in developing countries. World Bank Results. https://www.worldbank.org/en/results/2025/01/29/-enhancing-cyber-resilience-in-developing-countries

World Economic Forum. (2024, February 21). How Operation Cronos disrupted ransomware group LockBit. WEF Stories. https://www.weforum.org/stories/2024/02/lockbit-ransomware-operation-cronos-cybercrime/

Wright, R. (2025, January 16). The mystery of the $75 M ransom payment to Dark Angels. SearchSecurity (TechTarget). https://www.techtarget.com/searchsecurity/feature/The-mystery-of-the-75M-ransom-payment-to-Dark-Angels

Zetter, K. (2016, March 30). Why hospitals are the perfect targets for ransomware. Wired. https://www.wired.com/2016/03/ransomware-why-hospitals-are-the-perfect-targets/

 


By Angeli Juani (Senior Policy and Quantitative Analyst), Jack Ronan (Policy and Research Analyst), and Dr. Mayesha Alam (Senior Vice President of Research). Art direction by Sara Stewart and illustration by Klawe Rzeczy.

This issue brief was produced by FP Analytics, the independent research division of The FP Group, with support from Microsoft. FP Analytics retained control of the research direction and findings of this issue brief. Foreign Policy’s editorial team was not involved in the creation of this content.