For more than a decade at Microsoft, Amy Hogan-Burney has seen the cybercrime landscape morph and become increasingly complex. In a conversation with FP Analytics, Hogan-Burney, Microsoft’s Corporate Vice President for Customer Security and Trust, talked about what enables ransomware attacks, how industry leaders can work with governments to dismantle cybercriminal networks, and why tools to combat cybercrime aren’t enough—what’s also needed is the political will of the international community to use them. The following transcript has been edited for length and clarity.
FP Analytics (FPA): From your vantage point, how has the ransomware threat landscape evolved in recent years, especially in this era of heightened geopolitical fragmentation and strategic competition? To what degree do increasing geopolitical tensions impact cybercrime?
Amy Hogan-Burney (AHB): The ransomware threat landscape has dramatically transformed over the past five years—expanding in scope, scale, and impact. What began as isolated, financially motivated attacks has evolved into a complex ecosystem of ransomware-as-a-service (RaaS) platforms, affiliate networks, and state-tolerated or even state-sponsored actors. The result is a global proliferation of ransomware attacks.
Ransomware groups now operate like professional enterprises, complete with customer support, negotiation teams, and marketing strategies. Their targets have shifted from individuals to critical infrastructure, health care systems, and government agencies, with attacks capable of causing paralyzing outages on par with natural disasters. The 2022 attack in Costa Rica, for example, brought the country to a standstill.
While the majority of attacks are driven by criminal groups seeking profits, geopolitical tensions increasingly blur the lines between criminal and state-sponsored operations. The 2022 attack against the Albanian government, widely attributed to Iranian government actors, exemplifies this convergence.
Today, ransomware can serve dual purposes: generating illicit revenue and advancing political agendas, as some states either directly sponsor ransomware groups or turn a blind eye to their operations, creating de facto safe havens. Early in Russia’s full-scale invasion of Ukraine, for example, a ransomware group named “Conti” pledged to target the enemies of Russia. Microsoft has even observed Russian nation state threat actors directly using ransomware against Ukrainian targets to disguise the disruptive attacks as unrelated criminal activity.
Ransomware is therefore a two-fold challenge—technical and political. Like all types of cybercrime, ransomware attacks occur across borders and require international cooperation by law enforcement agencies and the private sector to thwart bad actors and restore systems. However, such efforts are undermined when cooperation between states is at odds with geopolitical priorities.
FPA: How should countries leverage multilateral bodies to better prepare for, and respond to, cyber threats that are driven by criminal organizations with geopolitical motivations or state affiliations?
AHB: Cybercriminal actors exploit safe havens, jurisdictional gaps, and weak enforcement capacities to conduct ransomware and espionage and sabotage campaigns. To counter this, countries must leverage multilateral bodies across five key dimensions:
- Strengthen norms and accountability mechanisms for states: Countries should adopt harmonized global legal frameworks that enable prosecution and cross-border cooperation. Existing instruments, such as the United Nations’ norms of responsible state behavior in cyberspace and associated due diligence obligations, should be used to hold states accountable when they harbor or sponsor cybercriminal groups. Legal and diplomatic pressure must be applied to reinforce consequences for noncompliance.
- Operationalize multilateral law enforcement collaboration: Joint operations like Operation Serengeti 2.0, which involved 19 countries and led to more than 1,200 arrests and $97 million recovered, demonstrate the power of coordinated enforcement. Nations should expand participation in efforts such as the International Counter Ransomware Initiative and develop rapid-response protocols for dismantling ransomware infrastructure across jurisdictions.
- Build coalitions for cyber deterrence: Deterrence of malicious cyber activities must be multidimensional—combining diplomatic, economic, and technical responses. It is most effective when executed in partnership, enabling collective attribution, coordinated sanctions, and shared intelligence. Coalitions can also amplify the reputational and operational costs for state-affiliated cyber actors.
- Invest in capacity building and resilience: Multilateral bodies play a critical role in bridging capability gaps, particularly in developing countries. Initiatives such as the Global Forum on Cyber Expertise provide technical assistance, training, and policy support to enhance national cyber resilience. Investment in cyber ranges, public-private innovation hubs, and harmonized legal frameworks is essential.
- Foster inclusive multistakeholder engagement: Effective cyber response requires deep collaboration with the private sector, civil society, and academia. Partnerships for sharing threat intelligence and infrastructure disruption—such as Microsoft’s takedown of Lumma infostealer infrastructure with Europol and Japanese authorities—demonstrate the value of coordinated action. Multistakeholder engagement also strengthens norm development and trust-building across sectors.
FPA: What can and should industry do to help tackle the challenges posed by escalating cybercrime around the world, including ransomware?
AHB: Across the technology sector, industry leaders must fortify product security and forge partnerships with government agencies to dismantle cybercriminal networks and disrupt illicit operations. From 2022 to 2024, Microsoft saw a threefold drop in ransomware attacks reaching the encryption stage, thanks to advanced security measures like artificial intelligence-driven adaptive protection, phishing-resistant multifactor authentication, and token protection technologies.
Microsoft’s recent takedown of threat actor RaccoonO365, which we track as Storm-2246, is a prime example of how industry can collaborate to disrupt cybercriminal operations. In September 2025, Microsoft seized hundreds of RaccoonO365 websites—disrupting the operation’s technical infrastructure and denying criminals access to victims—and sent a criminal referral for the lead actor to international law enforcement.
This type of work helps us protect our customers and improve the safety of the global internet community so that all users—enterprises, consumers, and governments—can trust the technology and online services on which they rely for commerce and communication.
FPA: When it comes to working with partners, what are the strengths and limitations of current international initiatives to tackle ransomware? What key gaps need to be addressed, and what kinds of international collaboration are required?
AHB: Global partnerships and coordinated law enforcement action all move the needle on disrupting ransomware operations, but the persistence of de facto safe havens where cybercriminals thrive remains a barrier to lasting progress. Safe haven jurisdictions enable groups to reconstitute quickly after disruptions, maintain operational continuity, and evade prosecution. For example, following a disruption in 2022, the Russia-aligned group Conti was back online within 10 days. Between 2022 and 2025, Conti splintered and rebranded itself several times while extorting nearly $400 million in ransom payments.
The tools needed to effectively combat cybercrime exist. What does not always exist is the political will among the international community of states to use them. To effectively counter ransomware, the international community must:
- Hold states to account: Governments should recognize ransomware as a form of extortion and reinforce states’ commitment to uphold existing U.N. norms of responsible state behavior in cyberspace, including due diligence obligations.
- Increase support and diplomatic pressure: Provide greater international backing to governments working to combat cybercrime and apply diplomatic pressure on those turning a blind eye to criminal activity within their borders.
- Designate state sponsors of ransomware: As a next step, consider formal designations of “state sponsors of ransomware” to drive accountability and signal consequences for states that refuse to act.
FPA: What should be the top priorities for governments, industry, and civil society to turn the tide on ransomware in the years ahead?
AHB: We are living in the AI era. While responsible users are harnessing this transformative technology to improve people’s lives, bad actors are using it to accelerate harm—developing new methods of disruption and monetizing chaos. Earlier this year, Microsoft initiated a legal action against a criminal group abusing Azure OpenAI Service to help others generate harmful and illicit content, a small example of threats to come. But the security advantages of AI are also astounding—enabling secure code development and automated monitoring, and supporting patching and incident response. The successful diffusion of AI-first cybersecurity systems will be a game changer in thwarting cybercrime of all kinds, but it requires more inclusive growth.
To build durable and responsive solutions, we must bring more voices into the conversation. Industry is at the forefront of technological development. Civil society provides insight into the human impact of ransomware and early warning of future trends. Governments can use these perspectives to both craft appropriate legal, policy, and enforcement responses and ensure accountability for violations.
The net result of that collective work will be a safer digital world.
Amy Hogan-Burney serves as Corporate Vice President for Customer Security and Trust (CST) at Microsoft. Prior to her role leading CST, Hogan-Burney headed the Cybersecurity Policy and Protection Team and played a pivotal role during the implementation of the EU’s General Data Protection Regulation, leading the Privacy Compliance team. Her career at Microsoft began with managing the Law Enforcement and National Security team, ensuring compliance with legal obligations related to law enforcement and national security. Before transitioning to the private sector, Hogan-Burney served as an attorney at the U.S. Department of Justice, Federal Bureau of Investigation.