Digital Front Lines

Earlier this year, a ransomware crisis simulation held alongside the Munich Security Conference reinforced a conviction many of us in national security have long held: The ransomware threat has outgrown the frameworks we built to contain it. And while the threats are intensifying—aided by artificial intelligence and critical gaps in the international response—there are opportunities to fight back. The countries best positioned to lead the fight are the ones with the right combination of technical depth, multilateral credibility, and institutional will. Countries like Canada.

An Industrialized Threat

The ransomware landscape of 2026 bears little resemblance to the opportunistic attacks of a decade ago. What we face today is an industrialized ecosystem that has created a division of labor in which developers build and maintain sophisticated tool kits, affiliates execute attacks, and brokers handle access, negotiation, and money laundering. The barrier to entry has collapsed. The scale has exploded. Publicly reported ransomware incidents increased nearly five-fold between the 2015–19 and 2020–24 periods, and in the first half of 2025, incidents grew a further 49 percent year-on-year.

These are not abstract statistics. They translate into hospitals diverting ambulances, schools shutting down, energy grids faltering, and millions of citizens losing access to the services they depend on. The health care sector alone accounted for roughly one-fifth of all recorded ransomware attacks over the past decade. In Germany, a ransomware-paralyzed hospital contributed to a patient’s death. In the United Kingdom, attacks on pathology services have had similarly devastating consequences. The Ransomware Threat Outlook 2025–2027 published by Canada’s Cyber Centre confirms that the threat is intensifying: Ransomware incidents in Canada have seen a 26 percent average year-over-year increase since 2021, with critical infrastructure consistently among the most targeted sectors.

What makes the current moment especially dangerous is the speed at which attacks now unfold. The interval between initial compromise and systemic disruption is measured in hours, not days. The growing prevalence of double extortion—in which attackers both encrypt systems and threaten to leak stolen data—compounds the pressure on victims handling sensitive personal information. This tempo fundamentally challenges the assumptions underlying most international cooperation frameworks, which were designed for threats that unfold over weeks or months.

Four Persistent Gaps

International cooperation on ransomware has improved in recent years, but four structural weaknesses continue to inhibit effective collective action:

1. Jurisdictional fragmentation—Despite important legal advances, including the United Nations Convention Against Cybercrime adopted in 2024 and the Budapest Convention’s Second Additional Protocol, mutual legal assistance processes remain too slow for the operational tempo of a ransomware campaign. By the time a formal request traverses diplomatic channels, the attackers have encrypted, exfiltrated, and moved on.

2. Safe-haven jurisdictions—Ransomware groups continue to operate from states that do not cooperate with international law enforcement or that tacitly tolerate cybercriminal activity. The absence of credible consequences for state tolerance of cybercrime remains the single most corrosive weakness in the current architecture.

3. The information-sharing gap—Multilateral platforms such as the Counter Ransomware Initiative and NATO’s Integrated Cyber Defence Centre represent genuine advances. But threat intelligence sharing between governments and the private sector remains uneven, impeded by classification barriers, liability concerns, and the absence of standardized protocols. Technology companies hold vast quantities of threat data; governments hold contextual intelligence and enforcement powers. Neither can succeed alone, and the interface between them is still underdeveloped.

4. The ransom payment dilemma—One question that policymakers across allied nations continue to grapple with is whether ransom payments should be prohibited. A payment ban is only credible if governments simultaneously invest in the resilience that makes payment unnecessary: robust backup systems, rapid incident response, and financial safety nets for organizations that suffer disruption. Without that investment, a ban simply transfers the cost of state failure onto the victims of cybercrime. The policy must be sequenced correctly, and the supporting infrastructure must come first.

Artificial Intelligence: The Great Accelerant

AI may represent the most consequential variable in the ransomware equation, and it is reshaping both sides of the cyber conflict simultaneously.

Threat actors are using AI to generate convincing deepfakes for social engineering, automate vulnerability discovery at machine speed, create synthetic identities, and scale phishing campaigns beyond anything previously possible.

What makes this moment particularly dangerous is the democratization of offensive capability. The ransomware-as-a-service (RaaS) model already lowered the barrier to entry for cybercriminals; AI is lowering it further still. Tasks that once required years of specialized expertise—such as scanning codebases for exploitable vulnerabilities, crafting phishing lures tailored to individual targets, or chaining multiple exploits into a working attack—can now be partially or fully automated. The pool of capable threat actors is expanding rapidly.

The recent arrival of Anthropic’s Claude Mythos Preview has brought this reality into sharp focus. Released in early April, Mythos demonstrated a striking ability to discover and exploit zero-day vulnerabilities in major operating systems and web browsers, including flaws that had survived decades of human review and millions of automated security tests. The model found a 27-year-old vulnerability in OpenBSD (traditionally one of the most secure and robust operating systems) and autonomously chained together several Linux kernel vulnerabilities to achieve full system compromise. The U.S. Treasury secretary and Federal Reserve chair convened an emergency meeting with major bank CEOs to discuss the implications. Anthropic has restricted Mythos to a limited group of defensive partners, a responsible decision, but one that underscores how rapidly AI is reshaping the threat landscape. When the next generation of models arrives, and it will, the window for defenders to prepare will be shorter still.

The Global Commission on Responsible Artificial Intelligence in the Military Domain (GC REAIM) is addressing this concern. Although the commission’s mandate focuses on military applications of AI, it gives equal importance to the cybersecurity domain, and it believes responsibility must be designed into AI systems from the earliest stage of development and through the entire life cycle. In work published and presented to the U.N. Security Council in 2025, the GC REAIM emphasized that norms and principles are insufficient on their own; they must be translated into actionable guidelines, technical standards, and institutional governance. The same is true for AI-enabled cyber defense. Without deliberate investment in governance frameworks, workforce capacity, and cross-sector coordination, the most powerful defensive tools will remain unevenly deployed and inadequately governed.

AI is the most promising defensive capability we have. AI-driven threat detection, behavioral analytics, and automated incident response can identify and contain attacks far faster than human analysts working alone. But we cannot deploy these defenses without people to build, operate, and oversee them. The 2025 ISC2 Cybersecurity Workforce Study found that economic uncertainty and budget limitations are straining the global talent pipeline at precisely the moment demand is surging. For all countries, a fully staffed national cyber workforce strategy is not a luxury—it is a strategic imperative.

And there’s even more on the horizon that will require the brightest minds on defense: Woven into the AI risk is the advance of quantum computing, which introduces a threat that compounds the ransomware crisis in ways that are already being exploited. Nation-state adversaries and sophisticated criminal enterprises are harvesting exfiltrated data today, including the vast quantities stolen in ransomware operations, with the expectation of decrypting it once quantum computers render current cryptographic protections obsolete. Intelligence assessments suggest that capability may arrive as early as 2028. For sectors targeted most heavily by ransomware, this means that data stolen in today’s attacks carries a second, deferred cost: future exposure of information that victims assumed was protected by encryption. The double-extortion model, already devastating, gains a quantum dimension. Preparing for this requires cryptographic agility—the capacity to transition rapidly to post-quantum algorithms—and it demands action now, before the vulnerability window opens.

Canada’s Efforts Can Be a Model for Others

Much of the international cybersecurity discourse is framed around great-power competition. But the countries that have done the most to build effective counter-ransomware cooperation are often middle powers—states with the technical depth to contribute meaningfully, the multilateral credibility to convene diverse partners, and the institutional discipline to sustain long-term commitments. Canada sits squarely in this category and can offer a playbook for other countries.

It’s important to start with the operational foundation. The Canadian Centre for Cyber Security is one of the most capable national cyber authorities among allied nations. Its threat outlook report provides a rigorous, forward-looking assessment of the ransomware threat landscape. Its pre-ransomware notification program—which issued 336 early warnings to more than 300 Canadian organizations in the past fiscal year alone—saved several million dollars in potential damages. And its ransomware playbook and tool kit on cyber security readiness goals have given Canadian organizations—including small and medium enterprises that lack dedicated security teams—practical tools to strengthen their defenses. These are not aspirational documents; they are operational instruments that reduce real risk.

Canada has also been strategic with its investments, which are substantial. Its 2024 budget committed CAD 917.4 million over five years to enhance intelligence and cyber operations programs. The country established the Canadian Armed Forces Cyber Command to strengthen both defensive and offensive cyber posture. It is a founding member of the Counter Ransomware Initiative, a Five Eyes partner, and an active contributor to NATO’s cyber defense architecture. And its National Security Centre of Excellence complements these institutional efforts by connecting government with private-sector and academic expertise through research, strategic advisory, and international engagement.

The country also made history in 2025 by appointing its first minister of artificial intelligence and digital innovation—a signal from the federal government that it recognizes AI as a crosscutting strategic priority rather than a narrowly technical one. In his first year in the role, Evan Solomon—whose portfolio encompasses quantum computing—has emphasized scaling Canadian AI companies, promoting responsible adoption of AI, and advancing digital sovereignty. He has provided a policy framework that, if adequately resourced, could position Canada to take the lead on the defensive AI capabilities the ransomware threat demands.

Looking Ahead

The ransomware threat is not going away. The RaaS model is too profitable, the attack surface is too vast, and the geopolitical dynamics that sustain safe havens are too entrenched for any single intervention to be decisive. But there are reasons for cautious optimism. The quality of allied cooperation is improving. National institutions like the Canadian Centre for Cyber Security are producing actionable intelligence at scale. And governments are making the institutional and budgetary commitments that sustained counter-ransomware efforts require.

What we need now is to translate those commitments into sustained operational impact. That means closing the gap between the speed of the threat and the speed of international legal cooperation. It means building public-private intelligence-sharing frameworks that are fit for purpose. It means investing in AI-enabled defense and the human capital to operate it. And it means holding states accountable when they harbor the criminal enterprises that target allied hospitals, schools, and democratic institutions.

Canada has the tools and expertise to lead, not merely participate, in the next phase of the counter-ransomware effort. The threat is not waiting. And neither should we.


Bruce Watson is a Research Professor at the University of Waterloo, Chief Advisor of Technology at Canada’s National Security Centre of Excellence, President of Qorsa Labs, and Co-Director of AI Research at the African Cybersecurity Centre of Excellence. He also served as a global commissioner with the Global Commission on Responsible Artificial Intelligence in the Military Domain. The views expressed in this essay are the author’s own and do not represent the official position of any institution or government.