Digital Front Lines

In October 2020, U.S. authorities and private-sector partners launched a high-profile operation to disrupt the TrickBot botnet, a key enabler of major ransomware attacks. The action disrupted the malware’s ability to communicate with infected machines and slowed criminal activity. Yet, the success was short-lived. Within weeks, operators rebuilt their infrastructure and resumed supporting campaigns by such ransomware groups as Ryuk and Conti. The episode illustrates the limits of many counter-ransomware interventions: They may disrupt infrastructure or operations but only long enough for the underlying ecosystem to adapt.

Over the past two decades, ransomware has evolved from a niche cybercrime into a more organized extortion model. Until 2020, government action against ransomware was limited and sporadic, usually centered on arrests or disruptions linked to specific operators or campaigns. As attacks grew in scale, responses became more frequent and varied—from infrastructure seizures and financial disruptions to sanctions and coordinated multistate operations.

The shift is evident in a new dataset built by Virtual Routes. The Ransomware Countermeasures Tracker is the first systematic effort to map official efforts, identifying more than 200 government interventions, about 85 percent of which have occurred since 2021. While the tracker shows that traditional responses, such as arrests and government advisories, became more frequent over time, it also shows a shift toward greater international coordination, with roughly half of all countermeasures involving cooperation across borders.

But a surge in activity does not necessarily mean success. The central challenge now is to judge whether specific interventions can produce lasting effects and not just short-term disruptions that end when groups resurface under new names.

The next phase of counter-ransomware policy will require a clearer strategic focus, sustained campaigns across agencies, and a more systematic approach to evaluating outcomes: whether interventions temporarily disrupt playbooks, impose operational friction, force groups to reorganize, or lead to more durable shifts in how ransomware operations are conducted.

How Counter-Ransomware Policy Developed

Government responses to ransomware did not emerge all at once. They evolved alongside the ransomware ecosystem itself.

In the early 2000s, ransomware was largely treated as a form of cyber-enabled fraud. Variants such as Archiveus or Gpcode targeted individual users, often locking computers and demanding relatively small payments. Government responses were limited. A handful of arrests and criminal investigations appear in the Countermeasures Tracker before the early 2010s, reflecting both the relatively small scale of ransomware activity and the absence of sustained government campaigns against these groups.

Ransomware was transformed into a scalable business model in the 2010s as cryptocurrency made it easier to collect payments anonymously and campaigns such as CryptoLocker demonstrated that attackers could infect thousands of victims globally. And while governments began responding more vigorously and in concert with other countries—in some cases by targeting the technical infrastructure of botnets and malware distribution networks—it was too late. Ransomware had begun to demonstrate its potential as an increasingly reliable revenue stream for criminals.

One turning point came in 2017, when the global outbreaks of WannaCry and NotPetya revealed the potential scale of disruption that ransomware—or malware disguised as ransomware—could cause. Hospitals in the United Kingdom were forced to cancel medical procedures during WannaCry, while NotPetya caused billions of dollars in economic damage worldwide. Governments began to frame ransomware as a national security issue, calling out and imposing sanctions on cyber actors, including measures targeting North Korean groups linked to WannaCry. But despite the growing political attention, concrete interventions were relatively limited. Across Virtual Routes’ dataset, fewer than 40 countermeasures occurred before 2021.

The early 2020s marked a clear escalation and started to bring a firmer response. Major incidents—including the Colonial Pipeline ransomware attack in 2021—added further political pressure, and authorities began deploying a wider range of tools, disrupting cryptocurrency payment channels, sanctioning cybercriminals, and coordinating multinational investigations. Efforts such as the International Counter Ransomware Initiative expanded international cooperation against ransomware networks.

More recently, some interventions have begun to focus on a less tangible—but promisingly effective—target: the reputations of ransomware groups. Operation Cronos against LockBit, for example, went beyond the seizure of infrastructure and Bitcoin wallets. Authorities took control of the group’s leak site, exposed internal communications, and publicly challenged the group’s credibility. The aim was not only to disrupt ongoing operations but also to weaken the brand on which future attacks depend.

These efforts exploit a central contradiction at the heart of the ransomware model: Ransomware operators rely on deception, yet the success of their business depends on convincing victims that in return for their payment, they will receive a working decryption key and the promise that the stolen data won’t be published. By attacking the reputations of ransomware groups, governments are attempting to erode the trust that makes digital extortion viable in the first place.

Measuring Impact, Confronting Lingering Questions

Even though we have seen a growing number of counteroperations, there is still no widely accepted framework for assessing the impact these efforts are having. One challenge is that governments still don’t have a firm grasp on how their interventions are shaping the broader environment in which ransomware groups operate. These analytical gaps matter because ransomware interventions rarely operate in isolation. Without a structured way to assess impact, it is difficult to judge whether such changes in the ransomware landscape represent progress, displacement, or unintended consequences.

A recent Pharos Series report addresses this problem by proposing a framework for assessing the impact of ransomware interventions. The framework does not attempt to provide precise measurement—something that is rarely possible in opaque criminal ecosystems—but instead offers a structured way to evaluate interventions across a small set of dimensions: severity (of the disruption on the threat actors and their criminal activities), scope (of the intervention’s effects on both the attacker and the ecosystem), longevity and reversibility (the duration of the impact and how easily the group recovers), and signaling value (the influence the intervention had on other actors).

This kind of critical impact assessment could help governments and other entities determine which interventions are most effective, but the next phase of counter-ransomware policy will require governments to confront other hard questions: What kind of ransomware ecosystem are we aiming for? And how can counter-ransomware campaigns be sustained over time across multiple governments and agencies?

Completely eliminating ransomware may be unrealistic. But governments can still influence how the ecosystem functions: They can intervene in ways that raise the cost of committing such an attack, increase uncertainty for criminals, weaken the credibility of ransomware brands, or disrupt the services that enable scaled cybercrime operations.

At the same time, these efforts may also have negative repercussions. Disrupting a dominant ransomware platform may fragment the market, leading to a proliferation of smaller groups and brands. In the short term, such fragmentation may weaken coordination and trust among criminal actors. Over longer periods, however, it may produce a more decentralized and adaptive ecosystem that is harder for governments to track and disrupt.

The fight against ransomware is entering a new phase. Governments are taking more action than ever, and maintaining momentum will require continued coordination among law enforcement agencies, intelligence services, regulators, and private-sector partners across jurisdictions. The challenge now is to ensure those actions are guided not only by operational opportunity but also by a clearer understanding of their impact.


Max Smeets is the Co-Director of Virtual Routes—which researches the impact of digital and emerging technologies on global affairs—and serves as Managing Editor of its publication, Binding Hook. He also holds research positions at ETH Zurich, the Royal United Services Institute, and Stanford University’s Center for International Security and Cooperation. Smeets is the author of Ransom War: How Cyber Crime Became a Threat to National Security and No Shortcuts: Why States Struggle to Develop a Military Cyber-Force.