Ransomware Attacks Aren’t Just Technical—They Are Profoundly Human
FRANCESCA BOSCO is the Chief Strategy Officer, CyberPeace Institute
Ransomware is an exponentially growing threat affecting a faceless and far-off country. Today, it systematically targets hospitals, schools, municipalities, and businesses worldwide. While headlines tend to focus on multimillion-dollar ransoms, the real story is about the people: the ambulances diverted, the patients denied care, the children locked out of classrooms, and the communities deprived of essential services.
The CyberPeace Institute centers its work on this human impact. Through direct support to targeted organizations and research, we see that ransomware is not merely an economic crime—it is a security crisis affecting real people that erodes trust, weakens resilience, and exacerbates inequality.
A Global and Growing Threat
The Institute’s new report, Ransomware: Follow the Threat Actor, analyzed information on over 250 ransomware threat actors. It found that an overwhelming number of threat actors can be connected to three countries: the Russian Federation, Iran, and China. In addition, the Institute has documented over 2,500 ransomware incidents (2020–2025) against entities in more than 20 sectors across over 100 countries.
The scale of these operations is staggering. Microsoft observed a 275 percent increase in ransomware operations over the past year. Another open-source tracker counted 3,546 publicly disclosed victims and 264 distinct gangs between January 1 and June 1, 2025—already more than any complete year. Operations like the late-2024 takedowns of ALPHV/BlackCat and LockBit disrupted certain threat actors, but law enforcement countermeasures had a limited overall impact, failing to stop or slow global ransomware operations. The United States remains the primary target, but the United Kingdom, Australia, France, and other nations have faced repeated campaigns. Health care, information technology, and professional services are among the most frequently targeted sectors, and communities are struggling to manage cascading disruptions to these essential services.
The Institute’s understanding of ransomware draws on three “tracers”—public online platforms designed with data compiled by in-house analysts—that monitor the various types of cyberattacks on health care, civil society, humanitarian organizations, and populations affected by conflict. Across all tracers, ransomware consistently emerges as one of the most harmful and disruptive threats, systematically undermining the institutions that communities depend on.
The Institute’s Cyber Incident Tracer #Health documented hundreds of ransomware operations against hospitals worldwide and the life-and-death consequences these fragile health systems repeatedly bear. Cyber Attacks in Times of Conflict tracked ransomware’s spillover into conflict zones, highlighting its impact on civilian infrastructure. CyberPeace Tracer monitors attacks on civil society, from humanitarian to human rights defenders. Collectively, these tracers provide an evidence base for understanding the human cost of ransomware.
The Human Toll
Numbers alone cannot convey the damage. The threat has also been linked to the loss of life. In Germany in 2020, a ransomware-paralyzed hospital had to divert an ambulance, resulting in a patient’s death. In the United Kingdom, a 2024 attack on a pathology provider contributed to a patient’s death, making it the country’s first confirmed ransomware-related fatality. Countries, especially those with low and middle incomes, are particularly vulnerable to the destructive force of ransomware. One prime example is the Conti and Hive ransomware operations, which crippled Costa Rica’s public administration and led to the declaration of a state of emergency.
Every incident represents a breakdown of trust—between patients and doctors, residents and governments, and consumers and businesses. When opportunistic threat actors successfully deploy ransomware against under-resourced hospitals, schools, and NGOs, the costs fall most heavily on those who are least able to absorb them, compounding pre-existing inequalities. In the United States, health care organizations reported a 256 percent increase in major breaches over the past five years, with ransomware as a leading driver. This trend aligns with the findings of the CyberPeace Institute, which show health care, education, and nonprofit among the sectors most frequently targeted by ransomware.
International Obligations, Missed Opportunities
Ransomware exposes gaps in international law and state responsibility. Over the past decade, the United Nations created a framework of responsible state behavior in cyberspace that includes 11 “norms,” or voluntary rules, including that states must not allow their territory to be used for internationally wrongful cyber acts and that they should coordinate and share information as well as respond quickly when their neighbors are under attack. Similarly, the U.N. Cybercrime Convention obliges governments to investigate, prosecute, and cooperate against cybercrime.
Meeting these obligations is not just about compliance—it is about protecting lives.
Greater diplomatic engagement, intelligence sharing, operational cooperation, and cyber capacity building could have an outsized impact by providing early-warning analysis, victim support, and advocacy.
There are also ways states can work to stymie the actual attacks. Ransomware groups often rely on overlapping infrastructure, reusing the same hosting providers across multiple operations. Along with researching the country connections of ransomware threat actors, the CyberPeace Institute also analyzed technical infrastructure from 17 different sources, which was allegedly used by 24 of these actors. The findings indicate that certain providers are highly likely favored by ransomware threat actors. Reuse of hosting providers or IP addresses creates chokepoints that law enforcement can exploit—if states act swiftly and in coordination.
Hosting providers, financial intermediaries, and service resellers all play a role, whether through negligence or complicity. Stronger due diligence, faster abuse takedowns, and greater transparency could reduce the safe havens that ransomware groups exploit.
A Collective Response: From Data to Action
No state, company, or organization can tackle ransomware attacks alone. That is why the CyberPeace Institute works with governments, researchers, industry, and civil society to enrich data, illuminate evolving threats, and support actionable solutions. Our research highlights four priorities:
Center victims in the response. Legal, technical, and psychological support must be accessible. Safe mechanisms for reporting and information-sharing are essential. Civil society is critical in reaching victims quickly, particularly in under-resourced regions.
Close infrastructure loopholes. Shared hosting infrastructure and cross-border networks should be opportunities for disruption. Coordinated action by law enforcement, regulators, and international partners can impose consistent standards and sanctions.
Invest in resilience and cyber capacity building. Schools, hospitals, and civil society should not be “soft targets” for threat actors. States should prioritize funds to improve capacity building and overall cyber resilience.
Foster international cooperation. Ransomware transcends borders. Partnerships among states, private-sector actors, and civil society are crucial for detection, joint response, and coordinated accountability. Initiatives that combine threat intelligence, operational guidance, and cross-border collaboration can significantly reduce the impact of attacks.
Ransomware reminds us that cyberthreats are never merely “technical.” They are social, political, and profoundly human. Ransomware thrives in the shadows of jurisdictional gaps and weak accountability. By closing these gaps, holding perpetrators and enablers to account, investing in cyber capacity, and prioritizing the protection of people and essential services, we can shift from crisis management to building a durable culture of cyber peace.
Francesca Bosco is Chief Strategy Officer at the CyberPeace Institute, an international nonprofit working to reduce the harms from cyberattacks on vulnerable communities and under-resourced organizations and ensure human rights are respected in cyberspace. With an international law and human rights background, Francesca has held senior roles at the United Nations and the World Economic Forum. Her work focuses on the Institute’s strategic development, including anticipating systemic risks and opportunities from emerging technologies such as artificial intelligence and quantum computing, and she has led programs addressing cybercrime, critical infrastructure protection, disinformation, and the misuse of technology.
Anne Marie Engtoft Meldgaard
Disrupting Ransomware Through Tech Diplomacy
Countries need to be nimbler to combat increasing and evolving cybercrime threats.
Amy Hogan-Burney
Ransomware Attacks Are No Longer Just About Profit. They’re Also About Politics.
Multistakeholder collaboration is crucial to stemming this evolving threat.