MAY 2026
An FP Simulation in partnership with Microsoft
Ransomware attacks represent the fastest-growing form of cybercrime, targeting individuals, governments, and critical infrastructure such as health and energy facilities. Beyond financial losses, ransomware attacks disrupt public and other essential services and can leave victims with lasting psychological, physical, and reputational harms. AI, cryptocurrency, and the growth of Ransomware-as-a-Service (RaaS) marketplaces have further empowered ransomware in recent years. Transnational law enforcement operations against ransomware have emerged but remain disjointed and unable to address safe havens for ransomware groups that continue to flourish.
At the Munich Security Conference earlier this year, Foreign Policy and Microsoft partnered to host a crisis simulation, convening global leaders from across the public and private sectors and civil society and putting them all front and center as a devastating ransomware attack unfolded. During the simulation, participants responded to ransomware targeting electricity grids across Europe and water systems in the U.S. The attackers exploited weak cyber defenses and relied upon safe haven jurisdictions to avoid capture and reprisal. What emerged from the discussions was the clear need to build international frameworks to mitigate ransomware threats, strengthen cross-sectoral cooperation, and bolster cyber resilience at scale. This synthesis report distills key takeaways from the simulation and, together with expert contributions from Lisa Monaco, Claudia Plattner, Darrin E. Jones, Max Smeets, and Dr. Bruce Watson, forms the seventh installment of Digital Front Lines, highlighting opportunities for collaboration in the global fight against ransomware.
Key Takeaways

Resource constraints of critical infrastructure and law enforcement hinder effective and efficient response to ransomware.
Simulation recap: As ransomware attacks crippled critical infrastructure, participants grappled with financial, operational, and institutional hurdles that thwarted effective mitigation and shielded perpetrators from prosecution. Part of the challenge stemmed from outdated systems and software that make organizations more vulnerable to attacks—an acute issue in resource-constrained but critical sectors like healthcare and utilities. In addition, limited resources led law enforcement into a situation in which authorities targeted the largest ransomware groups only to see them reconstitute into smaller units and continue their operations.
As one simulation participant observed, “Law enforcement has limited resources and rightly goes after the biggest groups. But that leads to a ‘Whac-A-Mole’ strategy where going after the biggest group inevitably creates smaller ones. You see this with the implosion of Conti [ransomware group], which led to six or seven other groups.”
Analysis of implications: Without further investments in resilience, critical infrastructure will remain vulnerable to ransomware attacks, a challenge compounded by AI-enabled tools that increase the speed and scale of cyberattacks. A review of legacy IT systems used by the U.S. federal government found that, of the 11 systems most in need of modernization, seven had known cybersecurity vulnerabilities. Although the federal government spends USD 100 billion on IT each year, 80 percent of that is dedicated to maintaining legacy systems rather than modernizing them. Even in countries with strict cybersecurity requirements, like Germany, where the 2025 NIS-2 Implementation and Cybersecurity Strengthening Act greatly expanded the number of organizations required to adopt enhanced cybersecurity policies, compliance is difficult due to the time and costs associated with migrating from legacy systems to more secure ones.
The public and private sectors need to pool resources to strengthen cybersecurity, recognizing that underinvestment could carry debilitating costs in the long term. One way to do so is to grow and sustain funding for existing cybersecurity teams across the public and private sectors, many of which have suffered from budget cuts and downsizing. Additionally, organizations can leverage existing tools to strengthen cybersecurity, including implementing and improving cybersecurity incident response plans and leveraging emerging technologies to increase efficiency and efficacy. While AI can act as a catalyst for cyberattacks, it also has a crucial role in strengthening cyber defenses. For instance, AI can help accelerate threat detection by analyzing vast quantities of data for anomalies and support rapid response by informing decision makers, making it a vital tool in defending against ransomware. Closing resource gaps calls for cross-sectoral cooperation that leverages low-hanging opportunities, including AI, to strengthen cyber defense.
Simulation recap: When ransomware hit critical infrastructure, participants faced the urgent challenges of protecting victims, containing the attack, and keeping essential services running, all while managing reputational risk and complying with reporting expectations. Initially left to manage the crisis on their own, participants representing victim groups scrambled for guidance from authorities and received contradictory advice on whether to preserve evidence or restore systems immediately, exposing the lack of established rapid response mechanisms for cyber incidents globally. The simulation also raised questions about who should take the lead in containing a cyberattack, especially if the target is critical infrastructure affecting multiple sectors. Without clarity on roles, stakeholders could resort to duplicative and inefficient responses rather than combining and scaling attribution and mitigation efforts. Throughout the simulation, participant discussions gravitated toward the difficulties of cross-border coordination, at the expense of centering victim safety and continuity of care, mirroring a broader pattern in real-world ransomware response.
During the simulation, a participant recalled, “It’s been pure chaos, because we received paradoxical injunctions. Some offices are asking victims, mostly in healthcare and transport, to save data for investigation, while other offices are trying to put the computers back online, and we don’t know what to do.”
Analysis of implications: Recognizing the lack of a victim-centered approach, a recent report highlighted the need for a harms-based analysis of ransomware attacks. It classified impacts on victims into three harms (direct, indirect, and societal) to create a common framework for assessing victim harms. Gathering data on victims and cyber preparedness clarifies the scope of the ransomware problem and enables the deployment of a clear response plan. This investment can help authorities identify cyber gaps, prioritize which victims need immediate assistance, and inform rapid response strategies to maintain essential critical services such as medical care and transit safety.
Top Sectors Targeted by Ransomware, January 2025–March 2026
Critical infrastructure accounted for 55% of attacks.
Data Source: EuRepoC, 2026
Moving forward, stakeholders across the public, private, non-governmental, and multilateral sectors need to work together toward a victim-centered approach to ransomware response, including by building clear communications channels so affected communities receive constant guidance after a critical infrastructure attack. Governments, in cooperation with private operators and vendors, also need to plan for alternative ways to sustain infrastructure services, such as securing backup power sources. For example, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has convened a cross-sectoral working group on power to identify best practices for ensuring continuity of operations, including comprehensive, risk-informed business continuity plans in line with the Federal Emergency Management Agency’s guidance. As the number of attacks on critical infrastructure, including health care, continues to climb, building resilience against cyberattacks through centering the victims’ experience must be a priority.
Simulation recap: As attacks unfolded, participants struggled to decide whether to pay ransom, hindered by unclear or conflicting policy guidance. Participants acting as governments and law enforcement agencies opposed paying the ransom, warning that it incentivizes ransomware actors and does not guarantee the restoration of data or systems. For victims, however, paying ransom can appear to be the only path to avoid paying the staggering costs associated with manual recovery, and to shift action away from containment and into recovery. Additionally, negotiating with ransomware attackers buys precious time, carving out a critical window for victims to weigh options and mount a more effective response. Participants also discussed how engaging attackers can support enforcement efforts by allowing stakeholders to collect more information about the perpetrators.
One simulation participant explained, “Negotiation doesn’t necessarily lead to payment, and there are other reasons to negotiate as well: buying time, better understanding what data was taken or not, what the payments are, etc.”
Analysis of implications: A ransomware attack on the City of Baltimore in 2019 highlighted how the financial impact of cyber extortion can far exceed the initial demand. The attack paralyzed the city’s online infrastructure, forcing the city to revert to manual processes for many of its operations. Although the city followed law enforcement guidance and refused to pay the USD 100,000 ransom—focusing instead on forensic analysis and replacing systems—it was widely criticized as those efforts cost USD 18.2 million. The case reveals how, for victims with limited financial means or who handle sensitive data, the decision to negotiate with attackers or pay ransom is based on a risk calculus, one that considers the ransom amount, the credibility of ransomware groups, and the cost associated with restoring systems from scratch. In this context, one-size-fits-all solutions—like bans on ransom payments, as the U.K. is planning to enforce—could impose excessive costs on victims and could penalize victims for making the most prudent decision in difficult circumstances.
The absence of clear frameworks for ransomware response is costly. To mitigate it, stakeholders across all sectors need to develop policy guidelines that balance competing interests with historical lessons, while remaining flexible enough to account for the unique context of specific attacks. Despite the recurring nature of these threats—often perpetrated by the same actors using similar tactics—attacks are still frequently treated as isolated incidents. As one participant noted, this tendency to “forget the lessons learned” results in “a waste of brains, resources, and a waste of the already established mechanisms of cooperation.”
Simulation recap: The stakes became higher when, after containing the first attack, the same ransomware group immediately reconstituted and launched another major critical infrastructure attack in the United States. Participants learned that the group was operating in Russia, which acts as a safe haven for many cybercriminals, permitting them to operate from within its territory. While relationships built after the first attack made subsequent cooperation easier, Interpol was unable to pursue the group, and more enduring solutions were needed. With limited legal options, the targeted states weighed invoking NATO’s Article IV or V to respond—a reflection of how cybercrime is increasingly recognized as a national security threat. Ultimately, the exercise demonstrated that domestic legislation is unfit for purpose, as it incorrectly assumes that cybercrime is confined by national borders when it is often transnational, capable of targeting multiple countries at once, and able to shift across different jurisdictions.
According to one simulation participant, “We cannot do anything in law enforcement, especially when these safe haven countries are not cooperating. That’s why we need to rethink our procedures and criminal justice: How do we organize it in the cyber world?”
Analysis of implications: Multilateral efforts to address cybercrime are undermined by safe haven countries, like Russia, North Korea, China, and Iran, which provide environments where cybercriminals operate with impunity, provided their targets remain abroad. This pattern creates a major obstacle as these states often refuse to cooperate with international bodies like Interpol, which can only operate in collaboration with local law enforcement. Furthermore, a coherent, multilateral response to ransomware is impaired by lack of alignment even among like-minded countries. EU legislation encourages member states to undertake regular critical infrastructure threat assessments and create recovery plans in case of attack, but not all countries have done so. Mismatched legislation and approaches to ransomware preparation and response enable cross-border attackers, including RaaS groups, to evade capture due to a lack of shared international norms or policies.
These challenges all underscore the importance of international consensus on responses to ransomware and cyber warfare, which includes accountability for states ignoring cybercriminals operating within their borders in violation of their due diligence responsibilities under international norms. Best practices on threat assessment, impact analysis, and response policies should also be shared among cyber threat intelligence experts and the various government agencies responsible for preparing for and responding to attacks, as a first step toward negotiating an international ransomware framework. The private sector will also be a key actor to include in these knowledge-sharing exercises and discussions, given the amount of critical infrastructure it provides and the significant role it plays in attributions of cyberattacks.
Simulation recap: A lack of trust across sectors and among allied countries undermined a unified response to the series of ransomware attacks. When under pressure, participants representing countries and the private sector often reflexively prioritized shielding themselves from liability rather than fully collaborating and jointly developing solutions. Geopolitical friction further complicated the picture, as fractured alliances weakened cyber cooperation and slowed critical data-sharing and decision-making during a series of transnational ransomware attacks. Participants observed that rifts in transatlantic cybersecurity efforts allowed ransomware actors and the states that enable them to flourish. As one participant noted, “A lack of trust is going to slow down decision-making. It’s going to impede data sharing. It’s going to give a tangible advantage to our adversaries.” Another participant observed, “We all tend to forget the lessons learned. We tend to reinvent the wheel, starting all over again from scratch on every single subject. We forget that an attack in [one] sector can also happen in a completely different geography or sector.” Several participants emphasized the need to leverage established mechanisms of cooperation.
Analysis of implications: Building trust between the public and private sectors begins with recognizing that, despite different priorities in pursuing cybersecurity, both share an interest in a secure and stable digital economy. Private-sector support as part of Ukraine’s wartime cyber defense has shown the value of trusted information-sharing and rapid coordination among governments and technology companies. Drawing on wartime lessons, the public and private sectors need to strengthen information-sharing protocols and plans for joint action before an attack occurs, ensuring that when one does arise, the machinery of collaboration is already in motion. CISA’s biennial Cyber Storm exercises are one example of an initiative to align cyber defense capabilities across sectors, as is the Trump administration’s March 2026 executive order on Combatting Cybercrime, Fraud, and Predatory Schemes Against American Citizens. The executive order directs multiple government agencies to review existing frameworks and develop an action plan on transnational cybercrime, and it establishes an operational cell within the National Coordination Center (NCC) responsible for coordinating federal efforts, including with the private sector. Other states need to follow this example and develop a multifaceted toolkit involving diplomatic pressure, legal innovation, and shared technological investment—a toolkit that is impossible without the involvement of all relevant public- and private-sector stakeholders.
At the international level, rebuilding trust among states involves strengthening intelligence-sharing mechanisms, reinforcing cooperation among national law enforcement agencies and computer emergency response teams (CERTs), and treating cybersecurity as a collective defense obligation, including under the auspices of NATO. The International Counter Ransomware Initiative is an example of an existing framework, but it requires stronger engagement and investment. Overcoming trust deficits will be central to effective cross-border cooperation against ransomware, and other stakeholders, particularly the private sector and civil society, could help bridge these divides among states and demonstrate the mutual benefits of collective action against cyber threats.
Beyond the Simulation
In response to increases in ransomware attacks with cross-border impacts, transnational law enforcement actions have surged to 69 countermeasures in 2025, up from just five in 2019, signaling that states are reaching a more coordinated approach. However, states continue to be largely reliant on the leadership of the United States in dismantling ransomware infrastructure, instead of distributing and sharing responsibility among affected states. This approach may be unsustainable in the medium-term as the country continues to be embroiled in various geopolitical conflicts, potentially diverting resources away from ransomware countermeasures. Beyond state responsibility, it will be vital to collaborate with the private sector, particularly given the extent to which critical infrastructure and government technology systems are operated by, or rely on, the private sector. Looking ahead, in addition to the simulation’s key takeaways, this section maps the roles of a broader set of stakeholders to strengthen shared ransomware response globally and diffuse preparedness and resilience across the whole of society.
One priority is strengthening the role of local governments, particularly in cities, in cyber response, similarly to preparation for, and response to, natural disasters and other emergencies. As the first point of contact for residents and local businesses when services are disrupted, local governments are often where victims turn first for guidance and support, and are themselves an increasingly common target for ransomware. Clear rapid response systems and risk-reduction strategies can help in reducing victim harms and maintaining continuity of local public services in the early phase of an attack. In this way, national governments, working with their international partners, can focus greater resources on disrupting and apprehending ransomware groups. For their part, civil society groups can support local governments in building capacity and in raising public awareness and volunteerism through initiatives such as CyberPeace Institute’s CyberPeace Builders.
To further scale cyber defense efforts, the private sector can expand operational coordination within industry, including by establishing mechanisms for coordinated takedowns of hacker groups and threat intelligence and cyber incident data-sharing. As attackers increasingly adopt AI, there is scope for various technology companies to align on guardrails and joint disruption mechanisms to reduce the frequency of AI-enabled cyberattacks. At the 2026 Munich Security Conference, companies launched the Trusted Tech Alliance, a coalition that commits to responsible and transparent corporate governance practices, which is a step in the right direction for greater collaboration within the industry.
Low- and middle-income countries (LMICs) are also sounding the alarm on increasing cyber risk, as their societies and systems become increasingly digitized. For instance, amid increases in AI-enabled cyberattacks, Nigeria plans to bolster its cyber defenses after recording financial losses due to cyberattacks amounting to NGN 1.1 trillion between 2017 and 2023. Stronger participation by LMICs in transnational operations and norm-setting against ransomware groups could enable these countries to gain more experience in handling cyberattacks, particularly in their regions. Given that many LMICs are also targets of cyberattacks, they could cooperate with the most targeted states, such as the United States and Canada, through multilateral forums, to raise the costs for jurisdictions that provide safe haven to ransomware groups. The International Telecommunication Union (ITU) and development banks can continue to strengthen LMICs’ capacity to respond to cyberattacks and overall digital resilience. Bringing more LMICs in as operational partners could increase pressure on safe havens and make global cyber defense more durable as more countries are able to participate in the dismantling of ransomware networks.
Share of Countries With National Computer Incident Response Teams
In 2024, only 46 percent of lower-income countries had an operational computer incident response team, making them vulnerable to ransomware and other forms of cybercrime.
Data Source: ITU, 2024
At the multilateral level, the United Nations has become a forum for establishing international norms related to cyberspace. In the near-term, however, the UNODC can facilitate cross-border cyber operations against ransomware groups to reduce the tendency for countermeasures to depend on a country’s leadership and instead enable actions through a multilateral institution. The UN can also help standardize evaluation assessments of ransomware interventions to help identify gaps and strengthen counter-ransomware strategy. Ransomware threats and other cross-border cyber risks are a collective action problem that requires an intergovernmental body such as the UN to coordinate and enforce shared solutions and frameworks, but that body must reimagine its current ways of working to overcome the internal bottlenecks that impede transnational cooperation. To address gaps in current approaches, global cooperation needs to be broad-based, spanning national and local levels and involving different sectors, with clearly defined roles and organized in ways that scale the defense while reducing fragmented and duplicative efforts.
Looking Ahead
The results of the FP-Microsoft simulation on the sidelines of the 2026 Munich Security Conference, together with existing research and coverage of the ransomware threat, exposed the gaps in policy and approaches to ransomware attacks, including a lack of cross-sectoral coordination, variation and mismatches in national and international legislation, and a lack of policy consensus or international framework. As cyberattacks rise in frequency and complexity, and given the development and application of emerging technologies that will likely assist cyber criminals, even as they offer cyber defense capabilities, the time to act collectively and build stronger defenses against cyber threats is now.
Moreover, rising substate and interstate conflicts heighten the need for anticipatory strategies that account for the possible use of ransomware to conduct state-sponsored operations and escalate into broader national security risks. For instance, recent warnings that the Iranian Revolutionary Guard Corps (IRGC) could launch ransomware and other cyberattacks as part of a hybrid response to U.S. and Israeli strikes on Iran echo how geopolitical conflicts intensify and complicate the cyber threat environment. Upcoming convenings, such as the NATO summit and the UN global mechanism on cybersecurity, provide timely opportunities to foster durable, broad-based cooperation among stakeholders globally and to strengthen multilateral and multisectoral efforts on ransomware response and resilience.
By Angeli Juani (Senior Policy Analyst and Quantitative Research Manager), Jack Ronan (Policy and Research Analyst), Isabel Schmidt (Associate Director of Research), and Dr. Mayesha Alam (Senior Vice President of Research). Art direction by Sara Stewart and illustrations by Klawe Rzeczy.
This synthesis report was produced by FP Analytics, the independent research division of The FP Group, with support from Microsoft. FP Analytics retained control of the research direction and findings of this issue brief. Foreign Policy’s editorial team was not involved in the creation of this content.





