LISA MONACO is the President of Global Affairs, Microsoft
Lisa Monaco (LM): Hello, I am Lisa Monaco, Microsoft’s President of Global Affairs. At Microsoft, we are working every day to help protect customers, governments, and communities from cyberthreat—like ransomware. From our own data and from engagements with government partners around the world, we know what a pressing concern ransomware has become. That’s why we have partnered with Foreign Policy Analytics to bring attention to this issue as both a cybersecurity and national security priority—and that’s the focus in this edition of the Digital Front Lines report.
During this year’s Munich Security Conference, we brought key government officials and others together to conduct a ransomware crisis simulation. The findings from that simulation inform this report. We brought together leaders from across sectors and geographies to explore what happens in a ransomware attack and what are the challenges to an effective response. We explored the kind of cooperation that’s necessary to keep people safe—especially when time is of the essence.
Reflecting on the simulation, and our experiences as a company, I wanted to share a few thoughts on how Microsoft sees the ransomware landscape and how we can work together to reduce harms to victims around the world.
FP Analytics (FPA): How has the ransomware threat landscape evolved in recent years, and how are geopolitical tensions shaping threats?
LM: As with the rest of the cybercrime ecosystem, ransomware has become commoditized in recent years. Threat actors no longer need to be sophisticated cybercriminals. The barriers to entry have been lowered—bad actors can now purchase ready-made tools for conducting ransomware attacks. “Ransomware-as-a-service” is the order of the day. Products for sale include everything needed to conduct a ransomware attack, including the tools that enable illicit access to the actual code. And as with everything else these days—AI is allowing cybercriminals to better target victims and disguise their attacks at scale.
The other thing we are seeing is that cybercriminals are increasingly operating from de facto safe havens—they conduct their attacks with impunity—with no worry that they will be held accountable, because the country they are operating from won’t prosecute them—either because they can’t or more likely because they won’t.
In fact, the majority of ransomware groups Microsoft currently tracks operate from within just a small handful of countries—most notably Russia—while targeting victims abroad and from across geopolitical divides.
FPA: To that end, how do you think stakeholders can address this emerging threat landscape?
LM: International cooperation with law enforcement is essential to stopping ransomware attacks. While we can often identify cybercriminals, mitigate their attacks, and even disrupt their infrastructure, we still need law enforcement to hold them accountable. Otherwise, cybercriminals simply reconstitute and perpetuate their activity.
The safe haven challenge came up in the simulation. After working to stop a cascading ransomware attack in Europe, participants had to contend with a new attack just a few months later conducted by the same group.
This type of “Whac-A-Mole” can make combatting ransomware feel futile. The takeaway: Ransomware is not just a technological challenge; it’s a geopolitical and policy challenge—so we need diplomatic engagement as part of any enduring solution.
FPA: How can public and private stakeholders better support ransomware victims in the aftermath of attacks?
LM: In any crisis—organization and speed are everything. Preparation ahead of time is key. The key players, from the public and private sector, should already know and trust each other before a crisis happens. That’s the only way to have immediate and close coordination so everyone is focused 100 percent on the response and supporting victims.
Without that trust and familiarity, there can be an initial tendency to be skeptical or to work in isolation. That’s what we saw in the simulation, and barriers only came down once relationships had been established and shared priorities became clear.
The priority should be rapid response and victim support. Critical infrastructure sectors especially should know what to expect in terms of support and protocols for responding to ransomware attacks.
FPA: How do you think victims should engage with criminal groups regarding ransom payments?
LM: Microsoft strongly discourages victims from paying ransoms. It does not guarantee systems will be restored and may just incentivize more ransomware attacks. But, that said, we don’t support bans on ransom payments.
We understand that sometimes payment can appear to be the only option when critical services have been interrupted and lives may be on the line. Banning ransom payments also risks further punishing victims and may even discourage them from reporting a ransomware attack and cooperating fully with authorities.
FPA: As ransomware attacks rise globally, organizations face resource and technological constraints. How can the public and private sectors work together to strengthen global cyber resilience?
LM: One of the principal lessons from the simulation was the importance of planning ahead. When you are in the middle of a crisis, that’s not the time to identify critical points of contact, what issues to triage and who’s responsible for what. When the crisis hits, the focus needs to be on executing your plan.
So, it all starts with having a cyber incident response plan and exercising it before an incident occurs. The plan should lay out who is in charge, how decisions are made, and how the organization responds when something goes wrong. No plan is ever perfect, but when an incident happens, leaders don’t have time to improvise. Having a plan limits damage, confusion, and operational disruption. And ransomware is not something organizations should plan to navigate alone. It is essential to establish points of contact and trusted relationships in advance with appropriate government agencies and with your most critical IT vendors.
For example, if your organization is in the U.S., you should already know which FBI field office you will reach out to in the event of a ransomware attack or similar incident. Law enforcement can help mitigate challenges, navigate decision making, and support any necessary exchanges with attackers. And organizations should ensure they know their key vendors, and the individuals within them that will be responsible for providing support in a crisis.
FPA: How can national and international law enforcement more effectively counter ransomware groups?
LM: Ransomware is a global problem, and it demands a genuinely global response. Most countries already have laws on the books that criminalize cybercrime, but laws alone aren’t enough. What really matters is building operational capacity, and trusted relationships between counterparts, to act quickly across jurisdictions. This means national and international law enforcement need to deepen cooperation across borders and work much more closely with the private sector.
Industry also has a critical role to play. At Microsoft, our Digital Crimes Unit brings together legal, technical, and threat intelligence experts who work every day to disrupt cybercrime networks—through court actions, domain seizures, and partnerships with law enforcement.
FPA: How is Microsoft supporting international law enforcement to counter ransomware groups?
LM: In recent months, our collaborations with Europol and national authorities have helped dismantle multiple initial access broker networks, and we’ve supported successful investigations and prosecutions of cybercriminals.
But the scale of the ransomware threat means we need more sustained and more dynamic partnership. Innovative efforts like the International Counter Ransomware Initiative, which brings together more than 70 countries, show what is possible when governments, law enforcement, and industry align around a shared objective. That kind of collective effort—across borders, sectors, and institutions—is ultimately what it will take to turn the tide against ransomware.
FPA: To what extent are international frameworks and laws fit for purpose when it comes to addressing ransomware?
LM: For the most part, the necessary frameworks are already in place to combat ransomware, but that is not enough. We still need the capacity, as well as the political will, to leverage them.
Nearly all countries have laws that make ransomware illegal, and international treaties like the Budapest Convention and UN Convention on Cybercrime expressly support cooperation against ransomware gangs across borders. But attacks continue to grow in the absence of more robust cooperation to implement these frameworks.
Perhaps the single greatest factor enabling ransomware attacks today is the persistence of safe haven states, where ransomware gangs can operate with impunity. By providing safe havens, these states are also violating their express commitments under the UN framework for responsible state behavior online. These norms, agreed to by the entire UN General Assembly, call on all states to exercise due diligence to ensure that illicit cyber activity is not persisting from within their borders. More must be done to ensure that these states are called out and ultimately held accountable for enabling ransomware attacks that disproportionately impact vulnerable organizations and critical infrastructure.
Microsoft will continue its work across the tech sector and across borders to strengthen cybersecurity. We will continue to urge global cooperation for this global challenge. We’re all in this together.
Lisa Monaco is the President of Microsoft Global Affairs, where she leads the company’s global policy work and engagement with governments and international organizations around the world. Lisa joined Microsoft in 2025 after serving as the 39th Deputy Attorney General of the United States (2021–2025), the Department of Justice’s second-ranking official and Chief Operating Officer. In her more than 25-year career in government, Lisa has held several senior national security positions, including White House Homeland Security and Counterterrorism Advisor (2013–2017), where she advised the President and coordinated the U.S. government’s response to a wide range of security threats—including terrorist attacks, cyber incidents, and pandemics.
Max Smeets
The Uncomfortable Truth About the Fight Against Ransomware
Many countermeasures used by governments to tackle cybercrime turn out to be only temporarily effective. Instead, defenders must find a way to disrupt how the ransomware ecosystem functions.
Claudia Plattner
‘If You Hit One of Us, You Hit All of Us’
Sharing information when ransomware attacks hit is critical to protecting future victims
Darrin Eugene Jones
Responding to the Ransomware Threat Requires a Coordinated Global Response
That's where INTERPOL comes in, bridging fragmented legal frameworks and partnering internationally
Dr. Bruce Watson
Ransomware Is a Strategic Threat. We Need to Treat It Like One.
The industrialization of cybercrime demands a response that matches its scale—one that bridges the divides among governments, the private sector, and the technical community. Canada offers a playbook to lead that response.
Anne Marie Engtoft Meldgaard
Disrupting Ransomware Through Tech Diplomacy
Countries need to be nimbler to combat increasing and evolving cybercrime threats.
Amy Hogan-Burney
Ransomware Attacks Are No Longer Just About Profit. They’re Also About Politics.
Multistakeholder collaboration is crucial to stemming this evolving threat.
Francesca Bosco
Ransomware Attacks Aren’t Just Technical—They Are Profoundly Human
As countries around the world face these growing threats, it’s vital to prioritize the protection of people and essential services.