The Republic of Agora

The Forgotten War


Ransomware and Cyber Conflict Studies

Sara Seppanen and Jamie MacColl | 2025.01.22

Scholars of cyber conflict have largely ignored the rise of ransomware as a national security threat. Counter-ransomware strategies would benefit from further interrogation from this community.

Hostile cyberattacks on hospitals, energy infrastructure, and strategic ports. Retaliatory offensive cyber operations carried out by Five Eyes members. Ransomware bears many of the hallmarks of the kind of cyber conflict long imagined by academics, military planners, and policymakers, albeit one waged primarily by law enforcement agencies and financially motivated criminals rather than cyber commands. Indeed, the FBI recently announced that its agents have conducted over 30 disruption operations against ransomware criminals in 2024 alone, emphasising the importance of ransomware as a strategic challenge.

Despite this, scholars of cyber conflict largely overlook ransomware. This leaves policy debates about ransomware poorer. Given the increasing use of offensive cyber operations and other tools of statecraft in counter-ransomware strategies, more scholars should seek to interrogate the assumptions and concepts that underpin their implementation.

Ransomware in cyber conflict studies

Historically, strategic studies has focused on cyber competition and conflict in interstate relations. Academics are split between framing cyber operations as an intelligence contest or using the US-driven lens of persistent engagement. This literature has successfully tempered inflated expectations about one-off, strategically decisive cyberattacks, and helped re-orient policymaking and the study of cyber conflict towards an approach focusing on the cumulative effects of campaigns. However, these debates remain narrowly tailored to state-centred dynamics.

To date, theorists on offensive cyber operations have not convincingly demonstrated how these frames – drawn upon to assess interstate cyber behaviour – can be applied to countering ransomware.

This disconnect is perhaps best illustrated in the widely influential cyber persistence theory, which maintains that the structural condition of interconnectedness, as well as continuous network exploitation below armed conflict, tacitly fosters an “agreed competition” between state adversaries. While proponents argue that “the strategic principle of initiative persistence remains valid against non-State actors”, there has been little sustained exploration of what value persistence can actually bring to countering ransomware actors.

This is despite repeated evidence that ransomware operators’ prioritisation of financial gain defies structured competition, not least in their frequent disregard of the risk calculations that otherwise shape geopolitically motivated state behaviour in cyberspace. Ransomware operators have brazenly disrupted US critical infrastructure – including hospitals, oil pipelines, and food production – at a tempo and scale that no state adversary has come close to.

Barring Max Smeets’ upcoming Ransom War book and a conference paper by legal researchers on the impact of Western cyber operations on the ransomware ecosystem, cybercrime and ransomware have been relegated to the periphery of strategic discussions on offensive cyber operations. Not a single prominent strategic studies or international relations journal has published an article focused on ransomware. Even when issues of cyber deterrence and non-state actors are raised, the focus of countermeasures has remained on traditional law enforcement levers like indictments and prosecutions.

In circles where states’ offensive cyber operations against ransomware actors have taken centre stage, US researchers have framed the discussion primarily around the question of authority. The debate has focused on whether such operations should fall within the purview of law enforcement or military action – of course with important implications for legal oversight and global cyber norms – rather than critically examining the strategic assumptions and efficacy of counter-ransomware cyber operations.

Is ransomware boring?

This lack of critical interrogation is symptomatic of a deeper issue: a cultural and strategic bias that downplays ransomware as less significant than state-sponsored cyber threats.

For many, ransomware lacks the geopolitical gravity and technical tradecraft typically associated with state-sponsored operations. As Ciaran Martin, former CEO of the UK National Cyber Security Centre, quipped earlier this year, ransomware may simply be “politically boring” in comparison to other cyber threats.

In a world preoccupied with great power rivalries, particularly US-China competition, researchers and policymakers have instead – to borrow the words of former US Cybersecurity and Infrastructure Security Agency director Chris Krebs – “fetishised” advanced persistent threats (APTs), state actors that conduct sustained campaigns.

This phenomenon goes beyond the study of cyber conflict. The cyber threat intelligence industry, with the exception of a few firms focused on cybercrime, has long prioritised reporting on advanced and persistent state actors. Although there are commercial incentives for this – as has been emphasised elsewhere – it also reflects the lived experiences and mindset of the ex-government and military intelligence professionals that dominate the industry. Given that theory-building in cyber conflict studies often relies on data-rich reports crafted by these vendors, the cyber threat intelligence industry’s preferences reinforce the academic emphasis on state activity.

Interrogating counter-ransomware strategies

Why does the lack of strategic studies focus on ransomware matter? In the simplest terms, because ransomware policy would benefit from the same type of theory-building and debate that has informed the development of strategic and operational concepts for state activity in cyberspace. Strategies to counter ransomware go beyond a mere collection of rules and decisions; they are rooted in a broader set of beliefs and assumptions that shape how policymakers define problems, interpret information, and choose solutions.

Consider the US counter-ransomware strategy, which increasingly emphasises law enforcement-led disruption operations through offensive cyber and other means. This is despite lingering questions about the theory of change for this approach and its underlying assumptions. Is it simply a version of persistent engagement, which the 2023 US National Cybersecurity Strategy nods to in asserting that “disruption campaigns must become so sustained and targeted that criminal activity is rendered unprofitable”? If so, does this mean that theories advanced for interstate competition and deterrence have simply been shifted onto ransomware? If that is the case, more discussion is required to understand how the goals, strategies, and risk calculus of criminals, particularly those harboured or tacitly endorsed by hostile states, differ from those of governments and intelligence agencies.

There are also unanswered questions about the unintended consequences of the current approach by the US, UK, and others.

On efforts to go after major ransomware-as-a-service (RaaS) providers – criminal groups that develop and rent out ransomware tools to affiliates – James Babbage, former commander of the UK National Cyber Force and current director general for threats at the National Crime Agency, has observed that the “criminal industry is effective at amending its activities and business models dynamically”.

This has recently been highlighted by Europol, which noted that the damaging of RaaS reputations by law enforcement prompted high-level affiliates to “lessen their dependence on ransomware service providers’ infrastructure”, instead relying on increasingly decentralised and more elusive forms of partnerships.

These are just some of the questions and challenges that would benefit from more interrogation and debate by scholars and researchers.

The need for (academic) conflict on ransomware

As researchers at a national-security-focused think tank, we are ourselves part of the echo chamber that has largely treated cybercrime as an afterthought or distraction from cyber competition and conflict between states.

Yet this neglect comes with risks. First, without interrogation and challenge from those outside government, counter-ransomware strategies risk being built on shaky conceptual foundations. Second, strategic studies scholars could sideline themselves from policy debates about a cyber threat that arguably has a far greater impact on society and the economy than most state-backed cyber operations.

With a new US administration likely to put renewed emphasis on using offensive cyber operations to achieve its goals, now is a better time than ever for scholars to shine a light on the theories and assumptions of counter-ransomware strategies.

In doing so, scholars may reinvigorate increasingly tired debates about cyber deterrence and the utility of offensive cyber operations. They may also come to discover what we have: ransomware is one of the most compelling cyber strategy dilemmas of our time.


Sara Seppanen is a research analyst at the Royal United Services Institute (RUSI). Her work focuses on advancing the understanding of responsible cyber behaviour and examining the role of private actors in international cyber governance. She is particularly focused on how private companies influence the development of cyber statecraft and cloud policy.

Jamie MacColl is a Senior Research Associate at Virtual Routes. He is also a Research Fellow in cyber security at RUSI. His current research interests include ransomware, the UK’s approach to offensive cyber operations, and the role of private companies in global cyber governance. He has led a range of public and private projects for RUSI, with a particular focus on UK cyber policy.
