
UK’s Ransomware Sanctions


UK Sanctions Implementation and Strategy Taskforce: Ransomware Sanctions

Jamie MacColl, et al. | 2025.04.22

This conference report covers the discussions at a February 2025 online workshop on the UK’s experience with ransomware sanctions to date.

Introduction

On 9 February 2023, the UK and US governments jointly sanctioned seven members of Conti/Trickbot, a ransomware group responsible for attacks against at least 149 UK individuals and businesses. The move marked the UK government’s entry into the ransomware sanctions arena. Over the years since, the ransomware sanctions regime has expanded and has become a core component of the UK’s counter-ransomware strategy. The government aims to use sanctions to expose ransomware criminals’ identities, undermine their ability to monetise ransomware, and degrade other criminals’ trust in key ransomware services.

However, there are significant challenges posed by designing, implementing and enforcing ransomware sanctions in a way that achieves the government’s goals. In this context, in February 2025, as part of ongoing work through its UK Sanctions Implementation and Strategy Taskforce, RUSI convened an online workshop to discuss the UK’s experience with ransomware sanctions to date. The workshop was jointly organised by the Centre for Finance and Security and the Cyber and Tech research group at RUSI. A select group of 35 expert stakeholders from the UK, US and Canada attended the workshop. Participants represented a diverse range of professional backgrounds. These included incident responders, ransomware payment brokers, cryptocurrency tracers, lawyers, academics, law enforcement officers and UK government officials.

The first section of this report provides an overview of the discussion relating to the implementation of UK cyber sanctions. The second section focuses on the discussion pertaining to the sanction regime’s “theory of change”. The third section describes the impact of sanctions on ransomware threat actors. The fourth section articulates participants’ perspectives on the state of play with respect to compliance and enforcement. Finally, the report outlines policy implications for the UK’s role as a cyber sanctions proponent in a dynamic international context. None of the discussions at the event are attributable.

The UK Cyber Sanctions Regime

The first session began by outlining the context for the initial development and implementation of the UK’s ransomware sanctions regime. A representative from the UK government noted that the broader cyber sanctions regime was designed when the UK was still a member state of the EU. The UK’s regime, introduced in 2020, is thus modelled similarly to the EU’s. The participant also emphasised that the sanctions regime was an opportunity to collaborate with international partners, namely the US and Australia.

Participants discussed differences between the UK, US and EU approaches to implementing cyber sanctions. Participants described how there was a close alignment between the UK and US approaches, which prioritised operational impact by naming sanctioned individuals relatively quickly. Participants also recognised that there was a disparity in resources between the UK and US, with the latter being able to operate at greater speed and scale. Comparatively, while the UK’s regime was modelled in line with the EU’s regime, the EU was described as facing challenges in coordinating cyber sanctions across the 27 member states. This in-built deliberation meant that decision making on sanctions implementation, prioritisation and information-sharing was relatively slow.

More broadly, it is of note that many countries do not have dedicated cyber sanctions regimes. Participants noted that the UK continues to push for broader international action, particularly through partnerships such as the Counter Ransomware Initiative. At the time of writing, no sanctions had been lifted by the US, but participants expressed uncertainty about whether cyber sanctions will continue to be a priority for the US under the Trump administration.

The Theory of Change for Ransomware Sanctions

Participants from the government emphasised that the UK uses ransomware sanctions as part of a cross-government counter-ransomware strategy. This strategy is derived from the UK’s 2022 National Cyber Strategy and is coordinated by the cross-Whitehall Senior Ransomware Steering Group led by the Home Office. The workshop highlighted several different ways in which the UK government is using ransomware sanctions to try to further the three strategic objectives identified by participants.

As the primary objective, authorities aim to change the behaviour of criminals by altering their calculation of risk and undermining their ability to monetise ransomware. There are two ways that sanctions might contribute to this objective.

First, sanctions enable law enforcement to “name and shame” individual criminals and remove their anonymity. The government hopes that this will deter ransomware threat actors and force them to operate in a more constrained environment. One workshop participant noted that for UK authorities, sanctions are the best means of attributing ransomware operators and affiliates, as prosecutors will not charge foreign hackers without a reasonable chance of prosecution. This contrasts with the US, which has frequently indicted both intelligence officers from hostile states and foreign cybercriminals.

Second, sanctions are part of a range of measures that law enforcement uses to attempt to disrupt criminal networks by sowing distrust. The ransomware ecosystem is a collection of individuals, groups and services that rely on some degree of trust to function effectively. Many of the most impactful ransomware strains are run as a service: operators develop ransomware, maintain infrastructure to run it and then sell access to it to affiliates for a cut of ransom payments. Some participants argued that sanctioning key ransomware-as-a-service (RaaS) operators may cause affiliates to lose trust that these services are safe. This was the premise of Operation Cronos, an operation led by the National Crime Agency (NCA) that compromised the infrastructure of cybercriminal group LockBit and sanctioned its main administrator. Participants also discussed the more recent sanctioning by US, UK and Australian authorities of ZServers, a Russia-based “bulletproof” hosting provider used by ransomware criminals to host servers and domains.

A secondary objective of UK authorities is to use sanctions to change victim behaviour and reduce the number of ransom payments made by UK individuals and businesses. One participant argued that sanctions inject “friction” into victim decision making because of the need to carry out due diligence checks before a payment is made. At the same time, several workshop participants noted that the government is keen not to “re-victimise” ransomware victims by completely removing their ability to pay. Participants highlighted that balancing these competing desires is one of the reasons US and UK authorities have designated individual criminals rather than ransomware strains. The latter approach would completely remove the ability of victims to make payments to designated strains.

Some workshop participants also suggested that the UK government is using sanctions as a mechanism for increasing reporting of ransomware incidents in the UK. One industry representative at the workshop highlighted that the guidance from the Office of Financial Sanctions Implementation (OFSI) on ransomware sanctions notes that reporting to the National Cyber Security Centre and NCA will be treated as a mitigating factor if a victim pays a sanctioned ransomware threat actor.

Finally, an underlying objective across the UK’s cyber sanctions mission is to enhance international coordination. Cyber threats are inherently transnational, requiring a collaborative approach to sanctions and enforcement among international partners. Participants highlighted that the UK has been working closely with allies such as the US and Australia to coordinate sanctions and intelligence-sharing efforts. The effectiveness of these measures is amplified when multiple nations align their policies and enforcement actions. However, international alignment efforts are hindered by the EU’s divergent approach; participants observed that in the EU, the use of cyber sanctions is viewed as a tool more for countering mis/disinformation than for targeting ransomware attacks.

The Impact of Sanctions on Ransomware Threat Actors

After discussing the theory of change for using ransomware sanctions, the workshop focused on the effects of sanctions on criminal behaviour to date. This discussion covered the impact of not only UK designations on threat actors, but also designations by the US Office of Foreign Assets Control (OFAC). There was broad agreement that sanctions have increased distrust in RaaS offerings and disrupted some individuals’ ability to monetise ransomware. Representatives from the public and private sectors at the workshop emphasised, however, that it remains challenging to accurately measure these effects and disaggregate them from both other counter-ransomware measures and internal strife in the ransomware ecosystem.

Participants noted that it is likely that sanctions have sown distrust in some ransomware groups and services. This has two effects. First, one participant used the example of Conti/Trickbot and suggested that designating individual members has had a psychological impact and reduced their risk appetite for high-profile ransomware operations. Second, participants noted that sanctions and associated travel bans probably also cause designated individuals to reconsider travelling abroad to spend their profits. Although these measures do not change the central problem of Russia being a safe haven for threat actors, they do constrain the actors’ freedom. Even more significant, however, is the reputational harm that sanctions cause to criminal brands, both for individuals and RaaS strains. One participant argued that key members of Conti/Trickbot, Evil Corp and LockBit have all failed to recover their influence in the ecosystem since being designated.

There was widespread agreement that sanctions have affected designated individuals’ ability to monetise ransomware. Victims – and the third parties such as insurers, payment brokers and lawyers that support them – are less likely to pay sanctioned threat actors because of the fear of being punished by authorities. One participant highlighted reporting by Chainalysis, which shows that payments to LockBit dropped 79% in the second half of 2024 following Operation Cronos and the designation of LockBit’s core administrator. It is also likely that reputational harm caused to sanctioned RaaS and malware-as-a-service operators such as Conti/Trickbot has undermined their ability to attract new customers and affiliates. One workshop participant also noted that sanctioned ransomware affiliates (such as Evil Corp) may find it harder to access RaaS services because of increased scrutiny from administrators.

The workshop also highlighted that sanctions of both key individuals and cryptocurrency and money laundering services have made it challenging for threat actors to launder the proceeds of ransomware. This aligns with analysis conducted by Chainalysis in early 2025, which assessed that sanctions and law enforcement operations have resulted in “insecurity among threat actors where they can safely put their funds”.

Sanctions have probably also had broader effects on the ransomware ecosystem and the operating models and tactics of key groups and individuals. One workshop participant highlighted how Evil Corp had adapted its business model after being designated by OFAC in 2019: rather than running its own in-house ransomware operations, its members became affiliates of RaaS strains to evade the additional scrutiny and restrictions put on them. However, it is unclear if this dramatically affected its ability to monetise ransomware. Other participants argued that sanctions (along with other counter-ransomware measures) have contributed to the fragmentation of the ransomware ecosystem, with monopolistic RaaS strains like LockBit giving way to smaller players and more “lone wolves”. However, participants noted that an unintended consequence of this may be worse outcomes for victims, with less established threat actors less likely to provide reliable decrypters and more willing to use very aggressive extortion tactics. This may be because they are less constrained by the rules imposed by some RaaS operators and administrators. Additionally, third-party incident responders and ransomware negotiators are less able to draw on battlecards – intelligence and playbooks to guide engagement with different ransomware threat actors – and past precedent when handling incidents caused by splinter groups or groups with no name. This may create uncertainty and/or delays in the victim’s remediation efforts.

Although the workshop was broadly positive about the effects of sanctions on threat actors, it also highlighted that there is uncertainty and scepticism about the ability of law enforcement and industry to accurately measure those effects. Part of this challenge is due to a lack of visibility: as one participant highlighted, it is difficult to know when criminals feel vulnerable, even in cases when their communications may be compromised. It is also a methodological challenge: the effects of sanctions cannot be disaggregated from other counter-ransomware activities such as offensive cyber operations and arrests. However, since these measures are designed to complement one another, ultimately it may not matter if authorities are unable to assign specific effects to sanctions. This also emphasises that sanctions will probably be more effective if used in concert with other tools.

Compliance, Enforcement and the Impact on Ransomware Victims

In the final session, workshop participants discussed cyber sanctions compliance at length and in depth. The discussion also reflected on the impact that sanctions checks had on the ransomware victim experience and threat actors’ ability to monetise ransomware.

If a ransomware victim is considering a prospective payment of a ransom, they have a responsibility to make reasonable efforts to identify whether the payment may – either in part or in full – go to a sanctioned individual. Industry participants at the workshop explained that, in practice, the sanctions compliance checks are often undertaken by third-party firms – specifically, ransomware intermediaries, which are firms that facilitate ransom payments in cryptocurrencies to cybercriminals. This ransomware intermediary function, participants explained, may be a bolt-on to a wider cyber incident response and/or ransomware negotiation service. Some firms may also offer ransomware payments as a standalone service. Ransomware intermediaries are an attractive solution in part because they have the capability to procure or draw upon large sums of cryptocurrency.

The sanctions checks will be undertaken before a payment is signed off by the ransomware victim and, where applicable, their third-party support. This support may include an incident response firm, legal services provider and/or a cyber insurer. Previous RUSI research has identified that the decision to pay or not pay a negotiated ransom lies with the senior leadership at a victim organisation. This decision may be informed by advice and guidance from third-party support, but the decision ultimately rests with the victim organisation. Participants emphasised that, at present, a red flag from a sanctions compliance check is the only legal impediment to a prospective ransom payment in the UK.

According to industry participants, there is significant scope for ambiguity with respect to ransomware sanctions checks. While ransomware groups are typically keen to establish and maintain the reputation of their “brand name”, they will obfuscate the personal identities of those in the group. However, the UK’s ransomware sanctions regime targets named individuals rather than groups. Contemporary ransomware payments are likely to go to multiple individuals within a given group. The prevalence of RaaS means that it is common for ransomware payments to be divided on a ratio basis between affiliates and operators. There is also a growing incidence of “lone wolves” operating without branding, as observed by private operators at the workshop.

Industry representatives at the workshop described that the entity responsible for sanctions compliance therefore has to try to ascertain whether there is a reasonable risk of a prospective ransom payment going to a named sanctioned individual. They will typically use a range of identifiers to make this judgement call. These may include but are not necessarily limited to: the cryptocurrency wallet address; IP addresses; Tox chat IDs; the computer code used to conduct the attack; and the language expressions used by the criminals in ransom notes and negotiations. One participant emphasised that each individual facilitator needs to determine their own risk tolerance. They argued that an ideal sanctions check would follow a typology using code, syntax and linguistic overlap. However, the judgement call on the degree of overlap is highly likely to be inconclusive and there is a risk of false positives and false negatives. Building on this point, participants described how the judgement call felt like “rolling the dice”.

Ultimately, the workshop highlighted that ransomware sanctions checks are, at present, more of an art than a science, with, as one workshop participant put it, “no silver bullet for due diligence”. There is inadequate clarity on what constitutes a sufficient sanctions check. Guidance from governments including the UK’s was described as “intentionally ambiguous”. Participants explained how they had attempted to get clarity from government entities such as OFAC and OFSI, but that this was not forthcoming. Additionally, at the time of writing, there had not been any fine or censure for any ransomware sanctions breach that could provide further insights into what the regulator found to be insufficient checks, despite publicly known instances of alleged sanctions breaches.

Workshop participants who offer ransomware intermediary services described how they took a “conservative approach” to sanctions checks and would clearly explain their risk assessment to clients. These participants noted that they had refused to facilitate payments that they believed carried a sanctions risk. One participant referred to a case that they had supported where they believed there was a high sanctions risk; they refused to make the payment, but the client then went to another firm who ultimately completed the transaction. In the participant’s view, the 80/20 RaaS payment split (80% to the affiliate; 20% to the operator) for that payment included money going to a sanctioned entity.
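The identifier screening described above and the 80/20 RaaS split in the case just mentioned, as an added example that is not part of the original report and not any intermediary’s actual tooling. It assumes a constructed designation list with hypothetical names and made-up wallet addresses, Tox IDs and IP addresses (no real listings are used), and it covers only the exact-match part of a check: the inconclusive “code, syntax and linguistic overlap” judgement the participants describe is deliberately left out, because no mechanical rule for it exists on the page.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Designation:
    """One designated person and the technical identifiers published with the listing."""
    name: str
    role: str                 # "operator" (runs the RaaS) or "affiliate" (deploys it)
    wallets: frozenset[str]   # compared exactly: base58 addresses are case-sensitive
    tox_ids: frozenset[str]   # Tox IDs are hex, so compared case-insensitively
    ips: frozenset[str]


# Constructed designation list: hypothetical names and made-up identifiers, not real listings.
DESIGNATIONS = (
    Designation(
        "OPERATOR-A (hypothetical)", "operator",
        frozenset({"bc1qexampleoperatorwallet0000000000000000"}),
        frozenset({"A1B2C3D4E5F60718293A4B5C6D7E8F90A1B2C3D4E5F60718293A4B5C6D7E8F90ABCD12345678"}),
        frozenset({"203.0.113.10"}),
    ),
    Designation(
        "AFFILIATE-B (hypothetical)", "affiliate",
        frozenset({"1ExampleAffiliateWalletXXXXXXXXXXXXXXX"}),
        frozenset(),
        frozenset({"198.51.100.7"}),
    ),
)


def _norm(kind: str, value: str) -> str:
    """Normalise an observed indicator the same way the designation data is normalised."""
    value = value.strip()
    return value.upper() if kind == "tox" else value


def screen(indicators: dict[str, list[str]]) -> list[tuple[str, str, str, str]]:
    """Return (designation name, role, indicator kind, value) for every exact hit.

    indicators maps "wallet" | "tox" | "ip" to the values observed in the incident
    (ransom note, negotiation chat, payment address, attacker infrastructure).
    Unknown indicator kinds are ignored rather than treated as matches.
    """
    hits = []
    for d in DESIGNATIONS:
        listed = {"wallet": d.wallets, "tox": {t.upper() for t in d.tox_ids}, "ip": d.ips}
        for kind, values in indicators.items():
            for raw in values:
                if _norm(kind, raw) in listed.get(kind, ()):
                    hits.append((d.name, d.role, kind, raw.strip()))
    return hits


def designated_exposure(amount: float, affiliate_share: float, hits) -> float:
    """Portion of a ransom that would reach a designated person under a RaaS revenue split.

    Assumes the operator keeps (1 - affiliate_share) of every payment to the strain, so a
    designated operator exposes every payment, even when the affiliate is unidentified.
    """
    roles = {role for _, role, _, _ in hits}
    exposed = 0.0
    if "operator" in roles:
        exposed += amount - amount * affiliate_share
    if "affiliate" in roles:
        exposed += amount * affiliate_share
    return exposed


if __name__ == "__main__":
    # Constructed incident: the negotiation chat exposed the operator's Tox ID (lower-case,
    # with stray whitespace); the payment wallet and attacker IP are not on any listing.
    observed = {
        "tox": ["  a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d4e5f60718293a4b5c6d7e8f90abcd12345678 "],
        "wallet": ["bc1qunlistedpaymentaddress000000000000000"],
        "ip": ["192.0.2.1"],
    }
    hits = screen(observed)
    for name, role, kind, value in hits:
        print(f"HIT: {name} ({role}) via {kind} = {value}")
    print("exposed under 80/20 split:", designated_exposure(1_000_000, 0.8, hits))
```

Two practitioner points the block makes concrete: normalisation has to follow the identifier type (a Tox ID copied from a chat in lower case must still hit, while a base58 wallet address must not be case-folded), and under an 80/20 split a designated operator makes the whole strain “unpayable” in the sense the workshop described, because a fifth of any payment reaches the listed person regardless of which affiliate ran the intrusion.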

Participants agreed that this anecdotal case highlights a challenge. The ambiguity in the sanctions regime enables ransomware intermediaries – and ransomware victims – to determine their own judgement call based on their own risk tolerance. This means that there may be a spectrum across the market, ranging from “conservative” approaches at one end, through to “permissive” approaches at the other. Previous reporting has also indicated the presence of extreme outlier practices, wherein intermediaries discreetly pay a ransom to the attackers and present this as an “IT solution” to the client.

What this means is that ransomware victims are, in the words of one workshop participant, able to “shop around for lower standards” so that they may ultimately be able to proceed with a payment. However, one participant noted that the workshop probably had an inherent selection bias; intermediaries who are moderated in their approach to sanctions compliance were more likely to attend a workshop on ransomware sanctions.

It is important to emphasise that the workshop discussion did not label ransomware sanctions regimes as paper tigers. On the contrary, workshop participants emphasised that ransomware victims and ransomware intermediaries often have a genuine fear of the potential repercussions of breaching sanctions. Participants described how this fear had a tangible influence on the decision making journeys of ransomware victims by creating friction in the payment process. A participant described how it was good to create “inertia” and “make the victim jump through some hoops and think rationally about the situation”. Another participant agreed, noting that the introduction of the sanctions regimes had caused victims to “think twice” before proceeding with a payment. A ransomware intermediary participant suggested that they had seen increased “fear of OFAC” following the start of the Russia–Ukraine conflict, which had prompted increased demand for due diligence.

Overall, the workshop discussions indicated a mixed picture with respect to ransomware sanctions compliance. Participants outlined their approaches to sanctions compliance based on risk-averse practices. However, the obfuscated nature of ransomware forensics – combined with ambiguity in the sanctions regime – means that sanctions compliance is imprecise. Practitioners are having to rely, at least in part, on a subjective value judgement. Workshop participants argued that if clarity were needed, it would ultimately need to come from governments and regulators.

Key Takeaways and Policy Recommendations

The workshop discussion highlighted that cyber sanctions have had several impacts on the ransomware criminal ecosystem, ransomware victim behaviours and the activities of ransomware intermediaries.

With respect to the criminals, cyber sanctions add some complexity to their operations – for instance, with respect to their conversion of cryptocurrency assets or their ability to travel internationally. There are also suggestions that sanctions carry a stigma for named individuals, which may foster consternation and distrust within RaaS communities. Where a figurehead of a ransomware group is named as a sanctioned entity, the whole group may become “unpayable” if there is a likely risk that a portion of any payment would go to the named individual.

It is clear from the workshop discussion that, even though no censure or fine has thus far been made against cyber sanctions breaches, the time lag of making a sanctions check and the fear of potential future penalties has added friction into the payment decision making process. Participants noted that the UK government is in an unenviable position of trying to sustain an impactful cyber sanctions regime while avoiding double-victimisation of victims of serious organised crime. This may, at least partially, explain the hesitancy for clarity from OFSI and the lack of censure to date.

Ultimately, in the absence of effective prosecutions of international ransomware perpetrators, sanctions regimes are one of the few lighter-touch tools that the UK and like-minded countries can use to directly or indirectly affect known serious organised cybercriminals. However, at present, cyber sanctions are an imperfect tool. There may be opportunities for the UK and like-minded countries to refine their regimes. The workshop concluded with the identification of the policy considerations proposed below:

  • Enhance transparency from OFSI. Industry participants expressed frustration about the lack of transparency and guidance from governments and regulators. Participants described how they had proactively reached out to relevant government entities for clarity and had either received slow, nondescript and/or unhelpful responses, or no response at all. It is possible that this ineffective feedback risks disenfranchising well-meaning ransomware intermediaries and ransomware victims. The UK government should reflect on the status quo and assess whether the current approach is primed to achieve the government’s objectives.

  • Promote standardisation for sanctions checks. Guidance should be calibrated to encourage more standardisation for sanctions checks. Outside of extreme cases, cyber sanctions checks are inherently inconclusive, with the risk of false positives and negatives. Two different sanctions compliance checkers – with differing experience and risk appetites – may come to opposing conclusions about the sanctions risk of a given ransomware payment. The government should consider how it can support increased standardisation for sanctions checks. This could include, for instance, clear guidance on which technical indicators should be used to make a check, and how they should be meaningfully assessed. Given that the UK government is currently proposing a “payment authorisation regime”, which would require victims to both request permission to pay a ransom and perform their own sanctions checks, spreading best practice and transparency on sanctions checks will become more important.

  • Designate more targets at a faster pace. If ransomware sanctions do have tangible – if limited – impacts on the criminals perpetrating and monetising attacks, the UK government should be bold and implement more sanctions, more efficiently.

  • Upturn the bargain bucket. Ransomware intermediary participants described how they were regulated as money service businesses, proactively sought external scrutiny through auditing, proactively reported incidents and shared information on request, and took a deliberately conservative approach to sanctions risk assessments. However, not all ransomware intermediaries proactively engage in such good citizenship. Some firms may adopt a “permissive” approach to sanctions compliance. Others may surreptitiously engage with the criminals, process a payment, and present this as a technical solution to a client. Research should be commissioned to understand the scope and scale of such behaviour among unscrupulous providers. Where such firms are based in the UK or like-minded partner countries, efforts should be made to scrutinise their activities and, where necessary, hold them to account.

  • Strengthen alignment with international partners. The UK has successfully collaborated with the US and Australia, but the EU has been less active in leveraging its cyber sanctions regime. The uncertainty about the prioritisation of cyber sanctions under the new US administration also raises concerns. The UK must ensure that international partners collaborate closely to enhance the effectiveness of designations and achieve consistent enforcement.

In summary, while the use of sanctions was welcomed by workshop participants, their effectiveness has been limited by a number of shortcomings that could be addressed by some simple, focused actions.


Jamie MacColl is a Research Fellow in the Cyber and Tech research team at RUSI. His current research interests include ransomware, the UK’s approach to offensive cyber operations, cyber insurance and the role of private companies in global cyber governance. He has led a range of public and private projects for RUSI, with a particular focus on UK cyber policy. He is also currently a Senior Research Associate at the European Cyber Conflict Research Initiative and a Project Fellow at the Research Institute for Sociotechnical Cyber Security.

Gareth Mott is a Research Fellow in the Cyber and Tech research team at RUSI. His research interests include governance and cyberspace, the challenges (and promises) of peer-to-peer technologies, developments in the cyber risk landscape, and the evolution of cybersecurity strategies at micro and macro levels.

Gonzalo Saiz is a Research Fellow at the Centre for Finance and Security at RUSI, focusing on sanctions and counter-threat finance. His research focuses on sanctions implementation, circumvention and evasion tactics, and sanctions enforcement. He leads the research of SIFMANet (the Sanctions and Illicit Finance Monitoring and Analysis Network) and RUSI’s UK Sanctions Implementation and Strategy Taskforce and Maritime Sanctions Taskforce. Gonzalo’s research on counter-threat finance includes work on the abuse of non-profit organisations for terrorist financing, crime-enabled terrorist financing, and the financing of right-wing extremism.
