Assessing the impact of counter-ransomware interventions


As ransomware has become an ever more disruptive element of the cybersecurity landscape, governments have likewise become increasingly ambitious in their interventions against it. Over the past five years, counter-ransomware activity has shifted from sporadic law-enforcement actions to sustained campaigns involving infrastructure seizures, cyber operations, arrests, sanctions, and coordinated international partnerships. These interventions reflect an important reorientation: ransomware is no longer treated as a niche cybercrime issue, but as a problem with national security implications.

Despite these ambitious intentions, however, our understanding and assessment of the impact of such interventions remains underdeveloped.

Debates about counter-ransomware policy often collapse into a blunt question: Does it work? That question is usually answered by citing individual outcomes – whether a group disappeared, a botnet was dismantled, or payments declined in a given quarter. But these answers obscure more than they clarify. Ransomware interventions are complex, multi-layered, and heterogeneous by design. Treating impact along a single dimension risks flattening that complexity and drawing the wrong lessons from otherwise consequential operations.

The issue is not that governments lack impact. It is that they lack a shared way to describe, compare, and learn from it.

Impact is not a single outcome

A recurring problem in counter-ransomware policy is the implicit assumption that the effect of an intervention can be captured in a single, binary judgment of success or failure. Yet ransomware operations can be affected in fundamentally different ways depending on what is targeted, the sequence of interventions, and which parts of the ecosystem are engaged.

Some actions primarily degrade operational capability. Others disrupt organisational cohesion. Still others shape incentives, expectations, or trust across the wider virtual environment. These forms of impact are not interchangeable. An intervention can have a substantial impact along one dimension while remaining limited along another, and those trade-offs matter for developing a sustainable counter-ransomware strategy.

The operations against REvil in 2021 and 2022 illustrate this differential impact clearly. The compromise of the group’s infrastructure – combined with follow-on actions that compounded uncertainty for its affiliates and operators – resulted in the permanent collapse of the REvil brand. In operational terms, the outcome was severe and durable. Despite this result, the broader ransomware ecosystem adjusted. Affiliates migrated. Other groups expanded. While the intervention was effective at incapacitating a specific actor, its ecosystem-wide impact was necessarily more constrained.

By contrast, Operation Ladybird – directed against the Emotet botnet – targeted a shared service that underpinned many ransomware campaigns. The scope of impact was therefore much broader, disrupting initial access for multiple downstream actors simultaneously. The long-term effects were more mixed, however, because alternative loaders and distribution services already existed. The operation succeeded in reshaping part of the access landscape, but it also demonstrated how quickly substitution can occur when interventions focus on widely shared infrastructure.

These cases point to a central insight: durable impact is not an automatic consequence of disruption. It must be engineered.

The durability question

Across major counter-ransomware interventions, one pattern recurs: immediate disruption is increasingly achievable, but durable constraint is harder to attain.

Ransomware ecosystems are adaptive. Groups rebuild infrastructure, rebrand operations, and reconfigure relationships. Whether an intervention produces lasting effects depends less on the initial shock than on whether it constrains reconstitution. That constraint can take several forms: persistent uncertainty about compromised access, erosion of trust between operators and affiliates, exposure of intermediaries, or sustained pressure on monetisation pathways.

The intervention against Hive ransomware highlights this distinction. By covertly accessing Hive’s systems and distributing decryption keys over an extended period, authorities deprived the group of ransom revenue and prevented significant harm to victims. Although this was a meaningful outcome, the operation largely avoided direct action against Hive’s personnel and support networks. The Hive brand disappeared, but related actors appear to have re-emerged elsewhere. The impact here was real, but bounded by design.

The UK National Crime Agency’s Operation Cronos against the ransomware group LockBit is often interpreted as a turning point precisely because it combined multiple forms of constraint. Infrastructure was seized, affiliates were exposed, financial channels were targeted, and reputational claims central to LockBit’s business model were publicly undermined. Post-operation data suggest that LockBit’s ability to operate at scale was significantly degraded, with fewer affiliates, negotiations, and payments. What distinguishes Operation Cronos is not simply its breadth, but the way its components reinforced each other to limit LockBit’s recovery.

Why impact keeps being misread

Despite increasingly sophisticated interventions, impact assessments remain uneven. Part of this is structural. Data availability varies across jurisdictions. Classified insights rarely feed into shared evaluation, and time horizons differ. What looks impactful after weeks may look different after months.

But there is also a deeper, conceptual problem. Impact is often inferred from proxies rather than assessed directly. Changes in ransomware payments, for example, are frequently cited as evidence that particular interventions worked, even though many other factors, including insurance practices, regulatory guidance, and victim awareness, influence payment behaviour. Conversely, the reappearance of activity under a new brand is sometimes treated as proof of failure, even when an intervention succeeded in degrading trust, coordination, or scale.

Without a structured way to separate these effects, assessments oscillate between overconfidence and scepticism.

The lack of a system for shared evaluation also complicates international coordination. Counter-ransomware activity remains concentrated among a small number of states, with the United States involved in the majority of recorded disruptive actions. While this concentration enables capability, it also reinforces fragmented assessment practices. Agencies and countries evaluate impact according to their own priorities, often without synthesis. The result is a growing body of experience without a cumulative analytical framework.

Toward a more usable notion of impact

If ransomware is to be addressed as a strategic problem rather than a series of cases, impact must be distinguished more carefully. That requires not more precise measurement but more consistency. Ransomware interventions generate different kinds of effects, unfold over different time horizons, and involve trade-offs that are easily obscured when impact is reduced to a single judgment.

One way to address this gap is to treat impact as multi-dimensional. In a recent report assessing the impact of ransomware interventions, we propose evaluating countermeasures across four elements: severity – the degree of operational damage inflicted; scope – whether effects are confined to a single group or ripple across the ecosystem; longevity and reversibility – how durable those effects are and how easily actors can recover; and signalling value – the messages an intervention sends to other actors, affiliates, and victims, and whether those signals alter behaviour beyond the immediate target. Together, these elements allow interventions to be assessed in relation to what they plausibly set out to achieve, rather than against a generic or absolute standard.

Seen this way, recent counter-ransomware efforts are best understood as part of an ongoing learning process. Governments have become more capable of disrupting ransomware operations. The harder task now is assessing which forms of disruption matter most, which combinations endure, and how different effects accumulate over time.