The Forgotten War: Ransomware and Cyber Conflict Studies

Scholars of cyber conflict have largely ignored the rise of ransomware as a national security threat. Counter-ransomware strategies would benefit from further interrogation from this community.

Hostile cyberattacks on hospitals, energy infrastructure, and strategic ports. Retaliatory offensive cyber operations carried out by Five Eyes members. Ransomware bears many of the hallmarks of the kind of cyber conflict long imagined by academics, military planners, and policymakers, albeit one waged primarily by law enforcement agencies and financially motivated criminals rather than cyber commands. Indeed, the FBI recently announced that its agents have conducted over 30 disruption operations against ransomware criminals in 2024 alone, emphasising the importance of ransomware as a strategic challenge.  

Despite this, scholars of cyber conflict largely overlook ransomware. This leaves policy debates about ransomware poorer. Given the increasing use of offensive cyber operations and other tools of statecraft in counter ransomware strategies, more scholars should seek to interrogate the assumptions and concepts that underpin their implementation. 

Ransomware in cyber conflict studies

Historically, strategic studies has focused on cyber competition and conflict in interstate relations. Academics are split between framing cyber operations as an intelligence contest or using the US-driven lens of persistent engagement. This literature has successfully tempered inflated expectations about one-off, strategically decisive cyberattacks, and helped re-orient policymaking and the study of cyber conflict towards an approach focusing on the cumulative effects of campaigns. However, these debates remain narrowly tailored to state-centred dynamics.

To date, theorists on offensive cyber operations have not convincingly demonstrated how these frames – drawn upon to assess interstate cyber behaviour – can be applied to countering ransomware. 

This disconnect is perhaps best illustrated in the widely influential cyber persistence theory, which maintains that the structural condition of interconnectedness, as well as continuous network exploitation below armed conflict, tacitly fosters an ‘agreed competition’ between state adversaries. While proponents argue that ‘the strategic principle of initiative persistence remains valid against non-State actors’, there has been little sustained exploration of what value persistence can actually bring to countering ransomware actors.

This is despite repeated evidence that ransomware operators’ prioritisation of financial gain defies structured competition, not least in their frequent disregard of the risk calculations that otherwise shape geopolitically motivated state behaviour in cyberspace. Ransomware operators have brazenly disrupted US critical infrastructure – including hospitals, oil pipelines, and food production – at a tempo and scale that no state adversary has come close to. 

Barring Max Smeets’ upcoming Ransom War book and a conference paper by legal researchers on the impact of Western cyber operations on the ransomware ecosystem, cybercrime and ransomware have been relegated to the periphery of strategic discussions on offensive cyber operations. Not a single prominent strategic studies or international relations journal has published an article focused on ransomware. Even when issues of cyber deterrence and non-state actors are raised, the focus of countermeasures has remained on traditional law enforcement levers like indictments and prosecutions.

In circles where states’ offensive cyber operations against ransomware actors have taken centre stage, US researchers have framed the discussion primarily around the question of authority. The debate has focused on whether such operations should fall within the purview of law enforcement or military action – of course with important implications for legal oversight and global cyber norms – rather than critically examining the strategic assumptions and efficacy of counter-ransomware cyber operations.

Is ransomware boring?

This lack of critical interrogation is symptomatic of a deeper issue: a cultural and strategic bias that downplays ransomware as less significant than state-sponsored cyber threats.

For many, ransomware lacks the geopolitical gravity and technical tradecraft typically associated with state-sponsored operations. As Ciaran Martin, former CEO of the UK National Cyber Security Centre, quipped earlier this year, ransomware may simply be ‘politically boring’ in comparison to other cyber threats.

In a world preoccupied with great power rivalries, particularly US-China competition, researchers and policymakers have instead – to borrow the words of former US Cybersecurity and Infrastructure Security Agency director Chris Krebs – ‘fetishised’ advanced persistent threats (APTs), state actors that conduct sustained campaigns. 

This phenomenon goes beyond the study of cyber conflict. The cyber threat intelligence industry, with the exception of a few firms focused on cybercrime, has long prioritised reporting on advanced and persistent state actors. Although there are commercial incentives for this – as has been emphasised elsewhere – it also reflects the lived experiences and mindset of the ex-government and military intelligence professionals that dominate the industry. Given that theory-building in cyber conflict studies often relies on data-rich reports crafted by these vendors, the cyber threat intelligence industry’s preferences reinforce the academic emphasis on state activity.

Interrogating counter-ransomware strategies 

Why does the lack of strategic studies focus on ransomware matter? In the simplest terms, because ransomware policy would benefit from the same type of theory-building and debate that has informed the development of strategic and operational concepts for state activity in cyberspace. Strategies to counter ransomware go beyond a mere collection of rules and decisions; they are rooted in a broader set of beliefs and assumptions that shape how policymakers define problems, interpret information, and choose solutions. 

Consider the US counter-ransomware strategy, which increasingly emphasises law enforcement-led disruption operations through offensive cyber and other means. This is despite lingering questions about the theory of change for this approach and its underlying assumptions. Is it simply a version of persistent engagement, which the 2023 US National Cybersecurity Strategy nods to in asserting that ‘disruption campaigns must become so sustained and targeted that criminal activity is rendered unprofitable’? If so, does this mean that theories advanced for interstate competition and deterrence have simply been shifted onto ransomware? If that is the case, more discussion is required to understand how the goals, strategies, and risk calculus of criminals, particularly those harboured or tacitly endorsed by hostile states, differ from those of governments and intelligence agencies.

There are also unanswered questions about the unintended consequences of the current approach by the US, UK, and others. 

In going after major ransomware-as-a-service (RaaS) providers – criminal groups that develop and rent out ransomware tools to affiliates – James Babbage, former commander of the UK National Cyber Force and current director general for threats at the National Crime Agency, has observed that the ‘criminal industry is effective at amending its activities and business models dynamically’.

This has recently been highlighted by Europol, which noted that the damaging of RaaS reputations by law enforcement prompted high-level affiliates to ‘lessen their dependence on ransomware service providers’ infrastructure’, instead relying on increasingly decentralised and more elusive forms of partnerships.

These are just some of the questions and challenges that would benefit from more interrogation and debate by scholars and researchers. 

The need for (academic) conflict on ransomware 

As researchers at a national-security-focused think tank, we are ourselves part of the echo chamber that has largely treated cybercrime as an afterthought or distraction from cyber competition and conflict between states. 

Yet this neglect comes with risks. First, without interrogation and challenge from those outside government, counter-ransomware strategies risk being built on shaky conceptual foundations. Second, strategic studies scholars could sideline themselves from policy debates about a cyber threat that arguably has a far greater impact on society and the economy than most state-backed cyber operations.   

With a new US administration likely to put renewed emphasis on using offensive cyber operations to achieve its goals, now is a better time than ever for scholars to shine a light on the theories and assumptions of counter-ransomware strategies. 

In doing so, scholars may reinvigorate increasingly tired debates about cyber deterrence and the utility of offensive cyber operations. They may also come to discover what we have: ransomware is one of the most compelling cyber strategy dilemmas of our time.
