Ransomware will thrive until we change our strategy

We have reached a stage where ransomware isn’t simply a cybercrime issue: it is now clearly a business disruptor, a threat to societal trust, and increasingly, a national security crisis.

As James Babbage, Director General (Threats) at the UK’s National Crime Agency (NCA), recently noted, ransomware is “a national security threat in its own right, both here and throughout the world.” Alarmingly, despite years of targeted operations, global strategy papers, and industry guidance, ransomware groups continue to extort millions from organizations every year with little fear of real consequences. Why? Because most of our current efforts are focused on dealing with the aftermath of attacks and not the conditions that allow them to happen in the first place.

Laws mandating the reporting of ransomware payments, like those being rolled out in Australia, are well-intentioned: they aim to build better national visibility of the threat landscape. In the UK, the government is proposing that public sector agencies no longer be permitted to pay ransoms, a move designed to cut off financial incentives to criminal groups.

While I support these measures in principle, they are reactive, and they will not stop attacks from happening. They do nothing to raise the cost, financial or otherwise, for the criminals behind these attacks, and they do little to build resilience in the organizations most at risk.

A complex problem

Most ransomware attacks are not targeted; they are crimes of opportunity. At best, a government ban on paying will do little to stop criminals carrying out these attacks. At worst, criminals will simply shift their attention to other, more vulnerable sectors that the ban does not cover.

We need to remember that those behind ransomware attacks are part of organized criminal gangs. These are professional criminal enterprises, not lone hackers, with access to global infrastructures, safe havens to operate from, and laundering mechanisms to clean their profits. Addressing this requires more than reporting requirements. It needs an international, collaborative approach that treats ransomware as the serious transnational crime it is.

The good news is that we’re not starting from scratch. The Ransomware Task Force (RTF), a global, multi-stakeholder initiative involving government, industry, and academia, mapped out this issue back in 2021 and has provided a robust action plan. It called for things such as more meaningful international cooperation, stronger resilience across critical infrastructure sectors, and accountability for virtual asset laundering.

Some progress has been made, such as recent law enforcement operations against some ransomware groups, as well as increased international pressure on cryptocurrency mixers. However, many of the more complex recommendations requiring legislative change or broader tech industry cooperation remain only partially addressed.

Steps we must take

We must get serious about resourcing law enforcement. Disrupting ransomware gangs isn’t just about knocking a website or a dark marketplace offline. It requires trained personnel, international legal instruments, strong financial intelligence, and political support. It also takes time, which means political patience. We can’t expect agencies to dismantle global criminal networks with only short-term funding windows and reactive mandates. The criminal gangs attacking us are agile and well-funded. The policing response must be just as strategic and (crucially!) supported with long-term investment and patience.

At the same time, we must tackle the more mundane reality that too many attacks could still be prevented through basic cyber hygiene. Organizations continue to fall to phishing emails, remote desktop services exposed to the internet, unpatched software, and weak password practices. The basics aren't exciting, but they matter. Cyber resilience must be elevated, especially among small and medium-sized businesses, which often lack dedicated security resources but form essential links in the global digital supply chain.

This is where regulation is beginning to step in. Newer legislative frameworks like the EU's NIS2 Directive and the Digital Operational Resilience Act (DORA) don't just focus on the big players. They place clear obligations on regulated entities to manage cyber risk across their suppliers and service providers. If you're a small vendor supporting a critical service, you must meet minimum security standards. And if you're a larger player, you must ensure your digital ecosystem is not your weakest point. This is a shift from optional best practice to regulatory requirement, and it's long overdue.

The problem of ransomware, or indeed cybercrime in general, is not just about improving how organizations manage their cybersecurity. We also need to demand better from the technology providers those organizations rely on. Too many software systems, including, ironically, cybersecurity products, are shipped with outdated libraries, insecure default settings, complex patching workflows, and little transparency around vulnerability disclosure. Customers have been left to carry the burden of addressing flaws they didn't create and often can't easily fix.

This must change. Secure-by-design and secure-by-default must become reality, not slogans on a marketing slide or pinkie-promises that vendors "take cybersecurity seriously". Vendors need to demonstrate that security is built into every stage of their development lifecycle, from architectural planning through product release and deployment to ongoing support and maintenance.

It’s encouraging to see regulation such as the EU’s Cyber Resilience Act take vendor accountability seriously. By assigning clearer responsibility to software and hardware providers, it sets the expectation that commercial technology must meet the same engineering standards for safety and security as any other infrastructure. After all, if a car manufacturer sold vehicles with faulty brakes, we wouldn’t accept a user-guide warning or an end-user licence agreement relieving the manufacturer of liability. So why should we allow software firms to ship insecure code in products that support critical services?

Finally: when things do go wrong, victims need as much support as possible. Public-private initiatives like Europol’s “No More Ransom” provide free decryption tools for known variants and help victims avoid paying ransoms. These are valuable community efforts and we need more of them, but we shouldn’t get too comfortable relying on them: a decryptor only exists where a variant’s keys have been recovered or its cryptography was flawed, and the well-run gangs make neither mistake. If recovery tools are seen as an adequate substitute for systemic resilience, organizations are being set up to fail.

Until we fix the root causes, ransomware will continue to be a problem

Ransomware thrives in an environment built on complexity, indifference, and technical debt. It is enabled by international legal inconsistency, by fragmented enforcement, by insecure products, and by organizations that believe they are unlikely targets.

Every day that passes without a change in that reality rewards ransomware groups with profit, cover, and strength. We need an approach that is international, sustained, and coordinated. One that treats the ransomware threat as the serious criminal ecosystem it is. This means continued investment in policing and intelligence sharing, firm diplomatic responses against states which shield these criminals, more demanding expectations for vendors, and a renewed commitment to making security hygiene a foundation, not an option.

Ransomware is not going away. It’s evolving, growing, and adapting to every defence we throw at it. The time has come to stop simply treating the symptoms and for us to start curing the disease.
