Ransomware has become a central national security concern, prompting governments to expand their response toolkit beyond traditional law enforcement measures. Arrests, infrastructure takedowns, sanctions, indictments and public exposure are now routinely deployed against ransomware actors. Yet these interventions are often applied opportunistically and assessed in isolation, making it difficult to determine whether they produce lasting strategic effects or merely short-term disruption. Visibility is frequently mistaken for effectiveness.

The fourth report of the Pharos Series, a joint project of Virtual Routes and Royal United Services Institute (RUSI), is authored by Max Smeets, Jamie MacColl, Sophie Williams-Dunning and Bob Herczeg. The report introduces a practical framework for evaluating ransomware interventions across four dimensions: severity, scope, longevity and reversibility, and signalling value. This structured approach enables graded assessments, distinguishes between actor-level and ecosystem-level effects, and makes trade-offs across different types of interventions explicit.

The framework is illustrated through four cases — REvil, Emotet, Hive, and LockBit — demonstrating how different intervention designs generate distinct impact profiles. Overall, the report provides policymakers and operational teams with a consistent method to compare interventions, avoid equating publicity with impact, and strengthen long-term counter-ransomware strategy.

This project was made possible by the support of the German Federal Foreign Office. The views expressed in this paper do not necessarily represent the views or policies of the ministry or the government.

Read the full report below.

This report is a part of the Pharos Series, a series shedding light on cybersecurity and emerging technology challenges. The series aims to offer clear expert insights helping policymakers, researchers, and practitioners navigate evolving threats.