Pharos Report No. 3: Ransomware’s New Masters: How States Are Hijacking Cybercrime

The third report in the Pharos Series, Ransomware’s New Masters: How States Are Hijacking Cybercrime, is authored by Aleksandar Milenkoski, Jiro Minier, Julian-Ferdinand Vögele, Max Smeets, and Taylor Grossman.

Ransomware has evolved into one of the most pervasive cyber threats, with high-profile incidents disrupting government organizations and private companies alike. Beyond their financial impact, these attacks now pose direct risks to human safety. While ransomware has long been associated with non-state criminal actors, state-linked actors are increasingly deploying it to achieve their objectives as well. 

This report provides a comparative analysis of ransomware use by groups linked to four states: Russia, China, North Korea, and Iran. The authors find that divergent motives and operational ecosystems contribute to varying uses of state-linked ransomware to gain strategic advantages. 

Russian state-linked groups primarily leverage ransomware as an operational tool in high-tempo conflicts like Ukraine, while China often aims to enhance plausible deniability for espionage activity. Iranian actors most frequently deploy ransomware for disruption, popular perception, and reputation, particularly targeting Israeli organisations. Meanwhile, the evolution of North Korean activity reflects a focus on strategic and tactical financial gain. 

Concurrently, however, the authors find that a degree of convergence can be observed in the state-linked use of ransomware. These convergences include the adoption of best practices from cybercriminal ransomware operations and the increasing involvement of state-linked actors within cybercriminal ransomware ecosystems, not only as beneficiaries but also as active participants.

This report was developed in partnership with SentinelLabs, Deutsche Cyber-Sicherheitsorganisation (DCSO), and Recorded Future.

Read the full report below.

