By visiting our site, you agree to our privacy policy regarding cookies, tracking statistics, etc.

Pharos Report No. 3: Ransomware’s New Masters: How States Are Hijacking Cybercrime

The third report in the Pharos Series, Ransomware’s New Masters: How States Are Hijacking Cybercrime is authored by Aleksandar Milenkoski, Jiro Minier, Julian-Ferdinand Vögele, Max Smeets, and Taylor Grossman

Ransomware has evolved into one of the most pervasive cyber threats, with high-profile incidents disrupting government organizations and private companies alike. Beyond their financial impact, these attacks now pose direct risks to human safety. While ransomware has long been associated with non-state criminal actors, state-linked actors are increasingly deploying it to achieve their objectives as well. 

This report provides a comparative analysis of ransomware use by groups linked to four states: Russia, China, North Korea, and Iran. The authors find that divergent motives and operational ecosystems contribute to varying uses of state-linked ransomware to gain strategic advantages. 

Russian state-linked groups primarily leverage ransomware as an operational tool in high-tempo conflicts like Ukraine, while China often aims to enhance plausible deniability for espionage activity. Iranian actors most frequently deploy ransomware for disruption, popular perception, and reputation, particularly targeting Israeli organisations. Meanwhile, the evolution of North Korean activity reflects a focus on strategic and tactical financial gain. 

Concurrently, however, the authors find that a degree of convergence can be observed in the state-linked use of ransomware. These convergences include the adoption of best practices from cybercriminal ransomware operations and the increasing involvement of state-linked actors within cybercriminal ransomware ecosystems, not only as beneficiaries but also as active participants.

This report was developed in partnership with SentinelLabs, Deutsche Cyber-Sicherheitsorganisation (DCSO), and Recorded Future

Read the full report below.

This report is a part of the Pharos Series, a new series shedding light on cybersecurity and emerging technology challenges. The series aims to offer clear expert insights helping policymakers, researchers, and practitioners navigate evolving threats.

Author

Home

Similar posts

Research & Analysis

Pharos Report No. 4 | Assessing the Impact of Ransomware Interventions and Countermeasures: A Framework

The fourth report of the Pharos Series, a joint project of Virtual Routes and Royal United Services Institute (RUSI), is authored by Max Smeets, Jamie MacColl, Sophie Williams-Dunning and Bob Herczeg.
Read more
Research & Analysis

Three insights from the latest countermeasures tracker update

We have updated the Virtual Routes Ransomware Countermeasures Tracker with over 50 new cases from the period between May and November 2025.
Read more
Research & Analysis

Apolline Rolland presents REMIT research at the 2025 Conference on International Cyber Security

At the 2025 Conference on International Cyber Security, we joined a vibrant discussion on how states, technologies, and private actors are reshaping the boundaries of espionage and governance in the digital realm, representing EU-funded REMIT project.
Read more

Thank you for signing up to our newsletter!

Thank you! RSVP received for Pharos Report No. 3: Ransomware’s New Masters: How States Are Hijacking Cybercrime

Pharos Report No. 3: Ransomware’s New Masters: How States Are Hijacking Cybercrime

Loading...

Loading…