We have updated the Virtual Routes Ransomware Countermeasures Tracker with over 50 new cases from the period between May and November 2025. This period does not mark a dramatic shift in how governments respond to ransomware, but it does highlight several developments that stand out when placed against the broader historical dataset. These developments appear gradually, across concrete investigations, arrests, infrastructure takedowns, public warnings, and financial-enforcement actions. Taken together, they help clarify how states are adapting their approach to disrupting ransomware.
The three developments below stand out most clearly in this latest update:
1. There is a greater emphasis on supporting infrastructure/services
The DanaBot cases from early May illustrate this development well. DanaBot is not a ransomware strain but a malware loader that criminal groups use to gain initial access to systems; disrupting it affects multiple ransomware operations downstream. In this coordinated action, authorities pursued the operators of the loader, arrested individuals in several countries, and seized the servers used to manage infected machines. This operation spanned the United States, Germany, the Netherlands, and Australia.
Alongside this came actions against Black Kingdom and DoppelPaymer affiliates, but the ecosystem-level focus – on delivery mechanisms, infrastructure operators, and supporting services – is what sets these cases apart.
Earlier years contain similar actions, but they appear more sporadically. In this period, they form a consistent thread running through the new cases.
2. We see more routine cross-border operations
While joint actions have long been part of counter-ransomware work, cases in this period show a steadier rhythm of international cooperation. Several of the November entries reflect continued international targeting of infrastructure related to Operation Endgame, a multi-phase campaign originally launched to disrupt malware droppers like IcedID, TrickBot successors, and other components used by major ransomware groups.
The DanaBot intervention also spanned four countries, coordinating server seizures and arrests across the United States, Germany, the Netherlands, and Australia. In another case, the arrest and extradition of a Ukrainian suspect to the United States required coordinated action across Europe and North America.
Together, these examples suggest that the cooperative frameworks developed over the last decade are now being applied more frequently and operationally, rather than only during major, headline-driving takedowns.
3. European agencies are playing a more active role in arrests and convictions
The conviction of a Belarusian hacker by French authorities – after a long-running investigation into intrusions against French regional institutions – highlights Europe’s expanding judicial footprint. In early May, an Irish court sentenced a cybercriminal involved in ransomware-linked fraud, adding to the growing list of European-led prosecutions. We also saw additional arrests and server seizures by the Netherlands, Germany, Spain, and Moldova over the past few months.
This does not displace the longstanding dominance of US indictments, but it adds a more balanced geographical spread to enforcement activity than seen in earlier stretches of the dataset.
—
Overall, the latest update to the tracker adds nuance to the long-term picture. Governments continue using familiar tools (arrests, indictments, extraditions, server seizures, advisories), but their application shows a more consistent focus on the ransomware ecosystem, more routine international cooperation, and stronger European leadership.