The Turn to Offense
In November 2021, US Cyber Command publicly confirmed it had conducted offensive operations against REvil ransomware infrastructure — the first open acknowledgment that military cyber capabilities were being deployed against criminal, rather than state, targets. The operation redirected REvil's Tor-based payment infrastructure, disrupting the group's ability to collect ransoms from active victims.
Since then, offensive operations against ransomware have become a routine tool of statecraft. The FBI's infiltration and seizure of Hive's infrastructure in January 2023, the international takedown of LockBit in February 2024, and the sustained campaign against BlackCat/ALPHV demonstrated escalating ambition and coordination. By 2025, the pace had increased further — with the US, UK, Netherlands, and Australia conducting what amounts to a persistent engagement campaign against ransomware as a category.
47
Offensive operations
Publicly acknowledged in 2025
30-60 days
Disruption window
Average before group reconstitution
$1.1B
Ransoms paid in 2025
Despite increased disruption efforts
The Deterrence Analogy and Its Limits
Policymakers have frequently invoked the language of deterrence when discussing offensive cyber operations against ransomware. The logic appears straightforward: by imposing costs on attackers — disrupting their infrastructure, seizing their cryptocurrency, and degrading their operational capability — rational criminal actors will calculate that the risks of ransomware operations exceed the expected returns.
This analogy, drawn from nuclear deterrence theory and adapted through the Cyber Deterrence literature, breaks down on contact with the ransomware ecosystem's actual structure:
Decentralized actors: Deterrence requires a unitary rational actor who can receive and process cost signals. The ransomware-as-a-service (RaaS) model distributes agency across developers, operators, affiliates, initial access brokers, and money launderers — none of whom individually controls the enterprise.
Low barriers to reconstitution: Unlike nuclear weapons programs, ransomware infrastructure can be rebuilt in days. Source code leaks (Conti, LockBit builder) mean that new groups can stand up operations without developing capabilities from scratch.
Safe harbors: Deterrence assumes the target has something to lose. Operators residing in Russia, where law enforcement will not act against groups targeting Western victims, face minimal personal risk regardless of infrastructure disruption.
Affiliate migration: When a RaaS brand is disrupted, its affiliates — the operators who actually conduct attacks — migrate to competing services within days. The LockBit takedown demonstrated this: within 45 days, former LockBit affiliates appeared operating under RansomHub, Qilin, and Akira banners.
