THE CYBEROBSERVER
Ransomware Deterrence: Can Offensive Cyber Operations Disrupt Criminal Ecosystems?
Cyber ThreatDigital Policy

Ransomware Deterrence: Can Offensive Cyber Operations Disrupt Criminal Ecosystems?

Western governments have increasingly turned to offensive cyber operations against ransomware infrastructure. The results are mixed — disruptions are real but temporary, and the strategic logic of deterrence maps poorly onto decentralized criminal ecosystems.

Marcus Chen

Senior Threat Intelligence Analyst

Cyber Threat
5 Jun 20264 min read

The Turn to Offense

In November 2021, US Cyber Command publicly confirmed it had conducted offensive operations against REvil ransomware infrastructure — the first open acknowledgment that military cyber capabilities were being deployed against criminal, rather than state, targets. The operation redirected REvil's Tor-based payment infrastructure, disrupting the group's ability to collect ransoms from active victims.

Since then, offensive operations against ransomware have become a routine tool of statecraft. The FBI's infiltration and seizure of Hive's infrastructure in January 2023, the international takedown of LockBit in February 2024, and the sustained campaign against BlackCat/ALPHV demonstrated escalating ambition and coordination. By 2025, the pace had increased further — with the US, UK, Netherlands, and Australia conducting what amounts to a persistent engagement campaign against ransomware as a category.

47

Offensive operations

Publicly acknowledged in 2025

30-60 days

Disruption window

Average before group reconstitution

$1.1B

Ransoms paid in 2025

Despite increased disruption efforts

The Deterrence Analogy and Its Limits

Policymakers have frequently invoked the language of deterrence when discussing offensive cyber operations against ransomware. The logic appears straightforward: by imposing costs on attackers — disrupting their infrastructure, seizing their cryptocurrency, and degrading their operational capability — rational criminal actors will calculate that the risks of ransomware operations exceed the expected returns.

This analogy, drawn from nuclear deterrence theory and adapted through the Cyber Deterrence literature, breaks down on contact with the ransomware ecosystem's actual structure:

  • Decentralized actors: Deterrence requires a unitary rational actor who can receive and process cost signals. The ransomware-as-a-service (RaaS) model distributes agency across developers, operators, affiliates, initial access brokers, and money launderers — none of whom individually controls the enterprise.

  • Low barriers to reconstitution: Unlike nuclear weapons programs, ransomware infrastructure can be rebuilt in days. Source code leaks (Conti, LockBit builder) mean that new groups can stand up operations without developing capabilities from scratch.

  • Safe harbors: Deterrence assumes the target has something to lose. Operators residing in Russia, where law enforcement will not act against groups targeting Western victims, face minimal personal risk regardless of infrastructure disruption.

  • Affiliate migration: When a RaaS brand is disrupted, its affiliates — the operators who actually conduct attacks — migrate to competing services within days. The LockBit takedown demonstrated this: within 45 days, former LockBit affiliates appeared operating under RansomHub, Qilin, and Akira banners.

Full analysis continues below

Register to read the complete assessment

The Cyber Observer is independent — no advertising, no vendor sponsorship, no editorial constraints. Registration gives you full access to all articles and briefings for 12 months. No payment required.

Register — 12 months free

Email only. No card. Unsubscribe anytime.