The Flip Side: How Ransomware can Transform Geopolitics

Bronte Munro | Cyber and Technology Fellow


Although ransomware is considered a new phenomenon, the first ransomware attack occurred in 1989, and attacks have been increasing in frequency ever since. Historically, the practice of ransom involved the payment of large sums of money in exchange for the return of stolen assets that were of value to the victim. Ransomware is the technological iteration of this concept and refers to malware that is typically used to maliciously encrypt a victim’s data or deny access to it until a ransom is paid.


The Rise of Ransomware

The criminal application of ransomware is increasing, with dark web marketplaces offering subscription RaaS (ransomware as a service) packages for as little as USD$40 a month. The consequences of this accessibility are evident in a 2021 Trend Micro study that reported 84 per cent of surveyed organisations had experienced a ransomware-type attack in the previous 12 months. Highly publicised attacks such as the Colonial Pipeline and JBS ransomware attacks that occurred in May 2021 further indicate the increasing use of ransomware by financially motivated criminal organisations, who target large corporations and critical infrastructure providers due to the significant financial reward they can extort. These types of organisations are also particularly vulnerable as they often cannot easily implement real-time offline backups, which increases the probability of them paying large ransoms to resume normal operation.


The advantages of ransomware are increasingly being realised by independent and state-sanctioned criminal actors alike. As a result, international discussion is emerging around establishing ‘off-limit’ targets, due to the highly disruptive effect ransomware is having on critical infrastructure and healthcare providers. Whilst state-sponsored actors are engaging with ransomware, the overt application of ransomware as a geopolitical tool remains largely unexplored. In particular, there is much potential for ransomware to function as a solution to the enduring question of how states proportionally respond to malicious cyber-attacks. Ransomware is unique in that it offers states an exclusive and targeted means of engagement, as it can disrupt organisations, including governments, through the encryption of data until the attacking state decides to ‘unlock it’. This arguably offers governments an ability to exert force without major physical or virtual ramifications in instances when soft power diplomacy tactics fail. This force is particularly effective if ransomware targets are carefully chosen to ensure that the assets encrypted are of immense value, but not capable of infringing on the physical safety of individuals.


New Norms in Cyberspace

Whilst the advent of new weaponry and technology has not historically contributed to global peace, ransomware arguably bridges the gap between conflict in cyberspace and conventional military engagement. The anonymity of cyberspace enables states to act offensively with little risk of attribution and without causing significant physical harm. Conversely, the application of ransomware for geopolitical purposes would require the disclosure of the attacking state’s motivation and ransom conditions. Consequently, this creates a means of engagement that is transparent and non-violent in instances where diplomacy fails, and conventional warfare is inappropriate.


Instances of state-sanctioned ransomware attacks have already been reported, with the Institute of Security and Technology’s Ransomware Task Force Report indicating that some criminal organisations operate with impunity, as the governments of their countries are unwilling or unable to prosecute them. The use of ransomware by states seeking to evade sanctions has also been reported. However, the application of ransomware as a geopolitical tool that seeks ransom in the form of a diplomatic outcome is relatively novel and would subsequently stimulate a shift in the cyber threat landscape.


A key feature of ransomware’s accessibility is that it gives less economically and militarily powerful nations the ability to leverage this technology against larger states. Ransomware tools and services are comparatively cheaper than military equipment, and potential targets (particularly in highly technically advanced nations) are plentiful. This is evident in the 2021 Saudi Aramco cyber-attack, in which Iran was able to inflict considerable harm on US economic interests, an opportunity they may not have had outside of cyberspace. This accessibility is also an indication that ransomware is highly likely to be used by less conventionally powerful states in the future. Whilst this is not an attractive incentive for traditionally powerful states, it indicates that a shift in conventional power dynamics is likely to occur and reinforces the need for international discussion around cyber weapon regulation and behaviours.


New Opportunities for Engagement

The emergence of ransomware in a geopolitical context is largely inevitable and likely already being considered by governments, as more organisations fall victim to the criminals who utilise it. States are currently testing the offensive freedoms that cyberspace enables; however, as engagement becomes more aggressive, the likelihood of victims responding using conventional military warfare is only going to increase. The application of ransomware to achieve geopolitical outcomes should be taken as an opportunity by states to engage in more transparent discussion around acceptable cyberspace behaviours and norms. The importance of such conversations in curbing the increasingly reckless offensive state behaviour in cyberspace should not be ignored.



Bronte Munro is the Cyber and Technology Fellow for Young Australians in International Affairs.