Global Policy Feedback

Ransomware poses a distinctive challenge to international governance—it operates without regard for borders, while laws and enforcement remain largely confined to individual nations. Divergent legal frameworks and inconsistent application of cybercrime laws create “safe zones” where ransomware groups can operate with minimal risk. Even when perpetrators are identified, tracking their cryptocurrency transactions remains difficult due to privacy coins, mixing services, and decentralized exchanges. This section explores how international and national entities have responded to ransomware through policy and law.

Organizations such as the United Nations have made efforts to address the fragmented state of global cybersecurity governance. The Open-Ended Working Group (OEWG) on the security of information and communication technologies (ICTs), established under UN General Assembly Resolution 75/240, was tasked with developing global norms for responsible state behavior and clarifying how international law applies to cyberspace (United Nations General Assembly). Its initiatives include a Global Points of Contact Directory, a secure communication network designed to enable quick cooperation among member states during cyber incidents, maintained through semiannual updates. Additionally, the OEWG promoted capacity-building measures such as mentoring Computer Emergency Response Teams (CERTs) and Computer Security Incident Response Teams (CSIRTs). In July 2025, the group’s Final Report was adopted by consensus, calling for a permanent Global Mechanism to sustain these efforts—marking one of the most significant steps yet toward a coordinated global cybersecurity framework (“OEWG 2021–2025 Adopts Its Final Report”).

The European Union has pursued a harmonized strategy through the NIS2 Directive, which updates the 2016 Network and Information Security Directive. The revised framework expands coverage to 18 critical sectors, including energy, transport, and digital services (European Commission). It also tightens reporting obligations, requiring entities to “take appropriate security measures and notify incidents to national authorities or CSIRTs within 24 hours as an early warning, and within 72 hours with a full incident report” (European Union Agency for Cybersecurity).

In contrast, the United States maintains a more decentralized structure. Cyber incident reporting remains largely state-based, though federal legislation such as the Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA) of 2022 requires key organizations—such as energy firms, hospitals, and banks—to report significant cyber incidents within 72 hours of discovery (CISA, “Cyber Incident Reporting for Critical Infrastructure Act of 2022”). Despite this, states retain their own cybersecurity rules. In 2022, “48 states and Puerto Rico introduced or reviewed over 500 cybersecurity-related bills or resolutions, and by 2025, at least 19 states had enacted 28 bills and passed 15 resolutions” (“Cybersecurity 2025 Legislation”).

China has taken the opposite approach by centralizing control through stringent laws and total bans on cryptocurrency. In 2021, the country outlawed all crypto trading, mining, and holding to curb financial crime and block ransomware payments (“China Bans Financial, Payment Institutions from Cryptocurrency Business”). Alongside this, Beijing has introduced powerful data governance frameworks—the Cybersecurity Law, Data Security Law, and Personal Information Protection Law—which collectively allow authorities to oversee data handling and ensure compliance. These laws “will come into force on January 1, 2025” (Interesse). Together, these actions demonstrate how nations are taking vastly different regulatory paths to address ransomware.

Despite coordination difficulties, recent international law enforcement operations highlight growing success. Europol’s Operation ENDGAME, carried out from May 19–22, 2025, dismantled “300 servers, neutralized 650 domains, and issued international warrants for 20 individuals, striking at the heart of ransomware operations” (“Operation ENDGAME Strikes Again: The Ransomware Kill Chain Broken at Its Source”). Similarly, INTERPOL’s Operation Serengeti, conducted between September and October 2024, dismantled ransomware and financial fraud networks across several African nations, resulting in “over 1,000 arrests, the takedown of 134,000 malicious infrastructures, and identification of more than 35,000 victims” (INTERPOL).

However, uneven cryptocurrency regulation remains a major obstacle. A 2025 Financial Action Task Force (FATF) assessment revealed that only 29% of 138 jurisdictions were “generally compliant” with its standards for virtual assets and service providers (FATF). This lack of alignment enables ransomware operators to move illicit funds across jurisdictions with weaker oversight, perpetuating a cycle of global cybercrime.

The Catalyst