Day 0 Event #258 Nowhere to Hide Accountability to Fight Global Ransomware
23 Jun 2025 14:30h - 15:45h
Session at a glance
Summary
This panel discussion, titled “Nowhere to Hide, Accountability to Fight Global Ransomware,” brought together international experts to address the escalating global ransomware threat. Moderated by Giacomo Paoli Persi from UNIDIR, the panel featured representatives from Australia’s cyber affairs, El Salvador’s UN mission, Microsoft, and the Cyber Peace Institute. The discussion opened with alarming statistics showing ransomware attacks have increased by nearly 300% in the past year, with Microsoft tracking over 600 million cyber attacks daily.
Ambassador Brendan Dowling emphasized that ransomware has evolved from a cybersecurity issue into a national security threat, citing examples of attacks on small Pacific Island nations like Tonga’s health system and Australia’s Medibank incident affecting 10 million citizens. The panelists identified several key factors driving ransomware growth: the emergence of “ransomware as a service” models that lower barriers to entry, the use of cryptocurrency enabling anonymous payments, and the existence of safe havens where cybercriminals operate with impunity, particularly in Russia.
Julie Rodriguez Acosta highlighted how the attack on Costa Rica’s government infrastructure served as a wake-up call for Latin American nations, demonstrating ransomware’s potential to disrupt essential public services and undermine governance. The Cyber Peace Institute presented preliminary research findings showing that of 300 analyzed threat actors, 54% of those attributed were linked to Russia, with over 2,700 incidents recorded across 90 countries, primarily targeting healthcare and U.S. organizations.
The discussion emphasized that effective countermeasures require coordinated international cooperation, moving beyond viewing ransomware as merely a technical problem to recognizing it as a societal threat requiring whole-of-nation responses. Panelists stressed the importance of meaningful public-private partnerships, capacity building across different regions, and the need for states to implement stronger accountability mechanisms while supporting vulnerable organizations that lack cybersecurity resources.
Keypoints
## Major Discussion Points:
– **Ransomware as a National Security Threat**: The panel emphasized that ransomware has evolved beyond a cybersecurity issue to become a national security crisis affecting critical infrastructure, healthcare systems, and essential government services. Examples included attacks on Tonga’s National Health Information Service and Costa Rica’s government infrastructure, demonstrating how these attacks impact entire societies rather than just individual organizations.
– **Evolution of the Ransomware Ecosystem**: Speakers discussed how ransomware has become industrialized through “ransomware-as-a-service” models, lowering barriers to entry for cybercriminals. The threat landscape has been further complicated by cryptocurrency enabling anonymous payments, AI enhancing attack sophistication, and the emergence of specialized roles like initial access brokers.
– **Safe Havens and Attribution Challenges**: A significant focus was placed on how ransomware groups operate with impunity from certain jurisdictions, particularly Russia, where there are limited legal consequences. The panel discussed various accountability mechanisms including sanctions, law enforcement cooperation, and active disruption measures, while acknowledging their limitations.
– **Public-Private Collaboration Models**: The discussion explored successful partnerships between government and private sector entities, including Microsoft’s pilot program with Europol and Australia’s approach of embedding government cyber experts in private companies during incidents. The importance of information sharing and moving away from treating ransomware as a private sector problem was emphasized.
– **Data-Driven Analysis and Global Mapping**: The Cyber Peace Institute presented preliminary findings from their global ransomware mapping project, showing that 54% of attributed threat actors are linked to Russia, with healthcare being the most targeted sector. This research highlighted the need for evidence-based approaches to understanding and combating ransomware.
## Overall Purpose:
The discussion aimed to bring together diverse stakeholders (government officials, NGOs, private sector, and international organizations) to examine the evolving ransomware threat landscape and explore collaborative approaches to accountability, prevention, and response. The panel sought to move beyond viewing ransomware as merely a technical issue and instead frame it as a global security challenge requiring coordinated international action.
## Overall Tone:
The discussion maintained a serious and urgent tone throughout, reflecting the gravity of the ransomware threat. Speakers consistently emphasized the escalating nature of the problem and the inadequacy of current responses. While acknowledging some positive developments (like improved detection rates and international cooperation initiatives), the overall sentiment was one of concern about the growing sophistication and impact of ransomware attacks. The tone was collaborative and solution-oriented, with speakers building on each other’s points and emphasizing the need for multi-stakeholder cooperation, though there was an underlying frustration with the persistence of safe havens and the challenges of attribution and accountability.
Speakers
– **Giacomo Paoli Persi** – Head of the Security and Technology Program at the United Nations Institute for Disarmament Research (UNIDIR), Panel Moderator
– **Brendan Dowling** – Ambassador for Cyber Affairs and Critical Technology of Australia
– **Julie Rodríguez Acosta** – Minister Counselor for the Permanent Mission of El Salvador to the United Nations
– **Francesca Bosca** – Chief Strategy Officer at the Cyber Peace Institute
– **Chelsea Smethurst** – Director for Cyber Policy and Diplomacy at Microsoft
– **Nedalcho Mihay** – Cyber Threat Analyst with the Cyber Peace Institute
– **Vilda** – Criminologist (audience member who asked a question, identified herself as having written a master’s thesis on ransomware)
**Additional speakers:**
None identified beyond the speakers names list.
Full session report
# Comprehensive Report: “Nowhere to Hide, Accountability to Fight Global Ransomware” Panel Discussion
## Executive Summary
This panel discussion, moderated by Giacomo Paoli Persi from the United Nations Institute for Disarmament Research (UNIDIR), brought together international experts to address the escalating global ransomware crisis. The discussion featured Ambassador Brendan Dowling (Australia’s Ambassador for Cyber Affairs and Critical Technology), Julie Rodríguez Acosta (Minister Counselor for El Salvador’s UN Mission, participating remotely from New York), Francesca Bosca (Chief Strategy Officer at the Cyber Peace Institute), Chelsea Smethurst (Director for Cyber Policy and Diplomacy at Microsoft), and Nedalcho Mihay (Cyber Threat Analyst with the Cyber Peace Institute).
The panel opened with alarming statistics demonstrating significant increases in ransomware attacks, with Microsoft tracking over 600 million cyber attacks daily and 415,000 attacks per minute. The discussion fundamentally reframed ransomware from a technical cybersecurity issue into a comprehensive national security threat requiring whole-of-society responses, with vivid examples ranging from attacks on small Pacific Island nations to major incidents affecting millions of citizens.
## Opening Context and Threat Landscape
### Why Ransomware Persists Despite Awareness
Giacomo Paoli Persi opened the discussion by addressing a fundamental question: why ransomware continues to proliferate despite being a well-known threat. He identified three key factors: technology factors that make ransomware accessible, the availability of commercial off-the-shelf tools that lower barriers to entry, and systemic failures in countermeasures that allow the threat to persist.
### Unprecedented Growth Statistics
Chelsea Smethurst provided sobering statistics from Microsoft’s threat intelligence, revealing that the company tracks “over 600 million cyber attacks daily” and “415,000 attacks a minute.” She reported a 275% increase in ransomware usage over 12 months, establishing the dramatic scale of the current threat landscape.
Francesca Bosca supplemented these figures with financial data, noting that according to Chainalysis, “victims paid more than 1 billion US dollars in 2023” to ransomware operators, demonstrating the massive economic impact of these attacks.
## Ransomware as a National Security Threat
### Real-World Humanitarian Impact
Ambassador Brendan Dowling provided compelling examples that demonstrated how ransomware transcends traditional cybersecurity boundaries to become a humanitarian crisis. His description of the situation in Tonga was particularly striking: “Last week, the National Health Information Service in Tonga was shut down by a ransomware attack. We have deployed a team from Australia to assist them with recovery… At the moment, in hospitals in Tonga, people are using paper and pen to deliver healthcare to their people.”
Even more profound was Dowling’s account of the cascading social consequences from Australia’s Medibank incident, which affected 10 million citizens. He revealed that “we saw women and families facing domestic violence from partners who weren’t aware of the health treatment that their spouse or their mother or their sister had been seeking, and had to be moved to safe houses to escape violent partners or former partners.” This example powerfully illustrated how data breaches can trigger real-world violence and endanger lives.
### Impact on State Capacity and Governance
Julie Rodríguez Acosta provided insights into how ransomware affects state capacity, drawing on the experience of Costa Rica’s government infrastructure attack. She explained that such attacks can “disrupt essential public services and compromise the confidentiality of citizens’ personal data,” ultimately undermining “public trust in the state’s ability to secure digital systems.”
## The Ransomware-as-a-Service Ecosystem
### Industrialization of Cybercrime
Dowling provided detailed insights into the sophisticated business model behind modern ransomware operations, describing “a service industry where you can talk to a liaison person or a broker who will connect you with the person who will conduct the initial attack on a system.” He noted that “most ransomware groups will just take 20% of the profit” from attacks they facilitate.
Bosca highlighted the role of specialized actors within this ecosystem, including initial access brokers who sell access to compromised networks, facilitating ransomware deployment by other actors. This division of labor has significantly lowered barriers to entry for conducting sophisticated attacks.
## Data-Driven Analysis of Global Ransomware Patterns
### Cyber Peace Institute Research Findings
Despite technical difficulties with screen sharing, Nedalcho Mihay presented preliminary findings from the Cyber Peace Institute’s comprehensive global ransomware mapping project. Their analysis of 2,717 ransomware incidents across 90 countries revealed that over half targeted US organizations, with healthcare being the most affected sector.
The attribution data showed that while 52% of analyzed threat actors remain unattributed, among the 300 threat actors they could identify, 54% of those attributed were linked to Russia. This finding reinforced concerns about safe haven jurisdictions and the concentration of ransomware operations in specific geographic regions.
## Enabling Factors and Criminal Infrastructure
### Cryptocurrency as a Fundamental Enabler
Dowling made a striking assertion about cryptocurrency’s role: “this crime type didn’t exist before cryptocurrency. Cryptocurrency enabled the long-range launching of ransomware attacks across the globe.” This insight identified cryptocurrency as a fundamental enabler that transformed ransomware from a localized nuisance into a global threat.
### Safe Haven Jurisdictions
Throughout the discussion, speakers consistently identified safe haven jurisdictions as a critical enabling factor. Smethurst emphasized that “safe havens where ransomware groups operate with impunity, primarily in Russia, enable continued criminal activity.” The attribution data showing the concentration of threat actors linked to Russia reinforced this concern.
### Targeting Vulnerable Infrastructure
Chelsea Smethurst provided a crucial statistic: “over 90% of successful ransomware attacks target unmanaged devices,” highlighting how attackers focus on organizations with limited defensive capabilities. This targeting pattern creates a cycle where those least able to defend themselves become the most attractive targets.
## Response Mechanisms and International Cooperation
### Government Responses and Active Disruption
Dowling outlined Australia’s multi-faceted approach, which includes “financial sanctions, travel restrictions, and active disruption of ransomware infrastructure.” Australia has also implemented practical support measures, such as deploying assistance teams to help Tonga recover from ransomware attacks, and is introducing a ransomware payment reporting scheme.
### International Frameworks
Rodríguez Acosta emphasized the role of international frameworks, noting that “the UN framework for responsible state behavior includes norms about preventing malicious actors from operating with impunity.” She highlighted El Salvador’s advocacy for including ransomware discussions in UN mechanisms and leveraging international cooperation through UN, OAS, and bilateral partnerships.
## Public-Private Collaboration and Emerging Technologies
### Innovative Partnership Models
Smethurst described a pilot program with Europol announced “earlier this month,” representing novel approaches to combining private sector technical capabilities with government investigatory powers. Dowling emphasized the importance of “creating safe spaces for information sharing without regulatory consequences.”
### Artificial Intelligence and Future Threats
The discussion touched on AI’s dual role in ransomware. Rodríguez Acosta noted that AI enhances “sophistication of social engineering and phishing campaigns,” while Smethurst expressed interest in “how creative uses of artificial intelligence tools will evolve to counter ransomware in the coming years.”
### Blockchain Technology Questions
An audience question about blockchain technology revealed that speakers acknowledged their knowledge was outdated in this area. Bosca expressed specific interest in exploring “how to use blockchain for ransomware resistance and incident attribution” and “how you can integrate blockchain with AI for automated threat detection.”
## Capacity Building and Multi-Stakeholder Approaches
### Addressing Global Disparities
Bosca emphasized that “inclusive capacity building across different sectors and geographies is essential for meaningful collaboration,” noting significant disparities in cybersecurity capabilities. She advocated for expanding collaboration beyond government-private sector partnerships to include civil society organizations for “victim-centered responses and ethical frameworks.”
### Supporting Vulnerable Nations
The discussion highlighted how smaller nations address capability gaps through international cooperation. Rodríguez Acosta explained how “small nations like El Salvador leverage international cooperation through UN, OAS, and bilateral partnerships to combat ransomware.”
## Key Challenges and Future Directions
### Persistent Implementation Challenges
Despite broad agreement on the nature of the threat, several challenges remain unresolved. The non-cooperation of safe haven jurisdictions, particularly Russia, represents a significant ongoing obstacle. The development of scalable models for public-private collaboration that can be replicated globally also requires further work.
### Research and Development Needs
The discussion identified several areas requiring further attention, including the development of victim-centered response protocols, ethical frameworks for ransomware incidents, and research into emerging technologies like blockchain applications for cybersecurity.
## Conclusion
This comprehensive panel discussion successfully demonstrated the evolution of ransomware from a technical cybersecurity issue to a multifaceted crisis requiring coordinated international response. The speakers showed remarkable consensus on the nature and scale of the threat, while identifying practical approaches for enhanced collaboration and response.
The discussion’s strength lay in its integration of diverse perspectives from government, private sector, civil society, and international organizations. The vivid examples of real-world impact effectively demonstrated why ransomware requires urgent, comprehensive action that goes beyond traditional cybersecurity approaches.
Moving forward, the challenge lies in translating shared understanding into effective implementation, scaling successful collaboration models, and addressing the fundamental enablers that allow ransomware operations to continue with relative impunity. The innovative approaches discussed provide promising templates, but sustained international cooperation will be essential to address this evolving global threat.
Session transcript
Giacomo Paoli Persi: Good afternoon, ladies and gentlemen. It is my pleasure to welcome you to this panel titled Nowhere to Hide, Accountability to Fight Global Ransomware. My name is Giacomo Persi Paoli, I’m the head of the security and technology program at the United Nations Institute for Disarmament Research, UNIDIR, and I have the pleasure of being your moderator today. So welcome, whether you’re joining us here in person in Oslo or online, we really look forward to engaging with you throughout this event. If you’re following us here in the room, please be mindful that you have to wear your headset and we are actually broadcasting on channel five for this meeting. Over the course of the panel, there will be the opportunity for you to engage with our expert speakers and ask questions. If you are here in the room, you will see microphones at the periphery of the seating area and if you are online, please do submit your questions in the chat. We have a dedicated moderator that will be passing them on to me and then I will extend them to our expert speakers. So why ransomware? Well, ransomware has emerged as an urgent global challenge with attacks growing by nearly 300% last year alone. Now ransomware in itself is a new. So the question comes, how is it possible that despite the fact that we all know what ransomware is, it’s still having such a devastating impact on cyber security? How come that these percentages keep growing? And that’s probably a combination of different factors. On one side, there is definitely the technology factor, the technology factor that is making these ransomware campaigns more complex, more sophisticated, more difficult to detect, quicker to deploy at scale. 
There is also another evolution of the threat landscape, which is the emergence of commercial off-the-shelf ransomware tools or cybercrime as a service that has really broadened the base and lowered the barriers for cybercriminals that are willing to engage in this malicious behavior. So, on one side, we have definitely the threat that is continuously evolving and becoming increasingly complex. And on the other side, we probably have a failure, a systemic failure to find the right countermeasures to mitigate this threat. And these countermeasures start from basic cyber hygiene of individuals and they escalate up to organizational and governmental and intergovernmental responses. So, through the panel today, we’re really hoping to get different perspectives from speakers that are representatives of different stakeholder communities that can really help us understand better not only how is the threat evolving, but also what can we do to monitor, to detect and to respond to such a ubiquitous threat as is ransomware. So, I’m very happy to be joined by great speakers today. I will introduce them. They’re both here in the room and joining us online. Starting here on my immediate left, Brendan Dowling, the Ambassador for Cyber Affairs and Critical Technology of Australia. On his left, Francesca Bosco, Chief Strategy Officer at the Cyber Peace Institute. Further down the table, we have Chelsea Smethurst, Director for Cyber Policy and Diplomacy at Microsoft. And joining us online, I hope, Julie, you can hear me. It’s Julie Rodriguez Acosta, Minister Counselor for the Permanent Mission of El Salvador to the United Nations. So, we will give each speaker an opportunity to share some of their initial remarks. And then we have structured this panel through a series of questions and answers. At any point, please do feel free to jump in.
There will be hopefully a dedicated time towards the end to collect your questions, but particularly for following us online, do not wait until that moment to start writing them in the chat. It will make our life a lot easier if you, you know, proactively start to asking your questions. So I would like now to give the floor to Ambassador Dowling here on my left for his remarks, please.
Brendan Dowling: Thanks Giacomo and thanks everyone for joining us. Ransomware is the most prominent cybersecurity threat that we’re facing globally. As Giacomo just went through, it is a sophisticated industry. It’s not new, but it is getting more effective. There is more money being made and then there are more criminal groups taking advantage of this crime type. Importantly, the way that the ransomware ecosystem has developed means it no longer, you no longer need to be a sophisticated cyber criminal group to be able to conduct a ransomware attack. We have this service industry where you can talk to a liaison person or a broker who will connect you with the person who will conduct the initial attack on a system. There will be people who will fence your data, the data for you, who will conduct each element of the operation for you. So it is now an accessible crime type. And for most ransomware groups, they will just take 20% of the profit from the attack that you conduct. So it’s become democratised, industrialised, and it is ubiquitous. What we’re seeing, what we’re worried about is that ransomware groups seem to be targeting the more smaller, more vulnerable parts of our society. They’ve realised that attacking large infrastructure, like with the Colonial Pipeline attack, is bad for business. It’s actually more effective to conduct a higher volume of attack, even if you’re extracting a lower value ransom. What we’re seeing at the moment in Pacific Islands, some countries with populations fewer than 100,000 people are being targeted by cybercrime groups operating out of Russia. Last week, the National Health Information Service in Tonga was shut down by a ransomware attack. We have deployed a team from Australia to assist them with recovery, but it’s astonishing that in a country the size of Tonga, one of the most remote islands in the Pacific, is being targeted, not at their government or business level, but the National Health Information Service.
At the moment, in hospitals in Tonga, people are using paper and pen to deliver healthcare to their people. Nurses are struggling to process and triage patients because of this attack. So for anyone who doubts how much of a scourge this crime type is globally, that is the sort of activity that we are seeing now. In Australia, we had an attack against the Medibank private health insurance company. 10 million Australians had their sensitive health data compromised. For anyone who thinks ransomware is a technical issue, out of that incident, we saw women and families facing domestic violence from partners who weren’t aware of the health treatment that their spouse or their mother or their sister had been seeking, and had to be moved to safe houses to escape violent partners or former partners. These are not cyber issues. These are not technical issues. These are whole of nation security and safety issues. What can we do about it? It’s really hard. This is a crime type that didn’t exist before cryptocurrency. Cryptocurrency enabled the long-range launching of ransomware attacks across the globe. So that financial… Financial innovation has made finding this crime much more difficult. We need better access to crypto exchanges, to sharing intelligence amongst national jurisdictions to try and disrupt those parts of the ecosystem. This is a crime type that relies on a lot of brokers, a lot of middle operators who make this system functional. We need to get better at disrupting the entire ecosystem. In Australia, we apply financial and travel sanctions against cybercrime actors. This is an important measure, but it’s a limited measure. We also engage in hard disruption of the ecosystem. Earlier this year, we fried the servers of the people who hosted the data in the ransomware attack against Medibank. But this crime type thrives because too many jurisdictions are not doing enough about it. 
National groups are operating out of safe harbours, safe jurisdictions, where there are few legal consequences. Primarily, these groups are operating out of Russia, not solely, but we need jurisdictions to take this more seriously. That’s why we supported mechanisms like the Cybercrime Convention to try and get more national jurisdictions to cooperate and work together to combat this crime type. Finally, attacks succeed because of basic vulnerabilities. It would be excellent if cybercriminals were forced to use their most sophisticated techniques, but they can get by exploiting common or known vulnerabilities because we’re not doing enough to patch, because technology companies are not making it easy enough to upgrade software and to replace end-of-life hardware. This needs to be a global response to hit all aspects of both the ecosystem in which this crime type thrives, but also how we better build up our resilience. We also need to talk about it more openly. There is a sense of shame amongst businesses or organisations or entities that no one wants to be open about this. And so I get attacked today and my neighbour gets attacked tomorrow because I didn’t share the information about it. So this is a really important conversation. This crime type is getting worse. It is targeting the most vulnerable. And at the moment we are not winning.
Giacomo Paoli Persi: Thank you. Thank you ambassador for starting us off, like touching on many points that I’m sure will be picked up by speakers in their remarks and definitely during our Q and A. I would like now to pivot online and welcome Julia connecting from New York. I hope you can hear me and see us okay. And Julia, if you’re ready, the floor is yours.
Julie Rodríguez Acosta: Thank you so much. I hope that you can see me and listen to me okay. Greetings for the hot New York City. Today is really, really hot. Let me begin by extending my sincere appreciation to the organizers for convening this timely and important discussions. I cannot think of a better group of stakeholders to reflect on how we can collectively counter the impacts of one of the most pressing information security threats of all time. My first point is that as I just mentioned, cyber crime is ransomware is just not a cyber crime. It has effectively evolved into a national security crisis around the globe. And its consequences are tangible and personal and affects individuals like you and me. Business, hospitals, schools, local governments, they all have been targets. No one is immune. So beyond these immediate impacts, ransomware also has broader implications for international peace and security, including its potential risks to the financing of weapons of mass destruction. So in this context, the United Nations continues to offer a platform to advance dialogue, promote international cooperation and build collective responses. Notably, ransomware was not included in the first annual progress report of the Open and Working Group that is currently addressing these issues in 2022. And as I say, ransomware. So, despite growing concern expressed by many delegations during that year’s discussions on existential threats to information security, El Salvador was among the groups of countries that advocated for its inclusions, and we were pleased to see ransomware formally acknowledged in the second Progress Annual Report. So, the ransomware attack that crippled Costa Rica’s government infrastructure set off a wake-up call for many. It demonstrated how ransomware can affect not only institutions, but also states’ ability to deliver essential services and maintain governance.
Since then, El Salvador has consistently advocated for a strong language that addresses ransomware directly, especially as we face new threats exacerbated by other emerging technologies like artificial intelligence. I was just, as was just mentioned, AI has enhanced the sophistication of social engineering and phishing campaigns, further expanding the ransomware threat landscape. We also support language reflecting concern over the rise of ransomware as a service model that allow individuals without technical backgrounds to launch highly disruptive attacks. This evolving business model significantly lowers the barrier to entry for cyber criminals and amplifies the capabilities of more technical, sophisticated actors. The threat to critical infrastructure and its potential implications for international peace and security must not be underestimated. We also have supported advancing a more holistic view of the ransomware ecosystem, one that includes effective prosecution, disruption of technical enablers, and also breaking the financial cycle that sustained the threat. One of the favorite elements that was introduced in the recent discussion is the recognition of the importance of a human-centric approach, one that prioritizes understanding and addressing the real-world impacts of individuals and communities. So still much remains to be done, from improving international cooperation and victim support to strengthening deterrence mechanisms, and also the adoption of common standards. I will stop here, but definitely I will look forward to hearing the perspective of other speakers and continue this critical conversation, and thank you so much for having me online.
Giacomo Paoli Persi: Thank you, Julia, for sharing your initial remarks. We’ll come back to you with a couple of questions. But now I would like to move to Francesca from the Cyber Peace Institute. We’ve heard already with the first two interventions how one of the main challenges about countering ransomware is actually our ability to track ransomware initiatives or campaigns and trace the various actors and their malicious actions. So Cyber Peace Institute has been working on something on this topic. So over to you.
Francesca Bosca: Thank you so much and thanks a lot to the organizers and to Giacomo’s moderator. It’s a pleasure to contribute to today’s discussion. Allow me indeed to give a bit of context on the work of the Institute to give also some food for thought for the discussion. The Cyber Peace Institute is an international non-governmental organization that is devoted to reduce the harms from cyber attacks on people’s lives by assisting vulnerable communities. And we do this in a very concrete way starting by analyzing cyber threats, hence also the participation today in advocating for responsible behavior in cyberspace based on the evidence that we gather. At the core what we do is indeed we conduct in-depth analysis of cyber incidents and thanks to this knowledge we both provide the free cybersecurity support to other civil society organizations and under-resourced organizations. And we use this knowledge to engage in international forums also like this one to promote a responsible behavior in cyberspace, emphasizing the human-centric approach and advocating for the protection of fundamental rights and freedoms online. And also by monitoring emerging technologies like Julie was just mentioning, artificial intelligence, also we anticipate how future cyber threats might impact on the threat landscape of vulnerable communities. As a tangible example of how we work and building on the excellent remarks that Giacomo, the Ambassador and Julie just mentioned on the prevalence of ransomware, giving also some concrete examples, we would like to contribute… Thank you to all of you for joining us today. Considering the persistence of ransomware threat actors and the increasing harm caused by ransomware operations worldwide, at the end of March we decided to have a sort of threat-focused type of analysis and type of work, which is the project that we are currently doing. 
Phase one is a global mapping of ransomware threat actors, their geographies, affiliations and targets, providing basically evidence-based support to stronger multilateral actions. And then phase two will evaluate the state compliance with the UN cyber norms, judicial cooperation, and the misuse also of the technical infrastructure, paving the way for more accountability mechanisms. If you allow me still, let’s say, five minutes, we would like to share with you the very first initial findings. And to do this, I’m joined by my colleague, Nedalcho, online, who will present the preliminary findings from our work. Nedalcho, the floor is yours.
Nedalcho Mihay: Hello. Thank you, Francesca. It’s a pleasure being here. And without further ado, I’ll share my screen now. Thanks. Just to make sure you can see it. Yeah. Is that good?
Giacomo Paoli Persi: Not yet, but I’m sure it will come soon. We still cannot see your screen, Nedalcho.
Francesca Bosca: We can see your name, but not your screen.
Nedalcho Mihay: I’m sorry. I don’t know.
Giacomo Paoli Persi: I’d like to then start the transition towards the more interactive part of the discussion, but I’m also looking at our colleagues in the back that are taking care of the tech. Whenever you are ready to show the screen, please just flag and we will go back to Nedalcho. So Chelsea, I’d like to come to you, first of all to thank you and Microsoft for convening this event and for the leadership that Microsoft has been showcasing in really promoting multi-stakeholder discussions on this interesting and important topic. I see that perhaps the screen issue has been resolved, but since we kind of see online an infinite repetition of the same screen, while the technology is still being sorted, perhaps I come to you, Chelsea, with the first question and then we can go back to Nedalcho, which is: how has the kind of global ransomware threat evolved in recent years and what trends are most concerning today? And this may be actually a very good introduction to then what Nedalcho is going to show.
Chelsea Smethurst: Yeah, fantastic. Thank you for inviting me. So I think just briefly, Microsoft produces a digital defence report annually, usually in October of every year, and what we’ve seen in terms of year-over-year changes for ransomware is a whopping 275% change just in the last 12 months in terms of increase in use of ransomware, and there’s really been two sort of accompanying trends that have gone with this ransomware. And I think the most significant thing is that we have seen two kinds of ransomware uptick that we’ve seen. One is, while we’ve seen the 275% use of over the last 12 months, we’ve also gotten better as a collective industry at actually defending against ransomware. And so we’ve seen, in terms of quantitative numbers, a 300% decrease in the overarching amount of ransomware that has gotten to the encryption phase, so what I sort of call the lockout phase. And that’s really significant, because once you get there, you’re really at the behest of the cybercriminals who are using the ransomware. I think, secondly, one other point I’ll make, too, is that while we’ve seen some positive numbers to account for that really large increase in the use of ransomware, what we have not seen is that over 90% of successful ransomwares really attack unmanaged devices. And so these are very much your entities, like hospitals or NGOs, which will continue to be targeted because they have access to fewer resources. And so really thinking about what is the collective capacity to address ransomware, we’re really only as strong as our weakest link, and I think this is very true in the ransomware domain. So I think this is a little bit of context, and I’d be happy to switch it over to the CyberPeace team now, because those give you a little bit of numbers in terms of what we’re seeing in the last 12 months with ransomware.
Giacomo Paoli Persi: Thank you, Chelsea, for this initial introduction, at least, into the threat landscape. Let’s try to go back online to Nedalcho and see if we’re now in a position to share your screen and see your slides. I think it should work now. Yes, I confirm we can see it. Thank you.
Nedalcho Mihay: OK, thank you. Yeah, just an introduction. My name is Nadelche Mihailos, and I’m a cyber threat analyst with the CyberPeace Institute, with which I’ve been heavily involved in working with the incident tracer platforms. So as Francesca mentioned, the project consists of two phases. So I’ll skip this, and I’ll just go into the aims and objectives of the study. The aim is to compile a… the statistically representative dataset on global ransomware activity, including the targets of ransomware attacks and the names and locations of ransomware threat actors. And we had two objectives. The first is to create a database of threat actor profiles, including the name of the threat actor, associated ransomware and location country. And the second objective is to create a database of global ransomware incidents, including target location, target sector and threat actor name. Now I just want to very briefly touch upon our research methodology, as it is a central part in the work of the analysis team. So we start with the analytical questions and key terminology. We create the data collection schemas for both the research and threat actors and incidents. We define the key sources, and then we document the limitations of our work, which mainly revolve around the usual constraints of open source research and the current limits of AI and LLM, as we incorporate automation in every step. So the research was mainly guided by four analytical questions. Which threat actors have been responsible for the development, deployment or facilitation of ransomware operations? Second, ransomware threat actors operate from, originate in or are located in which countries or regions? Third, what open source indicators, so that would be personnel, linguistic patterns, technical infrastructure, contribute to the geographical attribution of ransomware threat actors? And finally, which locations and sectors have been most frequently targeted by ransomware attacks? Now for data sources, we use data shared by partners or gathered through open source intelligence in both structured and unstructured format. And as we have incorporated all of our previous research from our cyber incident tracers, that could have impacted the results of the data collection. So, initial analysis and findings. We have analyzed information on around 300 threat actors. 52% of them remain unattributed to a specific geographic location. Of the attributed threat actors, 54% are linked to Russia, followed by 8% linked to Iran, 7% to China. In terms of the data collection on global ransomware incidents, we have collected information on 2,717 incidents conducted by 184 threat actors against organizations in 22 sectors across 90 countries. More than half of all attacks were attacks against organizations in the United States. And more than a third were attacks against the healthcare sector, followed by non-profits and the ICT, with the top three most active threat actors in our database being LockBit, BlackCat, and REvil. And the following slides illustrate how one of our graph analysis tools helps us with data analysis and visualization. The first one is an analysis of all incidents pivoted around targeted countries. The second one is a visualization of our research into threat actors, which have been grouped and mapped to countries they are connected to. You will notice that some actors appear linked to several countries, either because members were arrested in multiple jurisdictions or because several open source indicators connect them to more than one country. And finally, the last two slides present a simplified dashboard view of our initial results. First one are the results of our analysis into the targets of ransomware attacks. And the second are the results into the analysis of the perpetrators of ransomware attacks. On the top right, you can see the distribution of threat actors’ connections to geographic locations.
And on the bottom left, you can see the distribution of threat actors among the global ransomware incidents database. Thank you.
Giacomo Paoli Persi: Thank you, Nedalcho, for this inspiring presentation and being representative of the research community. I’m always in favor of bringing more evidence and data-driven decision-making to the table. So thank you so much to you and to the Cyber Peace Institute for this initiative. Really looking forward to seeing how it evolves. And before we go back now to the panelists and… and continue with our questions. I just wanted to remind colleagues online that you can start asking your questions if you want to use in the chat. We have Michael Karamean from Microsoft that is our great online moderator and he will make sure that those questions reach me here in the room. Ambassador, I would like to come back to you and also to you, Julia, because you both alluded to or mentioned the fact that ransomware is not just a cybercriminal behaviour, but it can escalate, it can reach the threshold of being a national security threat or at the very least a national security concern for a variety of reasons. Would you mind elaborating on your perspective on this?
Brendan Dowling: I think it’s a really important way of framing the issue. I think cybercriminals flourished in a context where we thought about ransomware as a cybersecurity issue that our CISOs or our ICT teams needed to be conscious of. But as we’ve seen the ramifications from ransomware attack resonate and ripple through society, I think increasingly we have to be conscious that these are not confined, they’re not purely cyber incidents, these are whole of nation incidents which governments need to take much more seriously. I think the important part of that message is when an entity, an organisation or a business is attacked, it shouldn’t be seen as just something that affects that business. Oftentimes the externalities of a ransomware attack are borne by the community, they’re borne by the broader government, they’re not just about the effect on that business. As I said before, if businesses or entities don’t talk or share information about their attacks, that actually… impedes the ability of their competitors or other people in the industry to protect themselves. So we need to start seeing ransomware as a much broader national threat to say, one, not only is it okay to talk about these types of attacks if they hit you, but actually we need you to do that to better protect our citizenry, to better protect our nation. So we’re doing a lot in Australia to drive that behaviour, increasing our expectations on industry to report attacks, making clear that if you seek assistance from the Australian Cyber Security Centre, that is not a bad thing, that is not something to be ashamed of, actually it’s a trusted government entity that can help you out. But when we see these attacks affecting society so broadly, it needs to be a whole-of-society response, not just something that’s seen as a manageable keep-it-within-yourself, it only affects you sort of attitude.
So it’s taken us too long to get to this point, but now I think we’re realising because of the scale of the attacks that this is a national security threat that requires national and global responses. Thank you.
Giacomo Paoli Persi: Julia, I would like to come back to you as well, because in your remarks you also highlighted how, to some degree, what happened in Costa Rica was a wake-up call for many governments, and you alluded to the fact that even in El Salvador you’ve started to take proactive action and initiatives with respect to ransomware. So would you mind elaborating a little bit how you see ransomware as a potential national security concern?
Julie Rodríguez Acosta: Thank you so much, Giacomo. And yes, following on the remarks just delivered by Ambassador Dowling, first we see an increased number of ransomware attacks targeting critical infrastructure. So this is very concerning. These attacks, as it was mentioned, go beyond financial motivations and represent a clear violation of what we have as the guideline of responsible state behavior. So while many of these attacks really fall under the realm of cybercrime, there is growing evidence of the state-linked ransomware operations that are conducted with certain tacit state tolerance. So we even see cases where ransomware has been used, not primarily for financial gain, but as a vector to conduct denial-of-service attacks that affect the availability of system and national space. So this is linked with the case of Costa Rica, which was the first time that a national government was directly targeted in such a way. So this attack disrupted essential public services and compromised the confidentiality of citizens’ personal data. So beyond the first impact, it undermines public trust in the state’s ability to secure a digital system. And this is especially worrisome as all governments are trying to increase how they can digitalize public services. So there, and I mentioned this a little bit in my initial remarks, we also see linkages between ransomware and broader security concerns, particularly by the theft of cryptocurrency, as was mentioned by Ambassador Dowling. In some cases, these stolen assets have reportedly been used to fund weapons of mass destruction programs and their delivery systems. And this is a direct threat to international peace and security. Also, the use of cryptocurrency complicates attribution and prosecution, making it more difficult to hold perpetrators accountable. So these are just some examples on how ransomware really intersects not only with national security, but also with broader international security architecture.
And this evolving threat landscape demands close coordination between governments and multilateral institutions and other stakeholders, as it was mentioned by the
Giacomo Paoli Persi: Thank you, Julia. I’d like to go back to Chelsea and Francesca because both Microsoft and CPI, in a different way, you collect a lot of data and you have visibility in a way that perhaps other organizations don’t. So I would like to go back to where we started, which was with the recognition of how ransomware is increasing and the number of ransomware attacks has been growing significantly over the past 12 months. So based on the data that you have collected as a business, Chelsea, or as an organization that focuses on open source data with CPI, what can you share with us around the reasons behind why we’ve seen these numbers grow so much? Perhaps you can start, Chelsea, and then we’ll go to Francesca.
Chelsea Smethurst: Great, thank you. So I think there’s really three trends, but I’ll start with some sobering numbers. So at Microsoft, we track over 600 million cyber attacks daily. And if you break that down to a minute by minute basis, you’re looking at somewhere around 415,000 attacks a minute. And that’s just us as a company and what we have purview and visibility into. And so we’re up against a pretty large mountain, right, in terms of cyber attacks. But I would say there’s probably three things specific to ransomware that we’re really seeing on the Microsoft side. One is what we call ransomware as a service. And this is essentially a product, right? So this does two things. It lowers the barrier of entry for cyber criminals who want to use these tools and techniques because it’s easier, frankly. And then secondly, it allows scalability. So if it’s easy to just download a software and click a button and then get money and pay it out from it, you’re going to be able to do it, right? So that’s another reason why we see an uptick in the use of these technologies. And then secondly, right, the other thing I’ll mention, and it’s been mentioned by a couple of our panelists today, is the rise of cryptocurrency. And this is problematic for two reasons, right? It’s easy to get paid for these ransomware attacks. And then secondly, it’s really harder to track. And with anything with cybersecurity, if you can’t assign accountability and transparency, it’s really hard to really deter these attacks, right? If you can sort of hide behind your actions and it’s difficult to track. But I think finally, really the third and probably the most important factor in this issue is what we call safe havens. So these are geographic entities where, you know, you can actually base out of ransomware attacks against international victims, but they’re really not held accountable at the legal and international level. 
And it’s really difficult from an industry perspective to really target and sort of minimize these, what I call safe haven opportunities for ransomware. And so this is an area where I would like to see, I think, more collective international cooperation across both the private sector and also governments. And that’s something that I think we’ll see more of in the future.
Giacomo Paoli Persi: Thank you. Francesca?
Francesca Bosca: Yeah, maybe I can. So I guess some of the points were already made and maybe just on the first one, meaning the ease of access to tools and the rise of, let’s say, ransomware as a service that all the previous speakers mentioned, indeed, I would say, potentially also in a way amplified and enhanced by artificial intelligence and emerging technologies. So that this is definitely something that will impact the cryptocurrency ecosystem and the sort of widespread availability and relative anonymity of cryptocurrencies facilitate, obviously, the ransom payment and obviously is leveraged by perpetrators. The safe havens was mentioned. Maybe what I can add is something that was mentioned, I think, also before by Julie, and it’s an excellent observation, which is the, in a way, the expanding global digital footprint, especially with remote work, poorly secured systems and legacy infrastructure provides more vulnerability for threat actors to exploit. But this means also that they are trying, let’s say, to, in a way, optimize the way they work and use the same infrastructure basically for launching different type of criminal activities. So, and this is why the second phase of the program will focus specifically on exploitable and exploited, I would say, infrastructure, which is something that is also, I mean, not so well, I would say, or not so much investigated. And an output of this mapping will be able to demonstrate that the same infrastructure basically is likely used, for example, for other crimes beyond ransomware. And allow me to mention two other factors that we see when it comes to the, why, let’s say, the increase. There is also a sort of thriving, what we call initial access broker markets, meaning that you have brokers that specialize in obtaining and selling access to compromised networks, often of high value organizations, which ransomware groups basically exploit to deploy their malware.
So it’s a sort of like cyber-organized crime form of activity, but with very specialized, let’s say, professionals at the beginning, providing ransomware operators with the data that they need to then carry out the attack. And then let’s not forget another very important point. We’ve seen ransomware groups shifting from, let’s say, opportunistic attacks, so launching widespread attacks against, let’s say, as many individuals as possible, to more strategically targeting critical infrastructure, like, for example, healthcare, education, even civil society with limited cybersecurity resilience, but high sensitivity to disruption. And that’s interesting because, I mean, I was checking the, still the criminal profits hit record highs because, according to Chainalysis, victims paid more than 1 billion US dollars in 2023, facilitated through cryptocurrency, which means that still criminals are getting quite some profit out of it.
Giacomo Paoli Persi: Thank you. If we have time at the end, I’d like to go back to this kind of driver discussion, because, you know, in basic kind of criminal studies, you know that criminals need I think all normatives need means and need opportunities in order to perpetrate their crime. And there is a lot of discussion around the means and how the means are evolving, whether it is technology, whether it is cryptocurrency, whether it is permissive regulatory regimes that allow them to or enable them to do what they do. But I don’t think there is necessarily a lot of, or enough, focus on opportunities, which is what are the weaknesses of the system that they can then exploit in order to. And one could argue the regulatory one is probably a hybrid between both a means and an opportunity. But if we have time, I’d like to discuss more. But going back to a point that Chelsea mentioned around safe havens, I would like to come back to you, Brendan, about what mechanisms currently exist to hold states accountable when ransomware groups operate with impunity within their borders. So what can states do?
Brendan Dowling: It’s a tough one. We have an established norm on this issue that was agreed as part of the 11 norms of responsible state behaviour, which essentially said states should take responsibility to prevent malicious cyber actors from operating with impunity in their territory. But we still see this happening quite commonly. We then look to what international measures do we have that can help us address that issue? One is bilateral. We engage with several attacks that have been launched from Russian territory against Australia or partners in the region. We engage with the Russian government and we make clear that we expect action to be taken against these actors. Usually there is no response. So a big part of that problem is that we have a government that is not taking seriously and is in fact likely profiting from some of the criminal activity. We’ve then used sanctions to try and target the people who are behind the attacks. These are a limited measure, they do have an impact, they do have a deterrent, but the problem of attribution is a challenge and then sanctions, if a person does not have financial assets in your country, are always going to have limited effect. Law enforcement responses have to be part of the response. When we do find cyber criminals in jurisdictions who will cooperate, ensuring the digital evidence is made available to support successful law enforcement and prosecution. And that’s where the Budapest Convention, where the Cybercrime Convention, will hopefully bring more states to take seriously legal measures to combat cyber criminals who may come across their jurisdiction. Finally, we consider that disruption measures have to be part of their solution. 
When you’ve exhausted all other avenues to achieve a law enforcement response, when you have safe havens where people are operating from with impunity, finding active disruption measures to take down infrastructure, to throw sand in the gears to make life harder for these actors has to be an important part of the response. Again, challenging, time-consuming, attribution can be a difficulty, but we have had success against groups like LockBit, where there has been significant enough impacts on their infrastructure to disrupt their operations for some time. The Counter Ransomware Initiative, I think, has been a really effective grouping that has brought countries together to talk about building up cooperation to combat ransomware. That’s still a work in progress, but I think a much broader church of countries are coming together to take this seriously. So, we’re going in the right direction. Here the sort of figures that Chelsea shared. There is a long way to go to seriously put a dent in this crime.
Giacomo Paoli Persi: Thank you. I’d like to come back to you, Julia, to look at more of the multilateral side of this equation. But before I do, I just wanted to share with perhaps Chelsea and Francesca an interesting question that came online, so you have the time to think about it, while Julia gives us her multilateral perspective. And the question reads, is there any research on how blockchain deployment is correlated to the mitigation of cyber threats? If no, how do we promote this research topic? And if yes, what is the outcome? So anything that you can think of related to the use of blockchain in this context would be very, very useful. But now, Julia, coming back to you, what role do you think should the UN play, not only in establishing norms, but also potentially in establishing frameworks for state accountability in cyberspace?
Julie Rodríguez Acosta: Thank you so much, Giacomo. And as Ambassador Dowling just highlighted, at the UN we have this framework for responsible state behavior that basically outlines expectations on how states should act in cyberspace, and includes voluntary non-binding norms, reaffirmation of the applicability of international law, and also building. So one of the key principles is that critical infrastructure must be protected and respected, and is effectively off limits. However, while the framework says the reality on the ground tells us a different story, as we see from this Cyber Peace Institute research, data and reporting continue to show a rise in hostility and pervasive cyber activity, including ransomware attacks that often target the very infrastructure meant to be protected. So the UN… And then it should continue to play a central role in promoting the implementation of these norms, encouraging the state to take operational actions at the technical level to enhance compliance, and this includes the advancement in cooperative measures, information sharing, joint investigations, but also reinforcing norms that clearly outline unacceptable behaviors, especially those that undermine trust, security, and stability in cyberspace. So more broadly, international community must work together to disrupt the ransomware business model and build resilience. You see, national policies, laws, and technical capabilities are not enough to address what is inherently a transnational threat, and no country can tackle this challenge in isolation, and thus we promote that we do this also through multilateral forums. So yes, you know, kind of rounding up, more international cooperation is needed, but it must be cooperation that is practical and action-oriented and focuses on disrupt, deter, and prepare, and have more effective response mechanisms so they can leverage.
Giacomo Paoli Persi: Thank you, Julia, for your perspective, and also to give Chelsea and Francesca a couple more minutes to think about this. I also thought I’d add, you know, being at UNIDIR, I have the privilege of having seen and having witnessed how the UN discussions have evolved, and we’re now getting to the point where the current open-ended working group is wrapping up its five-year mandate, and we are about to enter a new, a future permanent mechanism with some details already being agreed on and others still being up for negotiation, but it looks like that this new mechanism will have at least potentially the opportunity to really go focus more on the implementation of all the existing commitments that are already in place. And if we accept that beyond all commitments there has to be the political will to implement them, and if we take that as a given, because if there isn’t, then there is nothing really, no practical measure can work without the political will and commitment to implement it. But if we take that political commitment as a given, then I think there are a number of issues that can, where the UN and the multilateral approaches can really help, whether it is, as Julia was mentioning, Some states may not even be aware that their territory is being used as a safe or as a kind of a staging ground for ransomware campaigns. Or some may be aware but maybe don’t have the means to do anything with it. Technological means but also legal means because maybe they don’t have a national legislation that allows them to intervene. And all of these things, despite the fact that we’re talking about ransomware and cybersecurity which make them feel like new, they are not new in the UN system. There are many conventions that have been negotiated before that then have followed with practical instruments and measures that have been developed in order to help states implement them and comply with the commitments.
So you know perhaps there will be an opportunity to develop like a model law or a model legislation for those countries that need to adopt some sort of regulatory measures at the national level that would enable them to then intervene and disrupt a ransomware campaign emanating from their territory. These things, you know, you need to have legal coverage to do certain things. If you want to share evidence with your neighbor, if you want to cooperate, these require very well-developed regulatory frameworks or cooperation mechanisms that would require a little bit of assistance in developing. And with that, I turn back to Francesca and Chelsea and ask if you had the chance to think about the topic of blockchain and whether or not you are aware of any work or any research that has been conducted to explore the extent to which it can be helpful in this context.
Chelsea Smethurst: I can go next. Go. Great. So I’m not aware of the latest art around sort of cryptocurrency and Bitcoin and blockchain research, but just one brief point I’ll make is that cryptocurrencies are ultimately based on blockchain technology, right? And so if cryptocurrencies and financial transactions are actually processed through exchange… I’m sure there’s a lot more to sort of assess on that topic, but it is an interesting part of the technology block or the technology platform that can be used for both positive means, right, but also criminal means too. So good question. I’m looking forward to Francesca’s points on this.
Francesca Bosca: That’s interesting because it’s a topic close to my heart because it was like two jobs ago I left, let’s say, when I was doing research on blockchain. So I mean, provided that it’s a little bit outdated information and I would need to, let’s say, to look into that again. So there are a couple of aspects, one from, let’s say, from a technical standpoint, I would say that I do see, and I remember, I mean, doing some research on how, for example, blockchain can be used as a sort of like, not, let’s say, the black sheep when it comes to cybersecurity, but on the opposite, and there are some practical implementation areas I’m thinking about, like the threat intel sharing, for example, that can be extremely beneficial when we think about cybersecurity. I’m thinking about identity and access management, for example, where obviously the decentralization of digital identities can help, for example, when it comes to decentralized security. So thanks to the distributed architecture and the consensus mechanisms, and obviously the fact that you have, I mean, the key strength of the blockchain resides basically in the immutable data ledger. I mean, obviously you can improve the audit trails and the data integrity. Again, outdated information, but I would suggest that there was. There were a couple of things that came to my mind. ENISA, so the EU agency, did some interesting work back in before COVID. So in 2019 on distributed ledger technology and cyber security. And there is also a work done by the World Economic Forum on blockchain cyber security in again in 2020. So these are the only two that, I mean, came to my mind. But again, because my knowledge is a little bit outdated. Can I just mention one thing where I can see it’s a very good question also, because I think it also helps us in thinking about, let’s say, potential future direction. 
What I would be really interested in seeing is, for example, how to use blockchain for ransomware resistance and incident attribution. And one interesting aspect that is kind of like collateral is also how you can integrate blockchain with an AI for automated threat detection as well.
Giacomo Paoli Persi: Thank you. And we may go back to the more general topic of which technologies exist out there that could help. But I’m also conscious of the time. And before I continue, we probably were a little bit too ambitious with the number of questions we have prepared. I’m conscious of the time that we have, 12 minutes before we have to wrap up this interesting session. So I also wanted to make sure I give the opportunity to colleagues in the room. If there is anyone who would like to ask a question, I see one. If you can please reach for the microphone on your right and introduce yourself, please, before asking the question.
Vilda: Yes, thank you. Can you hear me?
Giacomo Paoli Persi: Yes.
Vilda: Perfect. Thank you so much for an excellent panel. My name is Vilda. And I think ransomware is such an interesting type of crime. And as a criminologist, I’ll allow myself to say that it’s maybe my favorite kind of crime, at least from an academic perspective. And I have a question for Julie and Brendan, who are tackling cyber crime from like a government sector, because I wrote my master’s thesis on ransomware, and one of the many, many interesting and unique aspects of ransomware is that it’s, as far as I can tell, the only type of crime, or cyber crimes, the only type of crime where the private sector is dominating both on crime prevention but also handling the incident and dealing with the aftermath. So I was just wondering, coming from a government perspective, how, in your respective countries, are you dealing with that sort of cooperation with the government and the private sector? Thank you.
Brendan Dowling: It’s a really interesting question, and you’re right, in cyber so much of the front line is in the hands of the private sector. And in no other form of crime or attack type would we say, oh well, that’s kind of completely a responsibility of the private sector, and whether they tell anyone about it is their business, and they’re on their own to kind of assist you with that. So that does make a much more challenging environment. Some of the things that we’ve done in Australia to try, without using compulsion, to build a far more collective response to these crime types: when we had two major cyber incidents affecting millions of Australians, going back to 2022, the government came out and very publicly engaged with those companies, sent teams of police officers and cyber security experts from the government to sit in the headquarters of those companies and to provide assistance, to launch the investigations in a very collaborative way. Now, those were very large-scale incidents, so that’s... We have tried to create an environment where we normalise engaging with the government as soon as there is an incident, that sharing information with the government to aid in the response is not just a nice thing to do, but is actually the expected thing to do. We have introduced legislation that says if you as a private company engage with our cyber security centre, the information you share with them will not be used for regulatory purposes so you can trust there is a safe space to engage and seek that assistance. And now we are introducing a mandatory ransomware payment reporting scheme. So in all these measures we are trying to create an environment where it is not seen as purely something for a business or an entity to manage, it is seen as something that needs a collective response and that active engagement with the government, with law enforcement, with our cyber security experts is a normal way of responding to these incidents. 
It will take time, but I think it actually improves when that type of behaviour is modelled well by companies. Once some companies start to do this and it becomes a new norm that this is how you engage, that creates an environment where others are doing the same. So we are trying to make all these efforts to normalise that it becomes a collective response rather than just something that is dealt with in isolation.
Giacomo Paoli Persi: Thank you. Julia, would you like to come in on this question?
Julie Rodríguez Acosta: Yes, thank you so much for the question and I think this is very pertinent and I would like to provide some insights from the Global South perspective. I think this is very pertinent because there is often this idea that ransomware only targets large enterprises or companies that can afford to pay substantial ransom, but in reality, you know, small organisations around the globe are affected and the consequences for these small organisations are often massive. On a national level, we have this kind of like multi-stakeholder cooperation. Of course, as a government, we have enacted laws on cybersecurity and very recently on data protection because ransomware, often, you know, it’s related with data theft. So we wanted to make sure that we have in place all these laws that also protect personal data and privacy. And then, of course, these linkages with private industry, law enforcement agencies, and of course, as a small nation, we leverage a lot of cooperation that we can build through, you know, entities like the United Nations. We also have a lot of work with regional organizations like, for example, OAS. So we kind of like pivot everything that has been done in the international level that can help us. And then a lot, of course, we rely, as I was mentioning before, on a lot of bilateral cooperation, trying to learn for those who say that have more advanced capabilities to fight this threat. But as we have, you know, highlighted throughout the panel, it is global. So it is in best interest of all, you know, to have tried to leverage that level of cooperation so we all can combat and counter ransomware.
Giacomo Paoli Persi: Thank you. And actually, I would like to take this question and link it to the rest of the panel, because we did have in our list a question around successful models for public-private collaboration on cybersecurity that could potentially be scaled. So again, going back to you, Chelsea, and Francesca, you know, you have seen probably many different configurations of how the public and the private sector work together. What are some of the most successful stories that you’ve seen or some of the models that you think could be used as an inspiration?
Chelsea Smethurst: So I’ll go ahead and start, but I really liked your question from the audience, but I’ll briefly say, so just earlier this month Microsoft actually announced a pilot program with Europol to integrate our digital crimes investigators into their European cybercrime center in The Hague, and I think these sort of novel model public-private partnerships are an interesting thing to try out across different sectors, right? Because then you’re marrying both the private sector expertise and sort of the front lines that we see in ransomware with the legal and investigatory powers of states and governments, and that’s a very powerful tool and I’d like to sort of see those models as applicable be replicated across different environments, but it’s a really great question and I think more to be seen on if this model with Europol will scale and also be successful, but I think just willingness to try to partner between private sectors and governments is a really great attempt, so.
Francesca Bosca: And maybe the other one that comes to mind is the ransomware task force, which I think see involved, I mean, it’s a multi-stakeholder effort with participation from across government, industry, civil society, and I think it was very well-received, very well-sustained, let’s say, and so, yeah, I think these are the ones that come to mind, and maybe just to advocate with my civil society head, I would say not only private sector and government should work together, but also including, I think, civil society organization can definitely bring an added value, I mean, there’s one aspect which is something that I try to highlight in the panel, so documenting basic data, So basically the impact that ultimately ransomware is having, as we said also and as remarked by the previous panelists, as a societal threat, not just a technical one or just not just a business related one. But it can also be a sort of like, in a way, supporting sort of like thinking outside the box. And civil society has a sort of like unique capacity to propose tests and proposals. So ethical frameworks supporting victim-centered response protocols reinforces the need for due diligence in digital infrastructure. So coupling it with, for example, what Brendan was mentioning before in terms of like the collaboration with law enforcement and the collaboration with the private sector. I think that also civil society can definitely play a role.
Giacomo Paoli Persi: Thank you. I’m conscious of the time. We have just over two minutes before we need to wrap up this discussion. So I would like to do one final round to all our speakers and give you the chance, starting with you, Ambassador, to 30 seconds. What is the one key takeaway you would like the audience here in the room and online to bring back after this session?
Brendan Dowling: I think working together on this issue, there’s private sector responses to build resilience as threat intelligence sharing. Microsoft helped us as we tracked down the perpetrator behind the Medibank attack. This affects every nation at all levels. We’ve been too slow to come together and act collectively against it. There’s no one lever. We need to pull all levers at once. So talking about this as a national policy issue in all your countries is crucial.
Giacomo Paoli Persi: Thank you. Coming to you, Julia, online, your key takeaway.
Julie Rodríguez Acosta: Thank you, Giacomo, and thank you so much to all the panelists. This has been really enriching. As you said, we are at the UN. and Francesca Pellicchino. They are working with the United States and other states to establish a permanent mechanism. These are critical opportunities for all states regarding their size and capacity. They can share insights on ransomware. We can design some mechanisms within the US to advance international cooperation and assist in finding ransomware together.
Francesca Bosca: I was reflecting on one of the first panels where I’m super happy to hear very concrete initiatives and good examples. My aspiration for the panel is to go out and say collaboration needs to be meaningful, not just tokenized. Collaboration is not just a buzzword that we need to have there, but it needs to make an impact. Allow me to say one thing that I forgot to mention before, which I think is important and we didn’t have time to dig into. Definitely the aspect of capacity building. Don’t take for granted that we are all on the same page. We got some very good examples from different areas of the world. We need to build an inclusive capacity building work stream across the different sectors and across the different geographies.
Giacomo Paoli Persi: Thank you. Chelsea?
Chelsea Smethurst: Finally, to close this off, I’d like to see how capacity building and skilling changes to tackle this problem. I think it’ll be an exciting next few years as we see creative uses of artificial intelligence tools to really counter ransomware. I don’t think that’s just going to sit in the hands of big tech providers. Looking forward to seeing how our countermeasures against ransomware will evolve. Thank you.
Giacomo Paoli Persi: Thank you very much. With that, all is left to do is to thank our speakers for sharing their experience and knowledge with us. Thank all of you in the audience, here in person and online, for participating, and again thanks to Microsoft for bringing us together to discuss this very interesting topic. Thank you very much, thanks.
Giacomo Paoli Persi
Speech speed
149 words per minute
Speech length
2644 words
Speech time
1057 seconds
Ransomware attacks have grown by nearly 300% in the last year, becoming the most prominent global cybersecurity threat
Explanation
Giacomo presents ransomware as an urgent global challenge that has seen dramatic growth despite being a known threat. He argues that this growth is due to technological factors making campaigns more sophisticated and the emergence of commercial off-the-shelf ransomware tools that have lowered barriers for cybercriminals.
Evidence
Nearly 300% growth in ransomware attacks last year; emergence of cybercrime-as-a-service model; increased sophistication and difficulty to detect
Major discussion point
Evolution and Scale of Ransomware Threats
Topics
Cybersecurity
Agreed with
– Chelsea Smethurst
– Brendan Dowling
Agreed on
Ransomware has dramatically increased and represents a global threat requiring urgent action
Chelsea Smethurst
Speech speed
171 words per minute
Speech length
1066 words
Speech time
373 seconds
Microsoft tracks over 600 million cyber attacks daily, with ransomware showing a 275% increase in usage over 12 months
Explanation
Chelsea provides specific data from Microsoft’s Digital Defence Report showing the massive scale of cyber attacks they monitor daily. She notes that while ransomware usage increased dramatically, they’ve also seen a 300% decrease in attacks reaching the encryption phase, indicating improved defensive capabilities.
Evidence
600 million cyber attacks daily tracked by Microsoft; 275% increase in ransomware usage; 300% decrease in attacks reaching encryption phase; over 90% of successful ransomware attacks target unmanaged devices
Major discussion point
Evolution and Scale of Ransomware Threats
Topics
Cybersecurity
Agreed with
– Brendan Dowling
– Nedalcho Mihay
– Francesca Bosca
Agreed on
Vulnerable sectors and populations are increasingly targeted by ransomware
Safe havens where ransomware groups operate with impunity, primarily in Russia, enable continued criminal activity
Explanation
Chelsea identifies safe havens as geographic entities where ransomware operators can base their attacks against international victims without being held accountable at legal and international levels. She emphasizes this as a critical factor enabling the growth of ransomware and calls for more international cooperation to address these safe haven opportunities.
Evidence
Geographic entities where ransomware operators face no legal accountability; difficulty for industry to target and minimize safe haven opportunities
Major discussion point
Enabling Factors and Criminal Ecosystem
Topics
Cybersecurity | Legal and regulatory
Agreed with
– Brendan Dowling
– Nedalcho Mihay
Agreed on
Safe havens and jurisdictional challenges enable ransomware operations
Microsoft’s pilot program with Europol integrates private sector expertise with government investigatory powers
Explanation
Chelsea describes a novel public-private partnership model where Microsoft integrates digital crimes investigators into Europol’s European cybercrime center. This approach combines private sector front-line expertise with government legal and investigatory capabilities to create more powerful tools against ransomware.
Evidence
Pilot program announced earlier this month integrating Microsoft investigators into Europol’s European cybercrime center in The Hague
Major discussion point
Public-Private Collaboration Models
Topics
Cybersecurity | Legal and regulatory
Agreed with
– Brendan Dowling
– Francesca Bosca
– Julie Rodríguez Acosta
Agreed on
Multi-stakeholder collaboration is essential for effective ransomware response
Disagreed with
– Francesca Bosca
– Brendan Dowling
Disagreed on
Role of civil society in ransomware response
Artificial intelligence tools show promise for evolving countermeasures against ransomware attacks
Explanation
Chelsea expresses optimism about the future use of AI tools to counter ransomware, suggesting that these capabilities won’t be limited to big tech providers. She sees this as an exciting development for the next few years in the evolution of ransomware countermeasures.
Major discussion point
Capacity Building and Future Directions
Topics
Cybersecurity
Nedalcho Mihay
Speech speed
160 words per minute
Speech length
680 words
Speech time
253 seconds
Analysis of 2,717 ransomware incidents shows over half targeted US organizations, with healthcare being the most affected sector
Explanation
Nedalcho presents findings from the Cyber Peace Institute’s research analyzing global ransomware incidents. The data reveals geographic and sectoral patterns in ransomware targeting, with the US being the primary target and healthcare being the most vulnerable sector.
Evidence
Analysis of 2,717 incidents conducted by 184 threat actors against organizations in 22 sectors across 90 countries; more than half targeted US organizations; more than a third targeted healthcare sector, followed by non-profits and ICT; top three most active threat actors: LockBit, BlackCat, and Rebel
Major discussion point
Evolution and Scale of Ransomware Threats
Topics
Cybersecurity
Agreed with
– Brendan Dowling
– Chelsea Smethurst
– Francesca Bosca
Agreed on
Vulnerable sectors and populations are increasingly targeted by ransomware
52% of analyzed threat actors remain unattributed, while 54% of attributed actors are linked to Russia
Explanation
Nedalcho’s research reveals significant challenges in attribution, with over half of ransomware threat actors remaining geographically unattributed. Among those that can be attributed, Russia emerges as the primary source, followed by Iran and China.
Evidence
Analysis of around 300 threat actors; 52% remain unattributed; of attributed actors: 54% linked to Russia, 8% to Iran, 7% to China
Major discussion point
Attribution and Geographic Distribution
Topics
Cybersecurity
Agreed with
– Chelsea Smethurst
– Brendan Dowling
Agreed on
Safe havens and jurisdictional challenges enable ransomware operations
Open source research reveals geographic patterns and infrastructure connections among ransomware threat actors
Explanation
Nedalcho describes the methodology used to map ransomware threat actors using open source intelligence, including personnel, linguistic patterns, and technical infrastructure indicators. The research creates databases of both threat actor profiles and global ransomware incidents to support evidence-based multilateral action.
Evidence
Use of open source intelligence including personnel, linguistic patterns, technical infrastructure; creation of threat actor profiles database and global incidents database; graph analysis tools for data visualization
Major discussion point
Attribution and Geographic Distribution
Topics
Cybersecurity
Brendan Dowling
Speech speed
144 words per minute
Speech length
2173 words
Speech time
899 seconds
Ransomware-as-a-service model has democratized cybercrime by lowering barriers to entry and allowing non-technical criminals to conduct attacks
Explanation
Brendan explains how the ransomware ecosystem has evolved into a sophisticated service industry where criminals no longer need technical expertise. He describes a system with brokers, liaisons, and specialists who handle different aspects of attacks, with ransomware groups typically taking only 20% of profits, making it an accessible and industrialized crime type.
Evidence
Service industry with liaison persons/brokers connecting attackers; specialists for data fencing and each operation element; ransomware groups take only 20% of profits; democratized, industrialized, and ubiquitous nature
Major discussion point
Enabling Factors and Criminal Ecosystem
Topics
Cybersecurity
Agreed with
– Giacomo Paoli Persi
– Chelsea Smethurst
Agreed on
Ransomware has dramatically increased and represents a global threat requiring urgent action
Cryptocurrency enables long-range ransomware attacks and makes financial tracking more difficult for law enforcement
Explanation
Brendan identifies cryptocurrency as a fundamental enabler of the ransomware crime type, arguing that this financial innovation has made it much more difficult to track and disrupt ransomware operations. He emphasizes that ransomware as we know it didn’t exist before cryptocurrency.
Evidence
Ransomware is a crime type that didn’t exist before cryptocurrency; cryptocurrency enabled long-range launching of attacks across the globe
Major discussion point
Enabling Factors and Criminal Ecosystem
Topics
Cybersecurity | Economic
Ransomware attacks have consequences that ripple through society and require whole-of-nation responses, not just cybersecurity solutions
Explanation
Brendan argues that ransomware should be viewed as a national security issue rather than just a technical cybersecurity problem. He emphasizes that the externalities of attacks are often borne by communities and governments, not just the targeted businesses, requiring a broader societal response.
Evidence
Medibank attack affected 10 million Australians; women and families facing domestic violence had to be moved to safe houses after health data was compromised; externalities borne by community and government, not just targeted business
Major discussion point
Ransomware as National Security Threat
Topics
Cybersecurity
Agreed with
– Julie Rodríguez Acosta
Agreed on
Ransomware is a national security issue, not just a technical cybersecurity problem
Attacks on small Pacific Island nations like Tonga’s National Health Information Service show the global reach and societal impact of ransomware
Explanation
Brendan provides a compelling example of how ransomware groups target even the most remote and vulnerable populations. He describes how an attack on Tonga’s health system forced hospitals to use paper and pen, with nurses struggling to process patients, demonstrating the real-world human impact of these attacks.
Evidence
Pacific Island countries with populations under 100,000 being targeted by Russian cybercrime groups; Tonga’s National Health Information Service shut down; hospitals using paper and pen; nurses struggling to triage patients; Australia deployed assistance team
Major discussion point
Ransomware as National Security Threat
Topics
Cybersecurity
Agreed with
– Chelsea Smethurst
– Nedalcho Mihay
– Francesca Bosca
Agreed on
Vulnerable sectors and populations are increasingly targeted by ransomware
Australia applies financial sanctions, travel restrictions, and conducts active disruption of ransomware infrastructure
Explanation
Brendan outlines Australia’s multi-faceted approach to combating ransomware, including diplomatic engagement, sanctions, law enforcement cooperation, and active disruption measures. He acknowledges the limitations of these approaches but emphasizes the need for comprehensive responses when dealing with safe havens.
Evidence
Financial and travel sanctions against cybercrime actors; engagement with Russian government on attacks from their territory; fried servers of Medibank attack perpetrators; support for Budapest Cybercrime Convention; Counter Ransomware Initiative participation
Major discussion point
Response Mechanisms and Accountability
Topics
Cybersecurity | Legal and regulatory
Agreed with
– Chelsea Smethurst
– Nedalcho Mihay
Agreed on
Safe havens and jurisdictional challenges enable ransomware operations
Disagreed with
– Francesca Bosca
– Chelsea Smethurst
Disagreed on
Role of civil society in ransomware response
Successful collaboration requires normalizing government engagement and creating safe spaces for information sharing without regulatory consequences
Explanation
Brendan describes Australia’s approach to encouraging private sector cooperation by creating an environment where engaging with government is normalized and expected. He outlines specific measures including legislation protecting shared information from regulatory use and mandatory ransomware payment reporting.
Evidence
Public engagement during major cyber incidents with government teams deployed to company headquarters; legislation protecting information shared with cyber security centre from regulatory use; mandatory ransomware payment reporting scheme; normalization of collective response
Major discussion point
Public-Private Collaboration Models
Topics
Cybersecurity | Legal and regulatory
Agreed with
– Chelsea Smethurst
– Francesca Bosca
– Julie Rodríguez Acosta
Agreed on
Multi-stakeholder collaboration is essential for effective ransomware response
Julie Rodríguez Acosta
Speech speed
121 words per minute
Speech length
1512 words
Speech time
746 seconds
The Costa Rica government attack demonstrated how ransomware can affect states’ ability to deliver essential services and maintain governance
Explanation
Julie describes the Costa Rica attack as a wake-up call that showed how ransomware can target entire government infrastructures, not just individual institutions. She emphasizes that this attack disrupted essential public services, compromised citizens’ personal data, and undermined public trust in the state’s ability to secure digital systems.
Evidence
Costa Rica government infrastructure crippled by ransomware; disruption of essential public services; compromise of citizens’ personal data; undermining of public trust in state’s digital security capabilities
Major discussion point
Ransomware as National Security Threat
Topics
Cybersecurity
Agreed with
– Brendan Dowling
Agreed on
Ransomware is a national security issue, not just a technical cybersecurity problem
The UN framework for responsible state behavior includes norms about preventing malicious actors from operating with impunity
Explanation
Julie explains the existing UN framework that outlines expectations for state behavior in cyberspace, including protection of critical infrastructure. However, she notes a gap between the framework’s principles and the reality on the ground, where attacks continue to target the very infrastructure meant to be protected.
Evidence
UN framework with voluntary non-binding norms and international law applicability; principle that critical infrastructure must be protected and respected; gap between framework and reality with continued attacks on protected infrastructure
Major discussion point
Response Mechanisms and Accountability
Topics
Cybersecurity | Legal and regulatory
Small nations like El Salvador leverage international cooperation through UN, OAS, and bilateral partnerships to combat ransomware
Explanation
Julie provides a Global South perspective on ransomware response, explaining how smaller nations must rely heavily on international cooperation and multilateral frameworks. She describes El Salvador’s multi-stakeholder approach including national laws, regional cooperation, and leveraging international capabilities.
Evidence
El Salvador’s enactment of cybersecurity and data protection laws; cooperation through UN and OAS; bilateral cooperation to learn from more advanced capabilities; recognition that small organizations globally are affected with massive consequences
Major discussion point
Public-Private Collaboration Models
Topics
Cybersecurity | Legal and regulatory | Development
Agreed with
– Brendan Dowling
– Chelsea Smethurst
– Francesca Bosca
Agreed on
Multi-stakeholder collaboration is essential for effective ransomware response
The UN’s future permanent mechanism offers opportunities for states to advance international cooperation on ransomware
Explanation
Julie highlights the transition from the current UN Open-Ended Working Group to a future permanent mechanism as a critical opportunity for all states to share insights on ransomware. She emphasizes that this new mechanism can help design cooperative mechanisms and advance international collaboration regardless of state size or capacity.
Evidence
Transition from current Open-Ended Working Group to permanent mechanism; opportunities for all states regardless of size and capacity to share insights; potential to design mechanisms for advancing international cooperation
Major discussion point
Capacity Building and Future Directions
Topics
Cybersecurity | Legal and regulatory
Francesca Bosca
Speech speed
146 words per minute
Speech length
1606 words
Speech time
657 seconds
Ransomware has evolved from opportunistic attacks to strategically targeting critical infrastructure with high sensitivity to disruption
Explanation
Francesca explains how ransomware groups have shifted their tactics from widespread opportunistic attacks to more strategic targeting of critical infrastructure sectors like healthcare and education. She notes that these sectors have limited cybersecurity resilience but high sensitivity to disruption, making them attractive targets despite potentially lower individual payouts.
Evidence
Shift from opportunistic attacks against many individuals to strategic targeting of critical infrastructure; focus on healthcare, education, and civil society with limited cybersecurity resilience; criminal profits hit record high with over $1 billion paid by victims in 2023 through cryptocurrency
Major discussion point
Evolution and Scale of Ransomware Threats
Topics
Cybersecurity
Agreed with
– Brendan Dowling
– Chelsea Smethurst
– Nedalcho Mihay
Agreed on
Vulnerable sectors and populations are increasingly targeted by ransomware
Initial access broker markets specialize in selling access to compromised networks, facilitating ransomware deployment
Explanation
Francesca describes a specialized criminal ecosystem where initial access brokers obtain and sell access to compromised networks of high-value organizations. This creates a form of cyber-organized crime with specialized professionals providing ransomware operators with the access they need to carry out attacks.
Evidence
Thriving initial access broker markets; brokers specializing in obtaining and selling access to compromised networks of high-value organizations; cyber-organized crime form with specialized professionals
Major discussion point
Enabling Factors and Criminal Ecosystem
Topics
Cybersecurity
Multi-stakeholder efforts including civil society organizations can provide victim-centered responses and ethical frameworks
Explanation
Francesca advocates for including civil society organizations in ransomware response efforts, arguing they bring unique value through documenting societal impacts and proposing ethical frameworks. She emphasizes that civil society can support victim-centered response protocols and reinforce due diligence requirements for digital infrastructure.
Evidence
Ransomware Task Force as successful multi-stakeholder effort; civil society’s unique capacity to document societal impacts; ability to propose ethical frameworks and victim-centered response protocols; support for due diligence in digital infrastructure
Major discussion point
Public-Private Collaboration Models
Topics
Cybersecurity
Agreed with
– Brendan Dowling
– Chelsea Smethurst
– Julie Rodríguez Acosta
Agreed on
Multi-stakeholder collaboration is essential for effective ransomware response
Disagreed with
– Brendan Dowling
– Chelsea Smethurst
Disagreed on
Role of civil society in ransomware response
Inclusive capacity building across different sectors and geographies is essential for meaningful collaboration
Explanation
Francesca emphasizes that collaboration on ransomware must be meaningful rather than tokenistic, requiring genuine capacity building efforts that don’t assume all stakeholders are at the same level. She stresses the need for inclusive approaches that span different sectors and geographic regions.
Evidence
Examples from different areas of the world showing varying capacity levels; need for inclusive capacity building work streams across sectors and geographies
Major discussion point
Capacity Building and Future Directions
Topics
Cybersecurity | Development
Vilda
Speech speed
149 words per minute
Speech length
171 words
Speech time
68 seconds
Ransomware is unique among crimes as the only type where the private sector dominates both crime prevention and incident response
Explanation
Vilda argues that ransomware represents a distinctive criminal phenomenon where, unlike other types of crime, the private sector takes the lead role in both preventing attacks and handling their aftermath. This creates an unusual dynamic in the traditional government-private sector relationship for crime response.
Evidence
Academic research showing ransomware as the only crime type where private sector dominates prevention and incident handling
Major discussion point
Public-Private Collaboration Models
Topics
Cybersecurity | Legal and regulatory
Agreements
Agreement points
Ransomware has dramatically increased and represents a global threat requiring urgent action
Speakers
– Giacomo Paoli Persi
– Chelsea Smethurst
– Brendan Dowling
Arguments
Ransomware attacks have grown by nearly 300% in the last year, becoming the most prominent global cybersecurity threat
Microsoft tracks over 600 million cyber attacks daily, with ransomware showing a 275% increase in usage over 12 months
Ransomware-as-a-service model has democratized cybercrime by lowering barriers to entry and allowing non-technical criminals to conduct attacks
Summary
All speakers agree that ransomware has seen unprecedented growth (275-300% increases) and has evolved into the most prominent global cybersecurity threat, requiring immediate and comprehensive responses.
Topics
Cybersecurity
Ransomware is a national security issue, not just a technical cybersecurity problem
Speakers
– Brendan Dowling
– Julie Rodríguez Acosta
Arguments
Ransomware attacks have consequences that ripple through society and require whole-of-nation responses, not just cybersecurity solutions
The Costa Rica government attack demonstrated how ransomware can affect states’ ability to deliver essential services and maintain governance
Summary
Both speakers emphasize that ransomware transcends technical cybersecurity issues and represents a fundamental threat to national security, governance, and essential service delivery.
Topics
Cybersecurity
Safe havens and jurisdictional challenges enable ransomware operations
Speakers
– Chelsea Smethurst
– Brendan Dowling
– Nedalcho Mihay
Arguments
Safe havens where ransomware groups operate with impunity, primarily in Russia, enable continued criminal activity
Australia applies financial sanctions, travel restrictions, and conducts active disruption of ransomware infrastructure
52% of analyzed threat actors remain unattributed, while 54% of attributed actors are linked to Russia
Summary
Speakers agree that safe havens, particularly in Russia, represent a critical enabling factor for ransomware operations, with attribution challenges complicating response efforts.
Topics
Cybersecurity | Legal and regulatory
Multi-stakeholder collaboration is essential for effective ransomware response
Speakers
– Brendan Dowling
– Chelsea Smethurst
– Francesca Bosca
– Julie Rodríguez Acosta
Arguments
Successful collaboration requires normalizing government engagement and creating safe spaces for information sharing without regulatory consequences
Microsoft’s pilot program with Europol integrates private sector expertise with government investigatory powers
Multi-stakeholder efforts including civil society organizations can provide victim-centered responses and ethical frameworks
Small nations like El Salvador leverage international cooperation through UN, OAS, and bilateral partnerships to combat ransomware
Summary
All speakers emphasize the critical need for collaboration across government, private sector, and civil society, with various models being tested and implemented globally.
Topics
Cybersecurity | Legal and regulatory
Vulnerable sectors and populations are increasingly targeted by ransomware
Speakers
– Brendan Dowling
– Chelsea Smethurst
– Nedalcho Mihay
– Francesca Bosca
Arguments
Attacks on small Pacific Island nations like Tonga’s National Health Information Service show the global reach and societal impact of ransomware
Microsoft tracks over 600 million cyber attacks daily, with ransomware showing a 275% increase in usage over 12 months
Analysis of 2,717 ransomware incidents shows over half targeted US organizations, with healthcare being the most affected sector
Ransomware has evolved from opportunistic attacks to strategically targeting critical infrastructure with high sensitivity to disruption
Summary
Speakers agree that ransomware groups are increasingly targeting vulnerable populations and critical infrastructure, particularly healthcare and small nations with limited defensive capabilities.
Topics
Cybersecurity
Similar viewpoints
Both speakers identify cryptocurrency and safe havens as fundamental enabling factors for ransomware operations, with cryptocurrency making financial tracking difficult and safe havens providing operational security for criminals.
Speakers
– Brendan Dowling
– Chelsea Smethurst
Arguments
Cryptocurrency enables long-range ransomware attacks and makes financial tracking more difficult for law enforcement
Safe havens where ransomware groups operate with impunity, primarily in Russia, enable continued criminal activity
Topics
Cybersecurity | Economic
Both speakers emphasize the importance of inclusive, multi-stakeholder approaches that consider the needs of vulnerable populations and smaller nations, advocating for capacity building and international cooperation.
Speakers
– Francesca Bosca
– Julie Rodríguez Acosta
Arguments
Multi-stakeholder efforts including civil society organizations can provide victim-centered responses and ethical frameworks
Small nations like El Salvador leverage international cooperation through UN, OAS, and bilateral partnerships to combat ransomware
Topics
Cybersecurity | Development
Both speakers focus on future-oriented solutions, emphasizing the potential of emerging technologies and the need for comprehensive capacity building to address ransomware challenges.
Speakers
– Chelsea Smethurst
– Francesca Bosca
Arguments
Artificial intelligence tools show promise for evolving countermeasures against ransomware attacks
Inclusive capacity building across different sectors and geographies is essential for meaningful collaboration
Topics
Cybersecurity | Development
Unexpected consensus
The role of civil society in ransomware response
Speakers
– Francesca Bosca
– Brendan Dowling
– Julie Rodríguez Acosta
Arguments
Multi-stakeholder efforts including civil society organizations can provide victim-centered responses and ethical frameworks
Successful collaboration requires normalizing government engagement and creating safe spaces for information sharing without regulatory consequences
Small nations like El Salvador leverage international cooperation through UN, OAS, and bilateral partnerships to combat ransomware
Explanation
Unexpectedly, speakers from government, civil society, and international organizations all agreed on the critical role of civil society in ransomware response, which is unusual given that cybersecurity is often viewed as primarily a government-private sector issue.
Topics
Cybersecurity | Legal and regulatory
The need for active disruption measures beyond traditional law enforcement
Speakers
– Brendan Dowling
– Chelsea Smethurst
Arguments
Australia applies financial sanctions, travel restrictions, and conducts active disruption of ransomware infrastructure
Microsoft’s pilot program with Europol integrates private sector expertise with government investigatory powers
Explanation
There was unexpected consensus between government and private sector representatives on the need for active disruption measures, including ‘frying servers’ and novel integration models, which represents a more aggressive approach than traditional cybersecurity responses.
Topics
Cybersecurity | Legal and regulatory
Overall assessment
Summary
The speakers demonstrated remarkably high consensus across all major aspects of ransomware challenges and responses. Key areas of agreement included the dramatic scale of the threat, its evolution from technical to national security issue, the critical role of safe havens and cryptocurrency as enablers, the need for multi-stakeholder collaboration, and the targeting of vulnerable populations and critical infrastructure.
Consensus level
Very high consensus with no significant disagreements identified. This strong alignment suggests a mature understanding of the ransomware threat landscape and broad agreement on response strategies. The implications are positive for policy development and international cooperation, as stakeholders from government, private sector, civil society, and international organizations share common threat assessments and response frameworks. This consensus provides a solid foundation for coordinated action and suggests that the main challenge is implementation rather than agreement on the nature of the problem or general response approaches.
Differences
Different viewpoints
Role of civil society in ransomware response
Speakers
– Francesca Bosca
– Brendan Dowling
– Chelsea Smethurst
Arguments
Multi-stakeholder efforts including civil society organizations can provide victim-centered responses and ethical frameworks
Australia applies financial sanctions, travel restrictions, and conducts active disruption of ransomware infrastructure
Microsoft’s pilot program with Europol integrates private sector expertise with government investigatory powers
Summary
Francesca advocates for including civil society as a third pillar alongside government and private sector, emphasizing victim-centered approaches and ethical frameworks. However, other speakers focus primarily on government-private sector partnerships without explicitly including civil society organizations in their collaboration models.
Topics
Cybersecurity | Legal and regulatory
Unexpected differences
Emphasis on capacity building vs. enforcement
Speakers
– Francesca Bosca
– Brendan Dowling
Arguments
Inclusive capacity building across different sectors and geographies is essential for meaningful collaboration
Australia applies financial sanctions, travel restrictions, and conducts active disruption of ransomware infrastructure
Explanation
While both speakers acknowledge the global nature of the ransomware threat, Francesca emphasizes the need for inclusive capacity building and not assuming all stakeholders are at the same level, while Brendan focuses more on enforcement measures and active disruption. This represents an unexpected philosophical difference between capacity-building versus enforcement-first approaches.
Topics
Cybersecurity | Development
Overall assessment
Summary
The speakers showed remarkable consensus on the nature and scale of the ransomware threat, with disagreements primarily focused on implementation approaches rather than fundamental issues. Main areas of difference included the role of civil society in response efforts, preferred models for public-private collaboration, and emphasis between capacity building versus enforcement measures.
Disagreement level
Low to moderate disagreement level. The speakers demonstrated strong alignment on threat assessment and the need for collaborative responses, with differences mainly in tactical approaches and stakeholder inclusion. This suggests a mature policy discussion where the fundamental challenges are well understood, but implementation strategies are still evolving. The implications are positive for policy development, as the shared understanding of core issues provides a solid foundation for developing comprehensive responses that could incorporate multiple approaches.
Takeaways
Key takeaways
Ransomware has evolved from a cybersecurity issue to a national security threat requiring whole-of-society responses, with attacks growing 275-300% in the past year
The ransomware-as-a-service model has democratized cybercrime by lowering barriers to entry and enabling non-technical criminals to conduct sophisticated attacks
Cryptocurrency and safe haven jurisdictions (primarily Russia) are key enablers that make ransomware profitable and difficult to prosecute
Critical infrastructure and vulnerable populations (healthcare, small nations, NGOs) are increasingly targeted due to their high sensitivity to disruption and limited cybersecurity resources
Successful counter-ransomware efforts require coordinated multi-stakeholder collaboration between governments, private sector, and civil society organizations
Attribution remains challenging with 52% of threat actors unattributed, though 54% of attributed actors are linked to Russia
Public-private partnerships must normalize government engagement and create safe information-sharing environments without regulatory consequences
International cooperation through mechanisms like the UN framework, Budapest Convention, and Counter Ransomware Initiative is essential but implementation remains insufficient
Resolutions and action items
Australia’s mandatory ransomware payment reporting scheme to improve collective response and information sharing
Microsoft’s pilot program with Europol to integrate private sector expertise with government investigatory powers
Cyber Peace Institute’s two-phase project to map ransomware threat actors globally and evaluate state compliance with UN cyber norms
El Salvador’s advocacy for stronger UN language addressing ransomware and support for establishing permanent mechanisms for international cooperation
Australia’s deployment of assistance teams to help Tonga recover from ransomware attacks on their National Health Information Service
Unresolved issues
How to effectively address safe haven jurisdictions where ransomware groups operate with impunity, particularly Russia’s non-cooperation
Developing scalable models for public-private collaboration that can be replicated across different countries and sectors
Creating inclusive capacity building programs across different geographies and sectors to address varying levels of cybersecurity readiness
Establishing effective mechanisms for cryptocurrency tracking and regulation to disrupt ransomware financial flows
Determining the role of blockchain technology in mitigating cyber threats, with limited current research available
Addressing the challenge that over 90% of successful ransomware attacks target unmanaged devices in under-resourced organizations
Developing victim-centered response protocols and ethical frameworks for ransomware incidents
Suggested compromises
Creating safe spaces for private sector engagement with government where shared information will not be used for regulatory purposes
Balancing mandatory reporting requirements with incentives for voluntary cooperation and information sharing
Leveraging international organizations and bilateral partnerships to help smaller nations access cybersecurity capabilities they cannot develop independently
Integrating civil society organizations into public-private partnerships to provide victim-centered perspectives and ethical frameworks
Using the UN’s future permanent mechanism to focus on practical implementation of existing norms rather than creating new commitments
Thought provoking comments
What we’re seeing at the moment in Pacific Islands, some countries with populations fewer than 100,000 people are being targeted by cybercrime groups operating out of Russia. Last week, the National Health Information Service in Tonga was shut down by a ransomware attack… At the moment, in hospitals in Tonga, people are using paper and pen to deliver healthcare to their people.
Speaker
Brendan Dowling
Reason
This comment powerfully reframes ransomware from a technical cybersecurity issue to a humanitarian crisis affecting the most vulnerable populations. It demonstrates the global reach and indiscriminate nature of ransomware attacks, challenging assumptions about who gets targeted.
Impact
This vivid example set the tone for the entire discussion, establishing ransomware as a human-centered issue rather than just a technical problem. It influenced subsequent speakers to adopt similar human-impact framing and contributed to the panel’s emphasis on ransomware as a national security threat.
For anyone who thinks ransomware is a technical issue, out of that incident, we saw women and families facing domestic violence from partners who weren’t aware of the health treatment that their spouse or their mother or their sister had been seeking, and had to be moved to safe houses to escape violent partners or former partners. These are not cyber issues. These are not technical issues. These are whole of nation security and safety issues.
Speaker
Brendan Dowling
Reason
This comment fundamentally challenges how ransomware is categorized and understood, revealing unexpected cascading social consequences that extend far beyond the immediate cyber incident. It demonstrates how data breaches can trigger real-world violence and endanger lives.
Impact
This observation became a central theme throughout the discussion, with multiple speakers subsequently emphasizing the societal and national security dimensions of ransomware. It helped shift the conversation from technical solutions to whole-of-society responses.
This crime type didn’t exist before cryptocurrency. Cryptocurrency enabled the long-range launching of ransomware attacks across the globe.
Speaker
Brendan Dowling
Reason
This insight identifies cryptocurrency as the fundamental enabler that transformed ransomware from a localized nuisance into a global threat. It provides a clear causal link between financial innovation and criminal evolution.
Impact
This observation was picked up by multiple subsequent speakers who elaborated on cryptocurrency’s role in ransomware operations. It helped frame the discussion around the intersection of financial technology and cybercrime, influencing later conversations about blockchain and financial tracking.
We also see cases where ransomware has been used, not primarily for financial gain, but as a vector to conduct denial-of-service attacks that affect the availability of system and national space… This attack disrupted essential public services and compromised the confidentiality of citizens’ personal data… it undermines public trust in the state’s ability to secure a digital system.
Speaker
Julie Rodríguez Acosta
Reason
This comment introduces a crucial distinction between financially-motivated ransomware and state-linked operations with broader strategic objectives. It highlights how ransomware can be weaponized to undermine governmental legitimacy and public trust.
Impact
This insight elevated the discussion to the level of international relations and state security, influencing the moderator’s subsequent questions about state accountability and the role of multilateral institutions in addressing ransomware threats.
So it’s as far as I can tell the only type of crime or cyber crimes the only type of crime where the private sector is dominating both on crime prevention but also handling the incident and dealing with the aftermath
Speaker
Vilda (audience member)
Reason
This observation from a criminologist provides a unique analytical framework that distinguishes ransomware from all other crime types. It highlights an unprecedented shift in crime response dynamics where traditional government roles have been largely assumed by private entities.
Impact
This comment prompted detailed responses from government representatives about public-private cooperation models and sparked discussion about the need to normalize government engagement in ransomware incidents. It helped frame the final portion of the discussion around collaborative response models.
We have this service industry where you can talk to a liaison person or a broker who will connect you with the person who will conduct the initial attack on a system… So it is now an accessible crime type. And for most ransomware groups, they will just take 20% of the profit from the attack that you conduct. So it’s become democratised, industrialised, and it is ubiquitous.
Speaker
Brendan Dowling
Reason
This comment reveals the sophisticated business model behind modern ransomware operations, showing how it has evolved from individual hacking to an organized criminal industry with specialized roles and profit-sharing structures.
Impact
This insight was reinforced by other speakers who discussed ‘ransomware as a service’ and influenced the discussion about why ransomware attacks have increased so dramatically. It helped explain the scalability and accessibility that drives the current ransomware epidemic.
Overall assessment
These key comments fundamentally transformed what could have been a technical cybersecurity discussion into a comprehensive examination of ransomware as a multifaceted global crisis. Dowling’s vivid examples of human impact in Tonga and Australia established an emotional and humanitarian foundation that influenced all subsequent speakers to frame their contributions in terms of real-world consequences rather than abstract technical challenges. The identification of cryptocurrency as the foundational enabler provided a clear analytical framework that other speakers built upon. The distinction between criminal and state-linked ransomware operations elevated the discussion to matters of international security and diplomacy. Finally, the criminologist’s observation about the unique public-private dynamics in ransomware response opened up crucial questions about governance and collaboration models. Together, these insights created a rich, multi-dimensional conversation that addressed technical, social, economic, political, and humanitarian aspects of the ransomware threat, demonstrating how individual thought-provoking observations can elevate and redirect an entire policy discussion.
Follow-up questions
How is it possible that despite the fact that we all know what ransomware is, it’s still having such a devastating impact on cyber security?
Speaker
Giacomo Paoli Persi
Explanation
This fundamental question about the persistence of ransomware despite awareness was posed at the beginning but not fully answered, requiring deeper investigation into the gap between knowledge and effective countermeasures
Is there any research on how blockchain deployment is correlated to the mitigation of cyber threats? If no, how do we promote this research topic? And if yes, what is the outcome?
Speaker
Online participant (via Michael Karamean)
Explanation
This question about blockchain’s potential role in cybersecurity mitigation was only partially addressed, with speakers acknowledging their knowledge was outdated and suggesting need for current research
How to use blockchain for ransomware resistance and incident attribution
Speaker
Francesca Bosca
Explanation
Francesca expressed specific interest in exploring blockchain applications for ransomware defense and attribution, indicating this as a promising research direction
How you can integrate blockchain with AI for automated threat detection
Speaker
Francesca Bosca
Explanation
This represents an emerging area combining two technologies that could enhance cybersecurity capabilities but requires further investigation
Research into exploitable and exploited infrastructure used for multiple criminal activities beyond ransomware
Speaker
Francesca Bosca
Explanation
Phase two of the Cyber Peace Institute’s research will investigate how the same infrastructure is used for various crimes, which is currently under-researched
What are the opportunities (weaknesses of the system) that criminals exploit, beyond just the means they use
Speaker
Giacomo Paoli Persi
Explanation
The moderator noted there’s insufficient focus on the ‘opportunities’ aspect of criminal behavior in ransomware, suggesting need for more research on systemic vulnerabilities
How creative uses of artificial intelligence tools will evolve to counter ransomware in the coming years
Speaker
Chelsea Smethurst
Explanation
Chelsea expressed interest in seeing how AI countermeasures against ransomware will develop, indicating this as an important area for ongoing research and development
Development of model laws or legislation for countries that need regulatory frameworks to intervene against ransomware
Speaker
Giacomo Paoli Persi
Explanation
The moderator suggested this as a potential area for UN work, noting that some states may lack legal frameworks to take action against ransomware operations in their territory
How to build inclusive capacity building work streams across different sectors and geographies
Speaker
Francesca Bosca
Explanation
Francesca emphasized the need for comprehensive capacity building research and implementation, noting that not all stakeholders are at the same level of understanding or capability
Disclaimer: This is not an official session record. DiploAI generates these resources from audiovisual recordings, and they are presented as-is, including potential errors. Due to logistical challenges, such as discrepancies in audio/video or transcripts, names may be misspelled. We strive for accuracy to the best of our ability.