Ransomware as a State-Sponsored Weapon
Executive Summary
Ransomware is no longer the exclusive domain of cybercriminal threat actors. Actors linked to China, Russia, Iran, and North Korea increasingly deploy it as a strategic instrument to conceal espionage, disrupt critical sectors, and fund national objectives:
- Russia has a history of deploying pseudo-ransomware, such as NotPetya, to disrupt its adversaries.
- China-linked threat actors use ransomware to obscure espionage and complicate attribution.
- Iranian state-sponsored groups blend extortion and disruption to inflict financial and operational damage.
- North Korea, under heavy sanctions, deploys ransomware to fund national priorities, including military and cyber programs.
Nation-states are almost certain to expand ransomware operations against critical infrastructure, using artificial intelligence, access brokers, and data leaks to advance cyberwarfare and influence campaigns while maintaining plausible deniability.
Organizations should consider briefing their boards on state motivations, rehearsing flashpoint scenarios, and strengthening resilience with offline, immutable backups and proactive detection (EDR/XDR) supported by Recorded Future® intelligence.
Figure 1: A selection of ransomware families and variants that have been used by state-backed actors
(Source: Recorded Future)
Analysis
Ransomware continues to impact organizations across every industry worldwide. While it is often framed as a criminal threat, the reality is more complex: actors linked to nation-states are increasingly weaponizing ransomware to advance their strategic objectives. Below is an overview of activity by country.
China appears to use ransomware to conceal espionage and reduce attribution risk. For example, in 2022, the China-linked threat group “Bronze Starlight” allegedly deployed ransomware to conceal its espionage activities. More recently, in July 2025, Microsoft reported that a China-linked threat actor employed Warlock ransomware, possibly to exfiltrate sensitive information. In 2020, the deployment of ColdLock ransomware against the energy and semiconductor sectors occurred shortly after President Tsai Ing-wen’s electoral victory. Taiwan attributed the attack to the Chinese state-sponsored threat actor known as Winnti. Winnti, also known as the Winnti Group, is an umbrella term that encompasses several threat groups, including RedGolf (also known as BARIUM, Brass Typhoon, WICKED PANDA, and APT41). Some reports stated there was no demand for payment and the attack was deliberately destructive; other reports suggest a $3,000 USD payment was requested.
Russia is assessed to be actively leveraging some ransomware actors to serve its geopolitical and financial interests. Some cybercriminal threat groups appear to act in ways that align with Kremlin interests, either directly or indirectly, to stay clear of local law enforcement and to insulate themselves from Western attention. In 2025, German media reported that the GRU (Russia’s military intelligence) cooperated with ransomware operators to exfiltrate data from private firms contracted by the German military.
Figure 3: Recorded Future’s Country Risk Data identifies 35 countries with advanced surveillance capabilities. Of these, 24 have no or limited legal oversight over the use of those capabilities, increasing the risk of intrusive cyber monitoring.
(Source: Recorded Future)
Iran-aligned threat actors have reportedly used ransomware both as a revenue source and as a geopolitical tool for a number of years. Since 2020, multiple groups associated with Iran’s Ministry of Intelligence (MOIS) and the Islamic Revolutionary Guard Corps (IRGC) have established fronts to launch targeted, disruptive, and destructive attacks against public and private entities. The overwhelming majority of targets reside in Israel or in countries deemed to collaborate with anti-regime elements, such as Albania. Some of the groups associated with the Iranian government’s ransomware operations include BlackShadow, DarkBit, Homeland Justice, Moses Staff, and Pay2Key. Pay2Key is tied to Iran’s Fox Kitten (aka Lemon Sandstorm) and has targeted nations antagonistic to Iran, such as Israel and the US. Iranian operators have also disguised wiper attacks — as with Agrius’s use of Apostle, for example — as ransomware attacks, using ransom notes to mask their destructive intent. The FBI has assessed that state-aligned threat actors are collaborating with or coordinating operations alongside criminal ransomware groups such as NoEscape, RansomHouse, and ALPHV.
Figure 4: Infographic showing how Iranian state-sponsored threat actors collaborated with ransomware operators
(Source: Recorded Future)
North Korean cyber operations serve as a clear example of how ransomware is used to achieve state-sponsored strategic objectives. Government institutions in the UK attribute the 2017 WannaCry campaign, which disrupted key services, including the UK’s NHS, to North Korea’s Lazarus Group. North Korea has also deployed ransomware, such as Maui, specifically targeting healthcare providers, very likely because of the large volume of digitized personally identifiable information they hold. US and South Korean authorities assess that ransom proceeds, alongside those of other cryptocurrency thefts, support the DPRK’s strategic goals, including its ballistic missile, nuclear, and offensive cyber programs. Furthermore, North Korean threat groups, such as Andariel, are known to combine ransomware operations with espionage. The 227 Research Centre within North Korea is also developing domestic AI capabilities, which could in turn be used to support ransomware-focused cyber operations.
Outlook
Critical infrastructure is very likely to be increasingly targeted with ransomware under the guise of criminal activity: Nation-states are very likely to increasingly direct ransomware campaigns against critical national infrastructure sectors. These operations, carried out by actors that appear not to be state-sponsored, would serve both as pressure tactics and as preparation for potential conflict, while maintaining plausible deniability by framing them as “criminal” attacks.
Artificial intelligence will almost certainly accelerate the adaptation of ransomware: AI-driven automation will likely help threat actors enhance deepfakes, tailor phishing lures, dynamically evade defenses, generate forged stolen data, optimize payload delivery, and refine ransom pricing.
Access brokers are likely to become a key enabler of state-sponsored ransomware operations: The growing market for initial access will enable nation-states to purchase footholds in sensitive networks. This commoditization of initial intrusion will very likely support state-linked ransomware campaigns.
Ransomware will likely continue to be used as a testbed for cyber warfare capabilities: States are likely to increasingly use ransomware incidents to trial exploits, gauge adversaries' response times, and refine disruptive techniques, with lessons feeding directly into their respective military cyber doctrines.
Ransomware data leaks are likely to be used for influence operations: Leak and extortion websites and stolen data may be weaponized beyond financial extortion and used to embarrass governments, discredit political figures, or sow distrust in democratic institutions. This merges traditional influence operations with cybercrime.
The ransomware ecosystem is likely to fragment further, making attribution even more challenging: The growth of ransomware-as-a-service (RaaS) and access-broker markets has eroded the distinction between state and criminal actors, providing nation-states with opportunities to outsource capabilities, expand operational reach, and preserve plausible deniability.
Mitigations
Integrate geopolitical threat intelligence: Security teams must connect ransomware events to state objectives. CISOs should consider briefing boards on the motivations and strategic intent of adversaries.
Recorded Future Solutions: Geopolitical Intelligence
Resilience testing through scenarios: Move beyond standard tabletop exercises, simulating ransomware incidents aligned with geopolitical flashpoints (for example, energy attacks during elections).
MITRE D3FEND™: Operational Activity Mapping (D3-OAM)
Rigorous backups and recovery: Maintain offline, immutable backups and validate recovery regularly — this remains a foundational control.
MITRE D3FEND™: Restore Disk Image (D3-RDI)
Proactive detection and threat hunting: Ensure EDR/XDR tools are tuned and enriched with high-fidelity threat intelligence to detect state-sponsored tactics, techniques, and procedures (TTPs) early.
MITRE D3FEND™: Network Traffic Analysis (D3-NTA), Identifier Analysis (D3-ID)
Recorded Future Solutions: SecOps Intelligence, Threat Intelligence, Integrations, Managed Monitoring
Deception and disruption: Deploy honeypots, decoy credentials, and fake environments to slow attackers and expose their techniques early.
MITRE D3FEND™: Decoy Environment (D3-DE)
Risk Scenario
Scenario: A state-backed threat actor targets a critical infrastructure company supplying a rival nation, framing the intrusion as a criminally motivated ransomware attack to obscure attribution.
First-Order Implications
Threat
A front group infiltrates via a third-party vendor. Using AI-driven deepfakes, the front group spoofs IT support, gains credentials, moves laterally, exfiltrates data, and encrypts systems. It also sabotages control systems.
Organizational Risk
- Operational: Loss of system visibility, reliance on manual processes, and increased safety risk
- Financial: Revenue disruption, recovery costs, and potential ransom negotiation
- Legal: Breach mandates, contractual penalties, evidence handling, and preservation
- Brand: Public exposure, damage to stakeholder confidence
Second-Order Implications
Threat
Threat actors escalate pressure through media-facing leak sites, time their data dumps, and push the narrative that this is a typical ransomware event, thereby deflecting scrutiny.
Organizational Risk
- Operational: Extended downtime, supplier/partner impact
- Financial: Emergency spending, insurance claims, and performance penalties
- Legal: Regulatory investigations, data exposure
- Brand: Persistent negative coverage, erosion of trust
Third-Order Implications
Threat
The threat actor maintains covert persistence by creating hidden accounts, modifying firmware, abusing vendor update channels, and staging ransomware-like incidents to conceal ongoing activity.
Organizational Risk
- Operational: Repeated breaches, rebuild costs, and architectural overhaul
- Financial: Long-term investment in segmentation, monitoring, and replacement systems; rising insurance or borrowing costs
- Legal: Ongoing compliance scrutiny, audits, and mandated remediation
- Brand: Perception of perennial weakness, reluctance from partners to do further business
Further Reading
- Dark Covenant: Connections Between the Russian State and Criminal Actors
- Dark Covenant 2.0: Cybercrime, the Russian State, and the War in Ukraine
- Dark Covenant 3.0: Controlled Impunity and Russia’s Cybercriminals
- From Coercion to Invasion: The Theory and Execution of China’s Cyber Activity in Cross-Strait Relations
- Inside the Scam: North Korea’s IT Worker Threat
- Initial Access Brokers Are Key to Rise in Ransomware Attacks
- Iran’s AI Ambitions: Balancing Economic Isolation with National Security Imperatives
- Ransomware’s New Masters: How States Are Hijacking Cybercrime