Nation states are ramping up destructive attacks utilising ransomware and wipers. What can be done to manage the risk?
In 2017, Russia-linked adversaries unleashed an attack that later became known as NotPetya, as part of an ongoing campaign against Ukraine. Although it was disguised to look like the Petya ransomware, the tool was a wiper: its purpose was destruction rather than financial gain, and there was no working way to recover encrypted files even if a victim paid. The damage went far beyond its target, hitting companies across Europe and beyond.
Nearly a decade later, wipers and ransomware are becoming key tools for nation state attackers to halt critical services and cause disruption.
The 2021 Colonial Pipeline incident is a prime example of the damage that can occur as a result of this type of attack. Attributed to DarkSide — a group with Russian links — the attack forced the shutdown of the largest fuel pipeline in the US, triggering widespread fuel shortages.
In 2021, North Korean government-linked adversaries perpetrated the Maui ransomware attacks against hospitals and diagnostic centres, with the aim of generating revenue and causing chaos.
The escalating geopolitical situation, including the Russia-Ukraine war and the Iran conflict, is adding to the threat, with growing fears of destructive attacks from adversaries linked to hostile nations such as China, Russia, Iran and North Korea (CRINK).
This has led national security agencies to issue warnings, with the UK National Cyber Security Centre (NCSC) detailing tools to help businesses mitigate the risk.
What can firms do to manage this growing issue?
The Evolution of Ransomware
There’s no doubt the risk of nation state attacks utilising ransomware as part of geopolitical aims is growing. Tracey Hannan-Jones, information security consulting director at UBDS Digital, believes the line between cybercrime and geopolitics “has never been thinner”.
What was once the domain of financially motivated criminal gangs has evolved into a “sophisticated instrument of state power”, according to Hannan-Jones.
This is seeing ransomware, malware and destructive cyberattacks used beyond extortion. “They are weapons of geographical disruption, deployed by nation-state actors to destabilise governments, cripple infrastructure, and project power — without a single shot being fired,” she says.
Previously, ransomware attacks followed a predictable logic: encrypt, demand payment and profit.
This has shifted dramatically as nation-state actors — most notably those aligned with Russia, North Korea, China, and Iran — have adopted and adapted the same techniques, often “with objectives far beyond financial gain”, says Hannan-Jones.
Undermining Trust
Gary Barlet, public sector CTO at Illumio, concurs with Hannan-Jones’ analysis. In some cases, attacks are designed to undermine public trust, create operational instability and apply economic pressure, says Barlet.
He explains how many ransomware groups operate in environments where they receive indirect protection or tacit approval from governments that see strategic value in their activity. “This convergence creates a huge challenge for defenders who are no longer dealing with just isolated criminal activity.”
The issue now is threats that sit in a “grey zone” between financially-motivated attacks and state-aligned operations, according to Barlet. “Ransomware groups increasingly behave like proxies, targeting foreign adversaries or contributing to broader destabilisation efforts.”
At the same time, it’s difficult to identify the perpetrators, because cyber operations are deliberately designed to provide criminals with plausible deniability. “An attack may appear financially-motivated at first glance, but the operational timing, target selection, or broader impact may suggest strategic intent underneath,” explains Barlet.
Opportunistic Vs Strategic
Nation state attacks can be strategic or opportunistic. Money is often a motivator for nation state attacks, such as those perpetrated by North Korea.
It is not unusual to observe nation state adversaries “monetising digital insecurity to generate illicit revenue”, says Jamie Moles, senior technical manager at ExtraHop. “By collaborating with cybercriminal syndicates, states deploy ransomware and exploit supply chain vulnerabilities. This financial extraction allows regimes to bypass international sanctions and fund ‘off-book’ intelligence operations.”
Opportunity can also play a part: with attention focused on the conflict in Iran, other actors such as Russia can operate with less scrutiny.
Meanwhile, state-sponsored attackers sometimes take advantage of the cybercrime ecosystem to conceal their culpability in attacks, says Andrew Brandt, principal threat intelligence incident commander at Huntress. “Why spend the time to develop custom, bespoke malware when you can just take the leaked source code from Gh0stRAT and use that, instead?”
Supply Chain and Critical Infrastructure Risk
The risk is expanding further as supply chains become more digitally interconnected, seeing them inherit new points of failure that attackers are quick to exploit. Cybercriminals routinely abuse misconfigurations, insecure APIs and weak authentication to gain initial access before moving laterally toward critical systems, according to Illumio’s Barlet.
Ransomware groups also know that disrupting supply chains can be far more damaging and profitable than stealing data. “Even short-lived disruption can ripple across global supply chains, particularly in just-in-time production environments where delays quickly go downstream,” says Barlet.
As this threat grows, traditional security models can struggle, because they are built for isolated incidents rather than sustained, state-backed campaigns.
Security models are often built around “a perimeter-based mindset”, according to Barlet. “Security teams think in binary terms about whether an attacker got in or not, meaning they often fail to account for what happens afterwards. This creates unrealistic expectations that every breach can be prevented.”
However, when attackers breach the perimeter, they often move laterally across systems, escalating access and causing widespread disruption. “By focusing too heavily on the perimeter, organisations are effectively defending a finite boundary while ransomware actors operate freely inside once they get through it,” explains Barlet.
He says the Jaguar Land Rover and retail attacks last year followed this pattern. “The attackers compromised networks, targeted systems critical to services and operations and exfiltrated sensitive information.”
Limit the Impact
As the lines between criminal and state-aligned attacks continue to blur, organisations need resilience thinking, cross-sector awareness, supply chain visibility and executive-level accountability. Frameworks such as ISO 27001 can provide a basis for managing risk amid the growing threat.
With the nation state threat surging amid geopolitical disruption across the world, Barlet believes firms — particularly those operating in critical sectors — need to let go of the idea of total prevention and instead focus on limiting the impact of ransomware through breach containment.
“A containment-first strategy forces attackers to slow down, making it harder for them to remain hidden and move across different systems,” he explains. “More importantly, it forces attackers to change their techniques and procedures, giving security teams a much better chance of detecting, responding to and recovering from attacks.”
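The article does not say what breach containment looks like on an endpoint, so the following is an added example, not code from the article, from Illumio or from any vendor. It shows one concrete form of a containment-first policy: a Windows host firewall baseline that denies the ports ransomware operators use for lateral movement (SMB, RPC, RDP, WinRM) between peer workstations, permits management only from designated jump hosts, and logs the blocked attempts so that an intruder who has to probe for another path becomes visible. The user subnet, jump-host addresses and rule names are hypothetical placeholders.

```powershell
# Added example (not from the article or any vendor): containment-first host
# firewall baseline for Windows workstations. Addresses are hypothetical.
$UserSubnet   = '10.20.0.0/16'                 # where peer workstations live
$JumpHosts    = @('10.9.0.10', '10.9.0.11')    # the only hosts allowed to manage endpoints
$LateralPorts = @('135', '139', '445', '3389', '5985', '5986')  # RPC, NetBIOS, SMB, RDP, WinRM

# 1. Default-deny inbound on every profile, keep outbound open so users still work,
#    and log dropped packets so denied probes can be collected by the SIEM.
Set-NetFirewallProfile -Profile Domain, Private, Public `
    -DefaultInboundAction Block -DefaultOutboundAction Allow `
    -LogBlocked True -LogMaxSizeKilobytes 32767 `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

# 2. In Windows Firewall a Block rule always wins over an Allow rule, so this
#    stops peer-to-peer lateral movement even if an installer later adds a
#    broad "allow from any" rule for File and Printer Sharing or Remote Desktop.
New-NetFirewallRule -DisplayName 'Containment: block inbound lateral ports from peers' `
    -Group 'Containment' -Direction Inbound -Action Block -Protocol TCP `
    -LocalPort $LateralPorts -RemoteAddress $UserSubnet -Profile Any

# 3. Management traffic is allowed only from the jump hosts. They sit outside
#    the user subnet, so the block rule above does not catch them.
New-NetFirewallRule -DisplayName 'Containment: allow management from jump hosts' `
    -Group 'Containment' -Direction Inbound -Action Allow -Protocol TCP `
    -LocalPort @('3389', '5985', '5986') -RemoteAddress $JumpHosts -Profile Any

# 4. A workstation has no business initiating SMB/RDP/WinRM to another
#    workstation, so block it outbound as well; a compromised host then
#    cannot spread even to peers whose own firewall has been weakened.
New-NetFirewallRule -DisplayName 'Containment: block outbound lateral ports to peers' `
    -Group 'Containment' -Direction Outbound -Action Block -Protocol TCP `
    -RemotePort $LateralPorts -RemoteAddress $UserSubnet -Profile Any

# 5. Verify the rule set, then surface recent blocked lateral attempts. The
#    pfirewall.log fields are: date time action protocol src-ip dst-ip src-port dst-port ...
Get-NetFirewallRule -Group 'Containment' |
    Format-Table DisplayName, Direction, Action, Enabled -AutoSize

Select-String -Path "$env:SystemRoot\System32\LogFiles\Firewall\pfirewall.log" `
    -Pattern 'DROP TCP \S+ \S+ \S+ (135|139|445|3389|5985|5986) ' |
    Select-Object -Last 20
```

Run it elevated on a test workstation first, since step 1 drops every inbound connection that no Allow rule covers. Servers need a different baseline: a file server must accept SMB, and deployment or monitoring systems that legitimately reach workstations should be added to the Allow rule alongside the jump hosts rather than by widening the subnet exception. The log lines matched in step 5 are the signal the quoted strategy relies on: a peer workstation repeatedly being refused on port 445 or 3389 is exactly the behaviour an attacker is forced into once the easy path is closed, and it should be forwarded and alerted on, not left in the local file.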
UBDS Digital’s Hannan-Jones thinks that the focus should be on resilience over prevention. “No organisation can guarantee it will not be attacked, so the focus must shift to resilience: The ability to detect, respond and recover with robust business continuity and disaster recovery planning.”
Incident response preparedness is key, including rehearsed plans with “clear escalation paths and communication protocols to significantly reduce the impact of a successful attack”, says Hannan-Jones.
Organisations should also prioritise threat intelligence integration, she advises. “This means moving beyond generic security alerts and consuming sector-specific, geopolitically-contextualised threat intelligence to understand which threat actors are active, their tactics, and their targets for proportionate risk management.”