International Law Enforcement’s Impact on Ransomware Dynamics: A Comprehensive Analysis

Abstract

The persistent and escalating global threat posed by ransomware necessitates a robust and meticulously coordinated response from international law enforcement agencies. This comprehensive research report delves into the intricate mechanisms and strategic efficacy of these international efforts aimed at disrupting the sophisticated operations of ransomware syndicates. Focusing on pivotal operations such as the multifaceted takedown targeting the prolific LockBit ransomware group, the temporary incapacitation of ALPHV (BlackCat), and wide-ranging initiatives spearheaded by Interpol, this study undertakes a critical analysis of their direct and indirect impacts. The primary objectives are to meticulously assess the observed shifts in ransomware payment trends, evaluate the resilience and operational security adjustments adopted by cybercriminal entities in the face of these enforcement actions, and explore the broader, systemic implications for the evolving dynamics of international cybercrime. By dissecting these complex interactions, this report seeks to provide an in-depth understanding of the challenges and successes in the ongoing global struggle against ransomware.

Many thanks to our sponsor Esdebe who helped us prepare this research report.

1. Introduction

Ransomware attacks have unequivocally solidified their position as one of the most pervasive and economically damaging forms of cybercrime globally. Their impact transcends mere financial loss, extending to critical infrastructure disruptions, severe reputational damage, and, in some cases, the direct endangerment of public safety, particularly when healthcare or essential services are targeted. The contemporary ransomware landscape is characterized by a high degree of sophistication, a relentless pursuit of profit, and a burgeoning reliance on advanced tactics, techniques, and procedures (TTPs). This evolution has been significantly fueled by the proliferation of Ransomware-as-a-Service (RaaS) models, which have dramatically lowered the technical barriers to entry for aspiring cybercriminals, thereby broadening the base of actors engaged in these illicit activities. The ease of access to ready-made malicious software, robust operational infrastructure, and even negotiation services means that individuals or smaller groups can launch highly impactful attacks without possessing extensive technical expertise in malware development.

In response to this escalating and increasingly complex threat, international law enforcement agencies have embarked upon an unprecedented era of intensified collaboration. These concerted efforts aim not only to apprehend individual perpetrators but, more crucially, to dismantle the underlying organizational structures, financial networks, and technological infrastructures that sustain these criminal enterprises. This report provides an exhaustive examination of the strategies deployed by these agencies, the profound legal and jurisdictional challenges inherent in cross-border cybercrime investigations, and the tangible outcomes achieved through these collaborative operations. By offering a comprehensive overview, this paper illuminates the current state of international law enforcement’s indispensable role in the continuous global battle against ransomware.

2. The Evolution of Ransomware and the Emergence of RaaS

2.1 Early Developments in Ransomware

The trajectory of ransomware has been one of continuous evolution, morphing from rudimentary, often opportunistic, attacks into highly sophisticated and globally coordinated operations. The concept of encrypting data and demanding payment for its release is not new, with early antecedents dating back to the late 1980s. The ‘AIDS Trojan’ or ‘PC Cyborg’ ransomware, distributed via floppy disk in 1989, demanded payment for decryption, illustrating the nascent stages of this criminal model. However, these early forms were largely unsophisticated, often easily circumvented, and primarily targeted individual users with limited technical knowledge, demanding relatively modest payments, typically via postal mail.

Significant shifts began to occur in the mid-2000s with the advent of more robust encryption algorithms and the widespread adoption of digital payment systems. CryptoLocker, which emerged in 2013, marked a pivotal moment. It was one of the first ransomware variants to leverage strong, asymmetric encryption (RSA-2048), making decryption without the private key practically impossible. Crucially, CryptoLocker also pioneered the use of Bitcoin for ransom payments, providing an anonymous and difficult-to-trace monetary transfer mechanism that significantly emboldened cybercriminals. Its success demonstrated the immense profitability of encrypting valuable digital assets and demanding cryptocurrency.

Following CryptoLocker, the ransomware landscape rapidly diversified. The 2017 WannaCry and NotPetya outbreaks, though differing in their primary intent, showcased the devastating potential of ransomware-like functionality coupled with wormable capabilities, enabling rapid, widespread self-propagation across networks. WannaCry infected hundreds of thousands of computers globally, crippling hospitals, businesses, and government agencies by exploiting a vulnerability in Windows systems. NotPetya, initially disguised as ransomware, was later identified as a destructive wiper malware, demonstrating the blurring lines between profit-driven encryption and state-sponsored sabotage. These events highlighted the critical infrastructure dependencies and the profound economic and societal vulnerabilities exposed by such large-scale cyberattacks, prompting a dramatic escalation in defensive and offensive cybersecurity measures worldwide.

2.2 The Rise of Ransomware-as-a-Service (RaaS)

The advent of the Ransomware-as-a-Service (RaaS) model represents a profound paradigm shift in the cybercrime ecosystem, democratizing access to powerful attack tools and infrastructure. RaaS effectively functions as a subscription or partnership model, where a core group of developers creates and maintains the ransomware code, associated infrastructure (such as payment sites, data leak sites, and backend administrative panels), and sometimes even provides technical support and negotiation services. These developers then ‘lease’ their ransomware to ‘affiliates’ – individuals or groups who are responsible for identifying and gaining initial access to targets, deploying the malware, and executing the extortion demands. The profits are typically shared, with the developers taking a percentage (often 10-30%) and the affiliates retaining the remainder.

This division of labor has numerous advantages for cybercriminals. For affiliates, it drastically lowers the technical entry barrier, as they do not need expertise in malware development, cryptography, or server infrastructure management. They can instead focus on initial access methods (e.g., phishing, exploiting vulnerabilities, buying access from initial access brokers or IABs) and social engineering. For developers, it allows for scalability and maximizes their illicit income by outsourcing the resource-intensive process of targeting and infection. Prominent RaaS groups, such as LockBit, ALPHV (BlackCat), Conti, DarkSide (which rebranded as BlackMatter), and Hive, have exemplified the immense scalability and profitability of this model, leading to a dramatic increase in the frequency, sophistication, and severity of ransomware incidents.

Furthermore, the RaaS model has fostered specialized roles within the cybercrime supply chain. Beyond developers and affiliates, there are often negotiators who handle communications with victims, cryptocurrency money launderers who obscure the flow of funds, and initial access brokers who sell access to compromised networks. The emergence of ‘double extortion’ tactics, pioneered by groups like Maze in 2019, further amplified the pressure on victims. In this strategy, not only is the victim’s data encrypted, but it is also exfiltrated. If the ransom for decryption is not paid, the threat actors then threaten to publish the stolen sensitive data on public ‘leak sites’ or private forums. This adds a new layer of leverage, as companies face not just operational disruption but also regulatory fines (e.g., GDPR violations), reputational damage, and potential legal action from affected parties. Some groups have even experimented with ‘triple extortion,’ adding Distributed Denial-of-Service (DDoS) attacks against the victim’s public-facing infrastructure to further intensify pressure, or directly contacting customers, partners, or media outlets to announce a breach.

3. International Law Enforcement’s Response to Ransomware

3.1 Coordinated Global Efforts

The borderless nature of cybercrime dictates that no single national law enforcement agency can effectively combat ransomware in isolation. This reality has spurred an unprecedented degree of international collaboration, transforming the traditional investigative paradigm. Key international and national law enforcement agencies have established sophisticated frameworks for intelligence sharing, joint investigations, and synchronized enforcement actions across multiple jurisdictions. These entities include:

  • Europol: The European Union Agency for Law Enforcement Cooperation, which plays a crucial role in coordinating multi-country operations within Europe and with international partners. Its European Cybercrime Centre (EC3) and the Joint Cybercrime Action Taskforce (J-CAT) are central to these efforts, facilitating intelligence exchange and operational planning.
  • Interpol: The International Criminal Police Organization, with its global reach across 195 member countries, enables worldwide cooperation. Interpol’s cybercrime units facilitate cross-border intelligence sharing, provide analytical support, and assist member countries in planning and executing coordinated operations, particularly in regions with developing cyber capabilities.
  • FBI (Federal Bureau of Investigation, USA): A leading agency globally, the FBI actively investigates and prosecutes ransomware actors, often leveraging its substantial technical capabilities and extensive network of legal attachés in U.S. embassies abroad.
  • National Crime Agency (NCA, UK): The UK’s lead agency against serious and organized crime, including cybercrime, the NCA frequently initiates or participates in international operations.
  • BKA (Bundeskriminalamt, Germany): Germany’s federal criminal police office, contributing significant resources and expertise to European and global cybercrime efforts.
  • AFP (Australian Federal Police): Australia’s primary federal law enforcement agency, actively engaging in international partnerships to combat cyber threats impacting Australian citizens and businesses.

These agencies employ a range of strategic mechanisms to foster cooperation:

  • Joint Investigation Teams (JITs): These are agreements between two or more states to set up a specific team for the purpose of carrying out criminal investigations involving a cross-border element. JITs enable investigators from different countries to work together on a daily basis, sharing intelligence and evidence more effectively and overcoming some jurisdictional hurdles.
  • Mutual Legal Assistance Treaties (MLATs): Formal requests for assistance between countries in criminal investigations. While often slow, MLATs are crucial for obtaining evidence, freezing assets, or securing the extradition of suspects located abroad.
  • Intelligence Fusion Centers: Platforms like Europol’s EC3 or Interpol’s Cybercrime Directorate act as hubs where intelligence from various national agencies is pooled, analyzed, and disseminated, creating a more holistic threat picture.
  • Public-Private Partnerships: Law enforcement increasingly collaborates with private sector cybersecurity firms, academic institutions, and industry associations. These partnerships facilitate the sharing of threat intelligence, the development of decryption tools, and the understanding of evolving attack methodologies. Initiatives like the ‘No More Ransom’ project, a collaboration between Europol, the Dutch National High Tech Crime Unit, McAfee, and Kaspersky, exemplify this approach by providing free decryption tools and preventative advice.

The strategic pillars of these coordinated efforts typically include disruption of criminal infrastructure, attribution of attacks to specific groups or individuals, arrests and prosecution of cybercriminals, asset forfeiture to recover illicit gains, and comprehensive victim support to minimize harm and enhance resilience.

3.2 Notable Operations and Their Outcomes

3.2.1 Operation Cronos (LockBit Disruption)

Operation Cronos stands as a landmark achievement in international cybercrime enforcement. Launched in February 2024, this multi-agency, multi-national law enforcement action specifically targeted the LockBit ransomware group, which had for years been identified as the world’s most prolific and damaging ransomware operation. Led by the UK’s National Crime Agency (NCA), in close collaboration with the FBI, Europol, and a coalition of law enforcement agencies from over ten countries, the operation achieved significant strategic goals.

The scale of disruption was substantial: law enforcement gained control of LockBit’s primary administrative infrastructure, including 34 servers located across multiple countries such as the Netherlands, Germany, Finland, France, Switzerland, Australia, the United States, and the United Kingdom. This included the seizure of the group’s public-facing data leak sites, which had been used to publish exfiltrated victim data, as well as the backend administrative panels used by LockBit affiliates to manage their campaigns. This strategic seizure effectively crippled the group’s ability to operate, communicate with affiliates, and publish new victim data. The NCA replaced LockBit’s dark web leak site with a law enforcement message, detailing the operation’s success and revealing internal LockBit communications, which was an unprecedented move aimed at undermining trust within the cybercriminal ecosystem (afp.gov.au, 2024).

Beyond infrastructure seizure, the operation led to the arrest of two key individuals in Poland and Ukraine suspected of being involved in LockBit’s operations. Furthermore, over 200 cryptocurrency accounts associated with the group were frozen, cutting off vital financial arteries. Crucially, law enforcement successfully obtained over 1,000 decryption keys during the infiltration, which were then made available to affected victims, preventing millions of dollars in potential ransom payments and aiding data recovery. The FBI also issued a warning, offering assistance to over 7,000 potential LockBit victims globally, indicating the vast scope of the group’s attacks (justice.gov, 2024).

While LockBit initially attempted to reconstitute its operations shortly after the takedown, evidence suggests the disruption severely hampered its capabilities. The public exposure of internal communications, the seizure of infrastructure, and the arrests created a profound sense of distrust and instability within the affiliate network, driving many to seek new RaaS partnerships or cease operations. This operation undeniably inflicted significant damage on LockBit’s brand reputation and operational coherence, sending a clear message to other ransomware groups about the reach and determination of international law enforcement.

3.2.2 Operation Sentinel (Interpol’s African Cybercrime Crackdown)

Operation Sentinel, orchestrated by Interpol between October and November 2023, exemplifies a proactive and geographically focused approach to combating cybercrime, particularly ransomware, within the African continent. This month-long, multi-faceted operation involved 19 African nations, including Cameroon, Central African Republic, Democratic Republic of Congo, Ghana, Guinea, Kenya, Liberia, Nigeria, South Sudan, Tanzania, and Uganda. The primary objective was to disrupt cybercriminal networks that were disproportionately targeting the region, often exploiting nascent digital infrastructures and varying levels of cybersecurity awareness.

The operation yielded substantial results, leading to the arrest of 574 individuals suspected of involvement in a wide array of cybercrimes, including ransomware attacks, business email compromise (BEC) fraud, and online scams. Authorities managed to recover approximately $3 million in illicit funds and, significantly, decrypted six distinct ransomware variants, providing relief to numerous victims who might otherwise have paid ransoms. The collective losses caused by the disrupted rings were estimated to be around $21 million (tomshardware.com, 2023).

Operation Sentinel was not merely about arrests; it also focused on capacity building. Interpol provided training and operational support to national police forces in participating countries, enhancing their capabilities in digital forensics, intelligence gathering, and international cooperation. This approach acknowledges that long-term success against global cybercrime requires strengthening law enforcement capacities in all regions, preventing them from becoming safe havens for cybercriminals. The operation highlighted the effectiveness of international collaboration in combating a diverse range of cyber threats and underscored Interpol’s commitment to supporting member countries in their fight against organized cybercrime.

3.2.3 ALPHV (BlackCat) Disruption (FBI/DOJ)

In December 2023, the FBI, in collaboration with the Department of Justice (DOJ) and international partners, temporarily took down the ALPHV (also known as BlackCat) ransomware group’s dark web leak site and infrastructure. ALPHV, a highly sophisticated RaaS operation whose ransomware is written in Rust, had been responsible for attacks against over 1,000 victims worldwide, including critical infrastructure entities. The FBI successfully infiltrated ALPHV’s network, seizing its website and gaining access to its decryption keys. This allowed the FBI to develop and provide a free decryption tool to victims, preventing approximately $68 million in ransom payments (justice.gov, 2023).

The operation was a significant blow, demonstrating law enforcement’s ability to penetrate the core infrastructure of even highly advanced ransomware groups. However, the subsequent events highlighted the persistent challenges in achieving lasting disruptions. Despite the FBI’s efforts, ALPHV publicly announced its return and apparent reinstatement of operations shortly after the takedown, claiming to have restored its infrastructure from backups. While the full extent of its recovery and the continued impact of the FBI’s access remain subjects of ongoing analysis, this incident underscores the resilience and adaptive nature of sophisticated cybercriminal organizations (quointelligence.eu, 2024).

3.2.4 Hive Ransomware Infiltration and Takedown (FBI/DOJ/BKA)

Another exemplary case of sustained disruption and victim support was the takedown of the Hive ransomware group in January 2023. Hive, active since June 2021, had targeted over 1,500 victims in more than 80 countries, demanding over $100 million in ransoms. In a remarkable operation, the FBI secretly infiltrated Hive’s networks in July 2022, gaining clandestine access to the group’s control panels. For over six months, the FBI provided decryption keys to hundreds of victims worldwide, preventing them from having to pay millions of dollars in ransom. This allowed victims to recover their data and secure their systems without engaging with the criminals.

Ultimately, a coordinated international effort involving the FBI, the DOJ, Germany’s BKA, and other partners culminated in the seizure of Hive’s servers and dark web sites. This takedown was exceptional because it involved a prolonged period of covert disruption, effectively turning the tables on the ransomware operators by using their own infrastructure against them to help victims. The operation is estimated to have prevented over $130 million in ransom payments (justice.gov, 2023). The success of the Hive takedown demonstrated the strategic advantage of persistent access and intelligence gathering, allowing law enforcement to undermine criminal operations from within before a public disruption.

4. Impact on Ransomware Payment Trends

4.1 Decline in Ransom Payments

The concerted efforts of international law enforcement, coupled with enhanced organizational defenses and improved incident response capabilities, have demonstrably influenced global ransomware payment trends. Recent analyses from cybersecurity firms and government agencies indicate a measurable decline in both the overall volume and the average size of ransom payments. For instance, reports from Chainalysis and Coveware in late 2023 and early 2024 highlighted a noticeable downturn in the total value of ransoms paid by victims globally, following a peak in previous years. This decline is directly correlated with several factors stemming from successful law enforcement actions.

Firstly, the disruption of major ransomware groups like LockBit, Hive, and, albeit temporarily, ALPHV, has a direct impact on the number of active and effective campaigns. When key infrastructure is seized, affiliates lose their tools and support, leading to a temporary cessation of attacks or a significant reduction in their success rate. The seizure of decryption keys and their subsequent release to victims, as seen with LockBit, ALPHV, and Hive, empowers organizations to recover their data without capitulating to extortion demands. This directly reduces the financial incentives for cybercriminals, making their efforts less profitable and therefore less attractive.

Secondly, law enforcement’s proactive engagement with victims has played a crucial role. Agencies often advise victims against paying ransoms, emphasizing that payment fuels the criminal ecosystem and offers no guarantee of data recovery or non-publication. The availability of free decryption tools through initiatives like ‘No More Ransom’ further solidifies this stance, providing a viable alternative to payment. Insurance companies, previously criticized for encouraging payment, have also begun to adjust their policies, often requiring robust cybersecurity measures and discouraging immediate payment, thereby shifting the financial calculus for victims.

Thirdly, the financial ramifications for the criminals themselves are significant. The freezing of cryptocurrency accounts and the recovery of illicit funds, as observed in Operation Sentinel, reduce the liquid assets available to these groups for reinvestment into new tools, infrastructure, or affiliate recruitment. This financial pressure can erode the operational viability and attractiveness of being a ransomware affiliate, potentially driving individuals away from this form of cybercrime.

4.2 Shift in Cybercriminal Strategies

In a relentless cat-and-mouse game, cybercriminal groups invariably adapt their tactics, techniques, and procedures (TTPs) in response to heightened law enforcement pressure and evolving cybersecurity defenses. The decline in successful ransom payments and the disruption of established groups have triggered several strategic shifts within the ransomware ecosystem:

  • Rebranding and Reconstitution: A common tactic is rebranding. When a prominent group is disrupted or its reputation is tarnished (e.g., due to leaks or takedowns), its core members or affiliates often re-emerge under a new name, sometimes with a slightly modified ransomware variant or operational structure. DarkSide, after its involvement in the Colonial Pipeline attack, rebranded as BlackMatter. Similarly, while ALPHV was disrupted, it attempted to return, and many former affiliates of defunct groups quickly migrate to new RaaS offerings. This makes long-term tracking and attribution more challenging for law enforcement.
  • Development of New Variants: Cybercriminals continuously refine their malware to evade detection, bypass security controls, and improve encryption algorithms. They may adopt new programming languages for their malware (e.g., ALPHV’s use of Rust) or integrate new obfuscation techniques to make reverse engineering more difficult. This ensures that even if law enforcement gains decryption keys for one variant, they may not work for a newer version.
  • Transition to Different Attack Vectors and Targets: As defenses against common initial access methods (like phishing) improve, threat actors pivot to exploiting new vulnerabilities, often zero-days or recently patched flaws in widely used software and network devices. There is also a potential shift in targeting – from very large, highly secure enterprises to smaller organizations perceived as having weaker defenses, or to specific industries (e.g., education, healthcare) where the data is highly sensitive and the pressure to pay is immense. Some groups might shift away from pure encryption to primarily focusing on data exfiltration and extortion without encryption, bypassing the need for decryption tools altogether.
  • Enhanced Operational Security (OpSec): Post-takedown, groups become acutely aware of the methods law enforcement used to infiltrate their networks. They respond by enhancing their operational security, adopting more secure communication channels (e.g., using more ephemeral messaging apps), employing advanced anonymity techniques for cryptocurrency transactions (e.g., mixers, privacy coins), and distributing their infrastructure across even more diverse and harder-to-reach global locations, often leveraging bulletproof hosting services.
  • Focus on Supply Chain Attacks: Instead of directly targeting individual organizations, some groups are increasingly focusing on compromising software vendors or managed service providers (MSPs). A successful breach of one such entity can provide access to numerous downstream customers, amplifying the impact of a single attack.

This adaptability underscores the persistent nature of the threat and necessitates continuous evolution in law enforcement countermeasures, requiring agencies to remain agile and forward-looking in their strategies.

5. Legal and Jurisdictional Challenges

5.1 Cross-Border Legal Complexities

The inherently transnational nature of ransomware operations presents formidable legal and jurisdictional challenges that frequently impede effective law enforcement responses. Unlike traditional crime, cybercrime often spans numerous countries simultaneously, with attackers, victims, servers, and financial transactions distributed across different legal domains. This creates a complex web of legal hurdles:

  • Varying Legal Frameworks: Criminal codes and definitions of cybercrime differ significantly between countries. What constitutes a cybercrime in one jurisdiction might not in another, or the severity of penalties may vary widely. This divergence can complicate mutual legal assistance and extradition processes.
  • Jurisdiction Shopping: Cybercriminals often deliberately host their infrastructure or operate from countries with weak cybercrime laws, limited enforcement capabilities, or those unwilling to cooperate with international requests. This ‘jurisdiction shopping’ allows them to exploit legal loopholes and evade prosecution.
  • Data Protection Laws: Strict national and regional data protection regulations, such as the General Data Protection Regulation (GDPR) in Europe, while crucial for protecting individual privacy, can create friction when law enforcement agencies require access to data stored in other jurisdictions. These laws often dictate how personal data can be processed, stored, and shared, sometimes conflicting with the speed and scope required for cybercrime investigations.
  • Mutual Legal Assistance Treaties (MLATs) and Extradition: While MLATs are the primary formal mechanism for cross-border evidence gathering and suspect transfer, they are notoriously slow and cumbersome. The process can take months or even years, allowing cybercriminals ample time to destroy evidence, move assets, or disappear. Extradition requests are similarly protracted and can be denied based on various legal or political grounds, particularly if a suspect is located in a non-cooperative state.
  • Evidentiary Requirements: The standards for admissible evidence often differ across legal systems (e.g., common law vs. civil law traditions). Digital evidence, being volatile and easily altered, requires stringent chain-of-custody protocols that can be challenging to maintain across multiple international agencies and legal systems. Ensuring that evidence gathered in one country is admissible in another’s court can be a significant hurdle.

Coordinating actions across numerous jurisdictions requires not only political will but also meticulous navigation of these legal complexities to ensure that operations are legally sound and that any evidence gathered will stand up in court.

5.2 Data Privacy and Sovereignty Concerns

International operations against ransomware invariably raise sensitive issues concerning data privacy and national sovereignty, creating a delicate balance that must be carefully managed. When law enforcement agencies from one nation conduct investigations or access data within another’s territory, even with consent, it touches upon fundamental principles of national autonomy.

  • National Sovereignty: The principle of national sovereignty dictates that each state has exclusive jurisdiction over its own territory. Covert operations or intelligence gathering by foreign agencies, even against criminal targets, can be perceived as an infringement on sovereignty if not conducted with explicit and formal bilateral agreements. Countries are often reluctant to permit foreign agencies unfettered access to their national networks or data, even for the purpose of combating crime, due to concerns about espionage, data misuse, or loss of control over critical information.
  • Data Privacy Rights: As mentioned, data protection laws like GDPR grant individuals significant rights over their personal data. International cybercrime investigations frequently involve the collection, processing, and transfer of vast quantities of personal data belonging to victims, suspects, and even uninvolved third parties. Reconciling these privacy rights with the investigative imperative to share and analyze data across borders is a constant challenge. There is a need to ensure that data sharing respects privacy safeguards, such as anonymization or strict access controls, while still providing actionable intelligence.
  • Trust and Transparency: Building and maintaining trust between international partners is paramount. Concerns about how shared intelligence or data might be used, stored, or protected can hinder cooperation. Agencies must establish clear protocols, legal frameworks, and mutual assurances regarding data handling, oversight, and accountability to mitigate these concerns.
  • Balancing Act: Striking a balance between the urgent need for effective international law enforcement to protect citizens and critical infrastructure from cyber threats, and the fundamental respect for individual privacy rights and national sovereignty, is a continuous and evolving task. It necessitates international consensus, the development of common standards for data handling in criminal investigations, and robust legal frameworks that facilitate cooperation while upholding rights.

5.3 Attribution and Proof

The challenges of attribution and establishing proof in cybercrime investigations are particularly acute in the context of ransomware. Cybercriminals actively employ sophisticated techniques to obscure their identities, locations, and activities, making it exceedingly difficult to link an attack to specific individuals or groups with the certainty required for legal prosecution.

  • Anonymity Tools: Threat actors frequently use VPNs, Tor, proxy networks, and stolen credentials to mask their IP addresses and physical locations. They communicate through encrypted channels on the dark web, making interception and monitoring exceptionally difficult.
  • Money Laundering: Ransom payments, almost exclusively made in cryptocurrency, are laundered through mixers, tumblers, and multiple wallets, creating a complex trail designed to obfuscate the flow of funds and their ultimate beneficiaries. Tracing these funds to identifiable individuals is a highly specialized and resource-intensive endeavor.
  • False Flag Operations: Some sophisticated groups may deliberately leave misleading clues or ‘false flags’ to deflect suspicion towards other entities, including nation-state actors, further complicating attribution.
  • Evolving TTPs: As law enforcement refines its attribution techniques, cybercriminals adapt their TTPs, creating a continuous arms race. Malware variants are constantly updated, and operational procedures are altered to avoid detection and identification.
  • Legal Thresholds: Moving from intelligence-based attribution (which may be sufficient for sanctions or public statements) to legally admissible evidence (proof beyond a reasonable doubt) in a court of law is a significant leap. This requires meticulously documented digital forensics, robust chain-of-custody for evidence, and often, cooperation from Internet service providers or cryptocurrency exchanges, which can be challenging to obtain across borders.

The difficulty in attributing attacks with legal certainty means that while law enforcement may have strong intelligence on who is behind certain operations, bringing these individuals to justice in a court of law remains a complex and resource-intensive endeavor.

6. Technological Capabilities and Innovations

6.1 Cyber Forensics and Decryption Tools

Advancements in cyber forensics have been pivotal in empowering law enforcement to effectively respond to and mitigate the impact of ransomware attacks. These capabilities are multifaceted, encompassing sophisticated analysis techniques and the development of specialized tools:

  • Advanced Malware Analysis: Law enforcement agencies, often in collaboration with private sector cybersecurity researchers, employ reverse engineering techniques to dissect ransomware samples. This involves analyzing the malware’s code to understand its encryption mechanisms, communication protocols, command-and-control (C2) infrastructure, and vulnerabilities. This analysis is crucial for identifying weaknesses that could lead to decryption.
  • Network and Memory Forensics: Investigators employ advanced network monitoring and memory forensics to understand how ransomware gains initial access, propagates across networks, and performs its malicious actions. By analyzing network traffic logs, endpoint data, and memory dumps, they can reconstruct attack timelines, identify compromised systems, and potentially locate keys or remnants of the malware that can aid in recovery.
  • Decryption Tool Development and Dissemination: One of the most impactful innovations has been the development and wide dissemination of free decryption tools. When law enforcement successfully infiltrates or disrupts a ransomware group, gaining access to their decryption keys or understanding their encryption flaws, they often work with partners to create universal decryptors. The ‘No More Ransom’ initiative, a public-private collaboration, serves as a central repository for these tools, helping thousands of victims recover their data without paying ransoms (justice.gov, 2024). This directly undermines the economic model of ransomware by removing the incentive to pay.
  • Intelligence Sharing Platforms: Real-time threat intelligence sharing platforms facilitate the rapid dissemination of indicators of compromise (IOCs), TTPs, and newly discovered vulnerabilities among law enforcement agencies and their partners. This allows for faster detection and response across different jurisdictions.
  • Forensic Duplication and Analysis: Tools for forensically acquiring and analyzing large volumes of data from compromised systems (e.g., hard drives, cloud instances) are continuously evolving, enabling investigators to gather evidence in a forensically sound manner, which is critical for legal proceedings.

6.2 Artificial Intelligence and Machine Learning

The integration of Artificial Intelligence (AI) and Machine Learning (ML) into cybercrime detection and prevention represents a significant technological leap. These advanced analytical capabilities hold immense promise for enhancing law enforcement’s ability to combat ransomware proactively and reactively:

  • Predictive Threat Intelligence: AI/ML algorithms can analyze vast datasets of historical cyberattack data, threat intelligence feeds, and dark web activity to identify emerging patterns, predict potential targets, and anticipate the next moves of ransomware groups. This allows law enforcement to allocate resources more effectively and implement proactive defense strategies.
  • Anomaly Detection: ML models can continuously monitor network traffic, system logs, and user behavior to detect subtle anomalies that may indicate the early stages of a ransomware attack or the presence of persistent threats. By identifying deviations from normal patterns, these systems can flag suspicious activities before widespread encryption occurs.
  • Automated Malware Analysis: AI can automate and accelerate the process of analyzing new ransomware variants. ML models can classify malware, identify its family, predict its behavior, and even extract key features that could aid in developing countermeasures or decryption tools, significantly reducing the manual effort required.
  • Dark Web Monitoring: AI-powered tools are increasingly used to monitor dark web forums and marketplaces where RaaS services are advertised, affiliates are recruited, and stolen data is sold. These tools can automatically flag relevant keywords, identify emerging groups, and track the financial flows associated with illicit activities (thelegalmatrix.com, 2024).
  • Behavioral Analysis: ML can build behavioral profiles of legitimate users and network entities. Any deviation from these profiles, such as unusual file access patterns or unauthorized lateral movement, can trigger alerts, helping to identify and contain ransomware before it can fully execute its payload.
  • Challenges and Considerations: While promising, the deployment of AI/ML in law enforcement also presents challenges, including the need for high-quality training data, the risk of adversarial AI (where criminals use AI to evade detection), potential biases in algorithms, and the ethical implications concerning surveillance and privacy.
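The timeline-reconstruction step from section 6.1 and the behavioural-analysis step from section 6.2 can be made concrete with a small detector run over endpoint file-event logs. The block below is an added example written for this page; it is not the report's own code nor any agency's or vendor's tooling. The log format, the hosts, users and paths, the baseline extension set, and the 60-second window with a five-file threshold are all assumptions chosen for illustration; the log lines are constructed, not taken from any real incident.

```python
"""Endpoint file-event timeline reconstruction and burst-based ransomware detection.

Added example for the report's sections 6.1 and 6.2; not the report's own code
nor any agency's tooling. Log format, hosts, users, paths, baseline extensions,
window and threshold are all assumptions made for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple, Optional
import os
import re


class Event(NamedTuple):
    ts: datetime
    host: str
    user: str
    action: str             # OPEN, WRITE, RENAME or DELETE
    path: str
    newpath: Optional[str]  # only set for RENAME


# Constructed sample log (assumed format: "<ISO-8601 UTC> <host> <user> <ACTION> <path> [-> <newpath>]").
# ws-07 shows ordinary office-style saves; ws-12 shows a mass extension-change burst.
SAMPLE_LOG = """\
2024-02-19T09:00:01Z ws-07 alice OPEN /home/alice/docs/q1.xlsx
2024-02-19T09:03:20Z ws-07 alice WRITE /home/alice/docs/q1.xlsx
2024-02-19T09:07:45Z ws-07 alice WRITE /home/alice/docs/q1.xlsx.tmp
2024-02-19T09:07:46Z ws-07 alice RENAME /home/alice/docs/q1.xlsx.tmp -> /home/alice/docs/q1.xlsx
2024-02-19T09:10:00Z ws-12 bob OPEN /home/bob/docs/notes.docx
2024-02-19T09:12:03Z ws-12 bob RENAME /home/bob/docs/notes.docx -> /home/bob/docs/notes.docx.lck
2024-02-19T09:12:04Z ws-12 bob RENAME /home/bob/docs/budget.xlsx -> /home/bob/docs/budget.xlsx.lck
2024-02-19T09:12:04Z ws-12 bob RENAME /home/bob/docs/plan.pptx -> /home/bob/docs/plan.pptx.lck
2024-02-19T09:12:05Z ws-12 bob RENAME /home/bob/pics/trip.jpg -> /home/bob/pics/trip.jpg.lck
2024-02-19T09:12:06Z ws-12 bob RENAME /home/bob/pics/cat.png -> /home/bob/pics/cat.png.lck
2024-02-19T09:12:07Z ws-12 bob WRITE /home/bob/docs/HOW_TO_RESTORE.txt
2024-02-19T09:12:08Z ws-12 bob RENAME /home/bob/docs/memo.pdf -> /home/bob/docs/memo.pdf.lck
"""

# Extensions the (assumed) behavioural baseline treats as normal business file types.
KNOWN_EXTENSIONS = {".docx", ".xlsx", ".pptx", ".pdf", ".txt", ".jpg", ".png"}

LINE_RE = re.compile(
    r"^(\S+)\s+(\S+)\s+(\S+)\s+(OPEN|WRITE|RENAME|DELETE)\s+(\S+)(?:\s+->\s+(\S+))?$"
)


def parse_line(line: str) -> Event:
    """Parse one log line into an Event; raises ValueError on malformed input."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    ts, host, user, action, path, newpath = m.groups()
    return Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, user, action, path, newpath)


def reconstruct_timeline(log_text: str) -> dict:
    """Group events by host and order them by time (the timeline step from 6.1)."""
    per_host = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ev = parse_line(line)
            per_host[ev.host].append(ev)
    for events in per_host.values():
        events.sort(key=lambda e: e.ts)  # stable: same-second events keep log order
    return dict(per_host)


def _ext(path: str) -> str:
    return os.path.splitext(path)[1].lower()


def is_suspicious(ev: Event) -> bool:
    """Single-event heuristic: a file gaining an extension outside the baseline.

    One hit alone is not an alert (ordinary software writes .tmp files); it only
    matters once many distinct files are hit within a short window.
    """
    if ev.action == "RENAME" and ev.newpath is not None:
        return _ext(ev.newpath) != _ext(ev.path) and _ext(ev.newpath) not in KNOWN_EXTENSIONS
    if ev.action == "WRITE":
        return _ext(ev.path) not in KNOWN_EXTENSIONS
    return False


def detect_bursts(timeline: dict, window: timedelta = timedelta(seconds=60), threshold: int = 5) -> list:
    """Sliding-window detector (the behavioural-analysis step from 6.2): alert when at
    least `threshold` distinct files on one host are hit by suspicious events within `window`."""
    alerts = []
    for host, events in timeline.items():
        sus = [e for e in events if is_suspicious(e)]
        i = 0
        while i < len(sus):
            j = i
            while j + 1 < len(sus) and sus[j + 1].ts - sus[i].ts <= window:
                j += 1
            files = {e.path for e in sus[i:j + 1]}
            if len(files) >= threshold:
                alerts.append({"host": host, "user": sus[i].user, "first_seen": sus[i].ts,
                               "last_seen": sus[j].ts, "files": len(files)})
                i = j + 1  # do not re-alert on the same burst
            else:
                i += 1
    return alerts


if __name__ == "__main__":
    for alert in detect_bursts(reconstruct_timeline(SAMPLE_LOG)):
        print(alert)
```

On the constructed input the detector raises one alert, for ws-12, covering six distinct files renamed to an unknown extension within five seconds, while the single `.tmp` write on ws-07 stays below the threshold and produces nothing. The design point is the one the text makes: a single deviation from the baseline is weak evidence, and it is the rate and breadth of deviations across many files in a short window that distinguishes an encryption run from normal application behaviour; tuning the window, the threshold and the baseline extension set to the environment is what keeps the false-positive rate acceptable.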

7. Case Studies of Disrupted Ransomware Groups

7.1 LockBit

LockBit emerged as one of the most prolific and impactful Ransomware-as-a-Service (RaaS) operations in the cybercrime landscape, active since at least September 2019. Known for its speed, sophisticated encryption, and aggressive double extortion tactics, LockBit quickly rose to prominence by attracting a large network of affiliates globally. The group developed several iterations of its malware, including LockBit 2.0 and LockBit 3.0 (also known as LockBit Black), each incorporating new features to enhance its evasiveness and destructive capabilities. Its affiliates exploited a wide range of vulnerabilities, often targeting public-facing applications, VPNs, and remote desktop protocols (RDP), or leveraging stolen credentials to gain initial access. LockBit was particularly infamous for its structured affiliate program, offering high revenue shares (typically 70-80%) to affiliates, which attracted a vast pool of cybercriminals.

The group claimed thousands of victims across virtually every industry sector and geographic region, including critical infrastructure, government agencies, and major corporations. The scale of LockBit’s operations and the consistent pressure it exerted on victims made it a top priority for international law enforcement. Its dark web leak site, where stolen data was published if ransoms were not paid, became a notorious symbol of its global reach and effectiveness.

Disruption through Operation Cronos: As detailed previously, Operation Cronos in February 2024 represented a monumental blow to LockBit. Led by the UK’s National Crime Agency (NCA), in partnership with the FBI, Europol, and a dozen other international agencies, the operation involved a coordinated effort to infiltrate and dismantle LockBit’s core infrastructure. This included the seizure of 34 servers, the control of LockBit’s primary data leak site, and the acquisition of over 1,000 decryption keys. The NCA’s unprecedented move of replacing LockBit’s dark web site with a law enforcement message, detailing the compromise and revealing internal information, sent shockwaves through the cybercriminal underworld. This public shaming and exposure of the group’s vulnerabilities aimed to erode trust among its affiliates and deter future participation (afp.gov.au, 2024).

Aftermath and Resilience: While LockBit attempted to signal a return to operations shortly after the takedown, evidence suggests the disruption severely crippled its capabilities and reputation. The public disclosure of its internal workings and the arrest of key figures undoubtedly fostered deep distrust among its affiliate base. Many affiliates likely migrated to other RaaS groups, contributing to a fragmentation of the ransomware market. Although new LockBit-like activity might surface, the original LockBit brand and its established infrastructure suffered significant, likely irreparable, damage. The long-term impact on the entire RaaS ecosystem is still being assessed, but it undoubtedly forced other groups to reconsider their operational security (en.wikipedia.org, 2024).

7.2 ALPHV (BlackCat)

ALPHV, also known as BlackCat, emerged in late 2021 as a sophisticated Ransomware-as-a-Service (RaaS) provider. It quickly gained notoriety for being one of the first major ransomware strains written in Rust, a modern programming language known for its performance and memory safety, making the malware particularly difficult to analyze and reverse engineer. ALPHV operated a highly professional RaaS model, offering its affiliates a robust suite of tools, infrastructure, and support. The group primarily targeted large organizations across various critical sectors, employing double extortion tactics by both encrypting data and exfiltrating it for public release if ransoms were not paid. ALPHV was also notable for its sophisticated negotiation tactics and its rapid adoption of new exploitation techniques.

FBI Disruption and Decryption: In December 2023, the FBI, in coordination with international partners, successfully disrupted ALPHV’s operations. The FBI infiltrated ALPHV’s networks, gaining access to its dark web leak site and internal infrastructure. Crucially, this allowed law enforcement to obtain decryption keys, which were then used to develop and distribute a free decryption tool to hundreds of victims. This proactive measure prevented an estimated $68 million in ransom payments, significantly impacting the group’s financial viability (justice.gov, 2023).

Reconstitution and ‘Exit Scam’ Allegations: Despite the FBI’s disruption, ALPHV defiantly announced its return to operations shortly after, claiming to have restored its infrastructure from backups. This rapid resurgence highlighted the challenges of achieving a definitive takedown of resilient cybercriminal entities. Subsequent reports, however, suggested that ALPHV might have orchestrated an ‘exit scam’ by allegedly seizing a $22 million ransom payment from a victim and then disappearing, leaving its affiliates without their share and effectively disbanding the group. The exact fate of ALPHV remains somewhat ambiguous, oscillating between a temporary disruption, a comeback attempt, and an internal collapse, underscoring the dynamic and often opaque nature of these criminal organizations (quointelligence.eu, 2024).

7.3 Hive Ransomware

Hive ransomware was an aggressive and highly effective Ransomware-as-a-Service (RaaS) operation that emerged in June 2021. It quickly established itself as a significant threat, targeting over 1,500 victims across more than 80 countries, predominantly impacting healthcare, public health, and critical manufacturing sectors. Like other prominent groups, Hive utilized double extortion tactics, exfiltrating sensitive data before encryption and threatening to publish it on its dark web leak site if ransom demands were not met. Hive’s affiliates were known for exploiting common vulnerabilities, including unpatched FortiGate VPNs, and using phishing and compromised RDP access for initial intrusion.

Undercover Infiltration and Takedown: In a highly sophisticated and prolonged operation, the FBI successfully infiltrated Hive’s network in July 2022. This covert access allowed the FBI to secretly obtain decryption keys from Hive’s systems. For more than six months, the FBI covertly provided these keys to victims worldwide, enabling them to recover their encrypted data without paying the demanded ransoms. This intelligence-led strategy prevented an estimated $130 million in ransom payments, saving numerous organizations from financial ruin and data loss (justice.gov, 2023).

In January 2023, the covert operation culminated in a coordinated international takedown involving the FBI, the U.S. Department of Justice, Germany’s Bundeskriminalamt (BKA), and other international partners. Hive’s dark web infrastructure, including its websites and administrative panels, was seized, and a message from law enforcement was prominently displayed. This operation was hailed as a significant success, not just for the public disruption but for the extended period of victim support facilitated by the prior infiltration. The Hive takedown demonstrated a highly effective strategy of turning the tables on cybercriminals by leveraging their own infrastructure to aid victims and gather intelligence, ultimately leading to their demise.

7.4 Conti Ransomware

Conti was one of the largest and most destructive Ransomware-as-a-Service (RaaS) groups, known for its highly organized structure and aggressive tactics. Active from around 2020, Conti operated a highly sophisticated corporate-like structure, complete with human resources, payroll, and project managers, paying its affiliates regular salaries. The group was responsible for thousands of attacks globally, inflicting billions of dollars in damages, and notoriously targeted critical infrastructure, including healthcare providers and governmental organizations. Conti’s attacks often involved extensive network reconnaissance, lateral movement, and the exfiltration of massive amounts of data before encryption.

Internal Leaks and Fragmentation: Conti’s operations suffered a major setback following the 2022 Russian invasion of Ukraine. The group, which reportedly had strong ties to the Russian state, publicly declared its support for Russia. This politically charged stance led to an internal backlash. A disgruntled Ukrainian researcher, allegedly affiliated with Conti, leaked tens of thousands of internal chat messages and sensitive data, including Conti’s source code, internal documents, and cryptocurrency addresses. These ‘Conti Leaks’ provided unprecedented insight into the inner workings of a major RaaS group, revealing its organizational structure, financial transactions, and operational TTPs. This severe breach of operational security shattered trust within the group and exposed its members (breached.company, 2025).

While law enforcement pressure was undoubtedly a factor in their overall decline, the internal leaks served as a catastrophic blow that led to the group’s eventual fragmentation. Following the leaks, Conti announced its official shutdown in May 2022, but its core members and affiliates quickly splintered into various smaller, more agile groups, such as Black Basta, Karakurt, and Royal Ransomware. This phenomenon, often referred to as ‘rebranding,’ allowed the underlying criminal talent and infrastructure to persist, albeit under new banners and with potentially altered operational methodologies. The Conti saga demonstrated that while direct law enforcement takedowns are effective, internal disruptions, ideological conflicts, and compromised operational security can also play a pivotal role in the demise of major ransomware syndicates, often leading to the proliferation of new, albeit initially smaller, threats.

8. Long-Term Implications for Ransomware Groups

8.1 Financial Impact

The cumulative effect of international law enforcement actions has significant long-term financial implications for ransomware groups, directly attacking their core profit motive. The illicit financial gains from ransomware are the lifeblood of these criminal enterprises, funding their operations, compensating affiliates, and allowing for continuous reinvestment in new tools and infrastructure.

  • Decreased Ransom Payments: As discussed, successful takedowns and the release of decryption keys directly lead to a reduction in paid ransoms. When victims can recover data without payment, the revenue stream for ransomware operators diminishes. This directly impacts their profitability and the attractiveness of the RaaS model for affiliates who rely on a share of these payments.
  • Asset Freezes and Seizures: Law enforcement’s ability to identify, freeze, and seize cryptocurrency accounts associated with ransomware groups (as seen in Operation Cronos and Sentinel) directly removes capital from the criminal ecosystem. This deprives groups of funds for operational expenses, recruitment, and personal enrichment. The seizure of significant amounts of cryptocurrency can act as a powerful deterrent and severely hamper their financial liquidity.
  • Increased Operational Costs: The need for enhanced operational security (OpSec) in response to law enforcement pressure introduces increased costs for ransomware groups. They must invest in more sophisticated anonymization tools, secure infrastructure, and constantly adapt their TTPs, which consumes resources and time. The ‘cost of doing business’ for cybercriminals rises, potentially reducing profit margins.
  • Erosion of Trust and Affiliate Exodus: When a major RaaS operation is disrupted, trust within the cybercriminal underworld is severely eroded. Affiliates, whose livelihoods depend on the stability and reliability of RaaS providers, become wary. The public exposure of internal communications, potential informants, or the perceived inability of RaaS developers to protect their operations can lead to an ‘affiliate exodus,’ where skilled criminals seek partnerships with more secure or less scrutinized groups. This fragmentation can dilute the collective power and reach of major syndicates.
  • Shift to Other Cybercrime Activities: If ransomware becomes less profitable or too risky, some criminal elements may pivot to other forms of cybercrime, such as data brokering, cryptojacking, or other types of fraud. This does not eliminate the threat but shifts its nature, requiring law enforcement to remain adaptable in its focus.

While the financial impact is substantial, the highly adaptable nature of these groups means that a complete eradication of ransomware’s profitability remains an ongoing challenge. The goal is to continuously increase the risks and decrease the rewards, making ransomware a less attractive and viable criminal endeavor.

8.2 Operational Security and Adaptation

Ransomware groups operate in a constant state of flux, continuously refining their tactics, techniques, and procedures (TTPs) in response to evolving cybersecurity defenses and law enforcement pressures. This dynamic adaptation is a hallmark of their resilience and poses a significant challenge to long-term disruption efforts.

  • Enhanced Obfuscation and Evasion: Post-takedown, groups learn from the methods used to compromise them. They invest in more robust obfuscation techniques for their malware, utilize more sophisticated anti-analysis measures, and employ more resilient command-and-control (C2) infrastructures, often distributed across numerous compromised legitimate websites or cloud services to make them harder to identify and dismantle. They may also implement more stringent vetting processes for new affiliates to reduce the risk of infiltration.
  • Shifting Infrastructure and Hosting: When servers are seized, groups immediately pivot to new hosting providers, often leveraging ‘bulletproof’ hosting services in jurisdictions known for their lax enforcement or non-cooperation with international requests. They constantly rotate IP addresses, domains, and server locations, making it a continuous challenge for law enforcement to track and disrupt their digital footprint.
  • Use of Privacy-Preserving Cryptocurrencies and Mixers: While Bitcoin has been the predominant ransom currency, increasing scrutiny and improved tracing capabilities by blockchain analytics firms push groups towards more privacy-centric cryptocurrencies (e.g., Monero) or aggressive use of mixers/tumblers to obfuscate transaction trails, making financial tracing considerably more difficult.
  • Exploitation of New Vulnerabilities: Ransomware groups are quick to adopt and exploit newly discovered vulnerabilities (zero-days or recently patched N-days) in popular software and network devices. Their ability to rapidly weaponize these flaws allows them to bypass existing defenses and gain initial access to networks before organizations can apply patches or implement mitigations. They also frequently leverage initial access brokers (IABs) who specialize in finding and selling access to corporate networks.
  • Targeting Shifts: Groups may shift their targeting strategies based on perceived risk-reward. If highly visible, large-scale attacks draw too much law enforcement attention, they might pivot to smaller, less prominent targets or specific industries where the likelihood of payment is still high but the public outcry and law enforcement response might be less intense. They might also shift focus from encryption to pure data exfiltration and extortion, bypassing the need for decryption tools and thereby making law enforcement’s ‘decryption key’ strategy less effective.
  • Internal Security Measures: Following incidents like the Conti leaks, groups become more vigilant about internal security. They may enforce stricter communication protocols, limit knowledge sharing among affiliates, and implement internal monitoring to detect potential informants or disgruntled members. However, the inherent distrust in criminal organizations often makes these measures fragile.

This continuous ‘cat and mouse’ game highlights the imperative for law enforcement to not only respond to current threats but also to anticipate future adaptations. This requires ongoing investment in intelligence gathering, advanced technological capabilities, and a deep understanding of cybercriminal psychology and market dynamics.

8.3 Impact on Cybercriminal Ecosystem

Beyond individual groups, successful law enforcement actions have broader, systemic implications for the entire cybercriminal ecosystem. These impacts can be both disruptive and, paradoxically, contribute to its evolution.

  • Erosion of Trust and Stability: High-profile takedowns, arrests, and particularly the public exposure of internal communications (as seen with LockBit and Conti leaks) severely undermine trust within the cybercriminal community. This makes it harder for RaaS developers to attract and retain skilled affiliates, as the perceived risk of compromise increases. Affiliates become wary of joining groups that might be infiltrated or disbanded, leading to instability in the criminal supply chain.
  • Fragmentation and Decentralization: Rather than eliminating the threat, successful disruptions often lead to the fragmentation of large, organized groups into smaller, more agile, and often more numerous entities. While these smaller groups may initially lack the resources and sophistication of their predecessors, their decentralized nature can make them harder to track and target. This ‘hydra effect’ requires law enforcement to adapt from targeting monolithic syndicates to addressing a more diverse and fluid threat landscape.
  • Increased Risk Aversion: The constant threat of apprehension and asset seizure forces cybercriminals to become more risk-averse. This can manifest in several ways: a preference for less high-profile targets, increased caution in communication, greater investment in anonymization tools, and a more conservative approach to ransom demands to avoid drawing excessive attention.
  • Innovation and Specialization: Paradoxically, pressure from law enforcement can also drive innovation within the cybercriminal ecosystem. Groups are forced to develop more sophisticated malware, new exploitation techniques, and better methods for money laundering and operational security. This can also lead to greater specialization within the criminal supply chain, with different actors focusing on initial access, malware development, data exfiltration, or financial services, making each component more robust.
  • Shifting Alliances and Recruitment: The disruption of a major group creates a vacuum and opportunities for new RaaS operators to emerge or for existing smaller groups to grow. There is a constant reshuffling of affiliates and talent, with individuals migrating to groups perceived as more secure, profitable, or less targeted by law enforcement. This dynamic recruitment and alliance formation means the threat landscape is continually evolving.

Ultimately, while international law enforcement can inflict significant damage on specific ransomware groups, the broader cybercriminal ecosystem demonstrates remarkable resilience and adaptability. The long-term challenge is not just to dismantle existing threats but to continuously disrupt their ability to reconstitute and innovate, making ransomware an increasingly difficult and unprofitable venture.

9. Conclusion

International law enforcement actions have undeniably had a profound and increasingly significant impact on disrupting ransomware operations globally. The detailed examination of initiatives such as Operation Cronos against LockBit, the infiltration and takedown of Hive, the temporary incapacitation of ALPHV (BlackCat), and the broader coordinated efforts exemplified by Interpol’s Operation Sentinel, collectively illustrate a growing capacity and resolve to combat this pervasive cyber threat. These efforts have led to tangible successes, including a discernible decline in overall ransom payments, the dismantling of critical criminal infrastructure, the arrest and prosecution of key perpetrators, and the invaluable provision of decryption tools to numerous victims. These outcomes directly undermine the economic model of ransomware, increase the operational risks for cybercriminals, and provide crucial relief to affected organizations worldwide.

However, the analysis also underscores the persistent and highly adaptive nature of cybercriminal groups. In response to heightened law enforcement pressure, these organizations rapidly evolve their tactics, techniques, and procedures (TTPs). They engage in rebranding, develop new and more sophisticated malware variants, enhance their operational security, and continuously seek new vulnerabilities and avenues for exploitation. This relentless ‘cat and mouse’ game highlights that while significant victories are being achieved, the threat of ransomware remains dynamic and ever-present.

To effectively combat the evolving threat of ransomware in the long term, future strategies must encompass several critical dimensions:

  • Enhanced Cross-Border Cooperation: There is an urgent need to further streamline and deepen international collaboration, particularly in intelligence sharing, joint investigations, and harmonizing legal frameworks. This includes improving the speed and efficiency of Mutual Legal Assistance Treaties (MLATs) and expanding the use of Joint Investigation Teams (JITs).
  • Development of Advanced Technological Tools: Continuous investment in cutting-edge cyber forensics, artificial intelligence, and machine learning capabilities is paramount. These technologies can enhance predictive threat intelligence, accelerate malware analysis, improve attribution capabilities, and proactively identify and mitigate emerging threats.
  • Addressing Legal and Jurisdictional Challenges: Efforts must be intensified to navigate and, where possible, harmonize disparate national legal frameworks, data protection laws, and extradition policies. Developing international legal instruments and protocols that facilitate rapid cross-border data access for criminal investigations, while upholding privacy and sovereignty, is crucial.
  • Strengthening Public-Private Partnerships: Collaborative efforts with the private sector, including cybersecurity firms, academic institutions, and critical infrastructure operators, are indispensable. These partnerships can facilitate real-time threat intelligence sharing, contribute to the development of decryption tools, and foster collective resilience.
  • Focus on Proactive Disruption and Resilience Building: Beyond reactive investigations, strategies should emphasize proactive disruption of ransomware infrastructure before attacks can occur. Equally important is enhancing the cybersecurity resilience of potential victims through public awareness campaigns, incident response planning, and promoting robust security practices across all sectors.
  • Targeting the Financial Ecosystem: Continuing to aggressively target the financial infrastructure that supports ransomware operations, including cryptocurrency tracing, asset seizures, and sanctions against facilitators, will further erode the profitability and sustainability of these criminal enterprises.

In conclusion, while significant strides have been made in disrupting ransomware operations, the fight is far from over. The sustained commitment to coordinated international efforts, coupled with continuous innovation in legal, technological, and strategic approaches, will be essential in mitigating the persistent and evolving threat that ransomware poses to global security and economic stability.

References