The Law and Politics of Ransomware

41 Pages | Posted: 6 Aug 2022 | Last revised: 21 Nov 2022

Asaf Lubin

Indiana University Maurer School of Law; Berkman Klein Center for Internet & Society; Yale University - Information Society Project; Federmann Cybersecurity Center, Hebrew University of Jerusalem Faculty of Law

Date Written: August 4, 2022


What do Lady Gaga, the Royal Zoological Society of Scotland, the city of Valdez in Alaska, and the court system of the Brazilian state of Rio Grande do Sul all have in common? They have all been victims of ransomware attacks, which are growing both in number and severity. In 2016, hackers perpetrated roughly four thousand ransomware attacks a day worldwide, a figure which was already alarming. By 2020, however, ransomware attacks reached a staggering number, between 20,000 and 30,000 per day in the United States alone. That is a ransomware attack every eleven seconds, each of which cost victims on average nineteen days of network downtime and a payout of over $230,000. In 2021, global costs associated with ransomware recovery exceeded $20 billion.

This Article offers an account of the regulatory challenges associated with ransomware prevention. Situated within the broader literature on underenforcement, the Article explores the core causes for the limited criminalization, prosecution, and international cooperation that have exacerbated this wicked cybersecurity problem. In particular, the Article examines the forensic, managerial, jurisdictional, informational, and resource allocation challenges that have plagued the fight against digital extortions in the global commons.

To address these challenges, the Article makes the case for the international criminalization of ransomware. Relying on existing international regimes (namely, the 1979 Hostage Taking Convention, the 2000 Convention Against Transnational Crime, and the customary prohibition against the harboring of terrorists), the Article makes the claim that most ransomware attacks are already criminalized under existing international law. In fact, the Article draws on historical analysis to portray the criminalization of ransomware as a “fourth generation” in the outlawry of Hostis Humani Generis (enemies of mankind).

The Article demonstrates the various opportunities that could arise from treating ransomware gangs as international criminals subject to universal jurisdiction. The Article focuses on three immediate consequences that could arise from such international criminalization: (1) expanding policies for naming and shaming harboring states, (2) authorizing extraterritorial cyber enforcement and prosecution, and (3) advancing strategies for strengthening cybersecurity at home.

Keywords: Ransomware, International Law, Law and Technology, Criminal Law, Crime Prevention, Cyber Crime, Sanctions, Insurance Law, Cybersecurity Law, Data Protection, Sovereignty, Non-Intervention, Underenforcement

JEL Classification: K100, K14, K23, K33, M15, Z18, F50, F51, F52, F53, F55, F59

Suggested Citation

Lubin, Asaf, The Law and Politics of Ransomware (August 4, 2022). Vanderbilt Journal of Transnational Law, Vol. 55, p.1177 (2022), Indiana Legal Studies Research Paper No. 494, Available at SSRN:

