Between October and November 2025, one of the biggest cybercrime operations in Interpol history saw the arrest of 574 people suspected of business email compromise (BEC), digital extortion, and ransomware.
Despite its scale, the operation gained almost no attention in the US and UK because it happened across 19 African countries, principally Ghana and Nigeria.
Even so, it’s a fair bet that cybercrime experts would have noticed that Interpol’s press release mentioned the magic keyword ransomware. West Africa has earned an unwanted reputation in recent times for BEC, email scams, and sextortion, but ransomware is a relatively new and concerning addition to the list.
Ransomware is still largely perceived as a cybercrime sector cornered by Russian cybercriminals extorting organizations outside their homeland. When non-Russians are involved, accepted wisdom has it that they are usually accomplices rather than planners.
In fact, the Interpol operation is only the latest evidence that the ransomware ecosystem has escaped Russia and is spreading quite rapidly to other countries. The pattern of spread isn’t random; the ideal territory is one in which police controls are seen as lax, and corruption is endemic, which sadly fits the bill in some African countries as much as it does in Russia.
What the police were trying to disrupt on this occasion was no small-scale opportunist extortion. According to Interpol, one ransomware attack on a Ghanaian financial institution resulted in the encryption of a staggering 100 Terabytes of data. Across all crimes investigated, including ransomware, the financial losses involved were $21 million (£16 million), similar in scale to losses anywhere in the world.
In June, Trend Micro data revealed that ransomware incidents have surged in Africa, with South Africa registering 17,849 detections, Egypt 12,281, Nigeria 3,459, and Kenya 3,030. These numbers need qualification: detections are not necessarily successful attacks but refer to attempts. It’s also impossible to know how many of these attempts were launched by African threat actors and how many were from other geographies, but the circumstantial evidence is that the former is becoming the problem.
Ransomware metastasis
Exactly how ransomware is spreading globally raises the question of why it has taken so long to metastasize. The short answer is that ransomware requires a lot of know-how. It might look simple, but the truth is that it is a specialized crime requiring the sort of expertise that takes years to acquire.
At least this was the case up to the point Russian cybercriminals worked out how to industrialize ransomware by inventing ransomware-as-a-service (RaaS). RaaS offers two vital innovations, the first of which is that it removes a large amount of the technical knowledge required to build and operate a ransomware operation. The second is that it adopts an affiliate model in which RaaS customers get access to the platform in return for a fee or percentage cut. If anything turns ransomware into a global crime wave, it might be this.
If there’s good news, it is the fact that police forces seem capable of cooperating across borders to execute complex operations such as the one Interpol coordinated in Africa in October. That hasn’t always been the case, but for once, the authorities appear to be getting ahead of the problem.
For the longest time, hackers had to be really careless or unlucky to get caught, even in countries with strong law enforcement. That era is a distant memory in the US and UK. Ransomware is still a crime mainly conducted in poorer countries against richer ones, but after the latest Interpol raid, without the casual impunity of the past.