Most ransomware gangs are believed to operate from countries with limited or non-existent extradition agreements with Western nations, making it difficult for law enforcement to apprehend them. Some of the countries where these gangs are thought to be based include:
Russia: Many of the most notorious ransomware groups are believed to operate out of Russia. The country is often seen as a safe haven for cybercriminals due to the lack of cooperation with Western law enforcement and the protection of criminals who avoid targeting Russian entities.
Eastern Europe: Several ransomware gangs are also thought to be based in other Eastern European countries, such as Ukraine and Belarus. These regions have a history of cybercriminal activity, partly due to their technical expertise and the geopolitical environment.
Iran: There are also reports of ransomware gangs operating out of Iran, often with links to state-sponsored activities.
North Korea: North Korea has been linked to several high-profile ransomware attacks, and it is believed that the regime uses ransomware as a means of generating revenue.
At some point the corporate espionage/sabotage and whatever sales taxes they get from funds stolen abroad is worth less than the potential earnings of money leaving the country.