ABSTRACT

This research explores the conditions under which ransomware can be considered an act of cyberterrorism and whether the cases of JBS USA, Colonial Pipeline and the wiperware attacks against Ukraine in 2022 qualify as such. These theoretical and practical issues are particularly important in light of the negotiations at the United Nations level for a binding treaty on cybercrime. To achieve these goals, we took the following steps in designing a model for the analysis of ransomware events. First, we searched the academic literature for an agreed-upon definition of cyberterrorism. To do so, we compiled a dataset of one hundred peer-reviewed articles on the topic of cyberterrorism published in scholarly journals. We reported whether authors considered factors such as inducing a sense of fear/panic, the destruction of property or the threat of such, and/or killing/violence/coercion or the threat of such as necessary conditions for the definition of cyberterrorism. Second, we complemented academic views with the definitions of practitioners and policymakers. Third, we applied the model to test whether the three ransomware case studies fit the criteria for cyberterrorism. We found that, based on the proposed framework, all case studies constitute acts of cyberterrorism, albeit to differing extents.