Although attributing ransomware is difficult, everything that has been leaked and is public suggests most of the perpetrators are in CSTO (i.e. Russia-allied) countries that actually at least informally encourage attacks on non-CSTO countries. Leaked policies from criminal organisations suggest they generally do not target victims in CSTO countries. CSTO countries rarely have extradition treaties outside the CSTO - no CSTO country has an extradition treaty with the United States, for example. Sometimes authorities do work together when they are aligned despite the absence of a treaty (e.g. Armenia has extradited to the US before) - but that is unlikely to happen for ransomware criminals that only target victims outside the CSTO.

So I don't think they need immunity from their own government, and they don't fear extradition as long as they don't go to a non-CSTO country. Sometimes they do travel overseas and find out that the government tolerance for their activities doesn't extend outside the CSTO.

Data leaks from criminal organisations to non-CSTO governments (in combination with things the governments collect themselves and share) are likely very helpful in ensuring the criminals are likely to be picked up if they do travel.

> Even if you’re not American, if your government has given you immunity, I don’t think you can be extradited for the same crime. Your government would just refuse the request.

Depends which government it is! Some of them absolutely would.