Ransomware
Based on Wikipedia: Ransomware
In 2013, a twenty-one-year-old man in Virginia received a terrifying message on his computer screen. The Federal Bureau of Investigation, it claimed, had detected child pornography on his machine. He needed to pay a fine immediately or face arrest. Panicked and guilty—because his computer actually did contain illegal images of minors—he drove to the police station and turned himself in.
The FBI hadn't sent that message. It was ransomware, a type of malicious software designed to extort money from victims by holding their digital lives hostage. But here's the twist: the criminal software accidentally caught an actual criminal. The ensuing investigation discovered the illegal files, and the man was charged with child sexual abuse.
This story captures something essential about ransomware. It exploits fear. It exploits guilt. And it has become one of the most profitable criminal enterprises in human history, generating over a billion dollars annually in payments to attackers who may be sitting in apartments thousands of miles from their victims.
The Billion-Dollar Shakedown
To understand ransomware, imagine coming home to find that someone has changed all the locks on your house, your car, and your storage unit. They've left a note: pay us in untraceable currency, or you'll never see your belongings again. Now imagine this happening to hospitals, schools, city governments, and corporations—all at once, all around the world.
That's essentially what ransomware does to digital systems.
The numbers are staggering. In 2021, there were approximately 623 million ransomware attacks globally. Victims paid an estimated $1.25 billion in ransoms in 2023 alone—and that's just the money that flowed directly to criminals. The actual cost, when you factor in downtime, recovery efforts, lost business, and reputational damage, is far higher. Security firm Sophos estimated in 2020 that the average cost to remediate a ransomware attack was over $760,000.
These aren't just statistics. They represent emergency rooms that couldn't access patient records. Schools that lost years of student data. Small businesses that closed permanently because they couldn't afford to recover.
How Digital Kidnapping Works
The mechanics of ransomware rely on a branch of mathematics called cryptography—the same technology that protects your online banking and secure messages. Cryptography can lock information so securely that even the world's most powerful supercomputers couldn't crack it in a million years. Ransomware turns this protective technology into a weapon.
Here's how it typically unfolds.
First, the attacker needs to get their malicious software onto your computer. The most common method is embarrassingly simple: they trick you into installing it yourself. You receive an email that looks like it's from your bank, your boss, or a delivery company. There's an attachment or a link. You click it, and the ransomware is now running on your system.
Some ransomware is more aggressive. The infamous WannaCry attack of 2017 didn't wait for anyone to click anything. It exploited a vulnerability in Microsoft Windows to spread automatically from computer to computer across networks, infecting over 200,000 systems in 150 countries within days.
Once the ransomware is running, it gets to work encrypting your files. Encryption is like putting each file into an unbreakable safe. The ransomware generates a unique key—think of it as a combination to the safe—and then destroys its own copy of that key after sending it to the attackers. Your photos, documents, databases, everything, becomes unreadable digital noise.
Then comes the ransom note.
The Cryptoviral Extortion Protocol
The sophisticated cryptographic scheme behind modern ransomware was actually invented by academics. In 1996, two researchers at Columbia University, Adam Young and Moti Yung, presented a paper at a prestigious security conference describing exactly how to build ransomware that would be mathematically impossible to defeat without paying.
They called it cryptoviral extortion, and they drew their inspiration from an unlikely source: the movie Alien.
In that film, a creature called a facehugger attaches itself to a victim's face and implants an embryo. The victim is held hostage by biology—remove the facehugger incorrectly, and both die. The embryo grows inside the victim until it kills them by bursting out.
Young and Yung saw a similar parasitic relationship in their cryptographic scheme. The ransomware attaches to your data. Try to remove it incorrectly, and your files die. The only safe extraction requires cooperation from the attacker.
The technical elegance of their scheme is worth understanding. It uses something called hybrid encryption, which combines two types of cryptographic systems. The ransomware generates a random key to encrypt your files—this is fast and efficient. Then it encrypts that file key with the attacker's public key, an asymmetric method that only the attacker's matching private key can reverse. Even if security researchers capture and analyze the ransomware, they can't extract the decryption key: the file key is generated fresh on each victim's machine and erased once it has been wrapped, and the private key that unwraps it never leaves the attacker.
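Written out in notation, as an added sketch that follows the page's description rather than quoting Young and Yung's paper: the attacker holds a key pair, and the malware carries only the public half. Here $\mathrm{E}/\mathrm{D}$ is the fast symmetric cipher, $\mathrm{Enc}/\mathrm{Dec}$ the asymmetric one, and $n$ the file-key length (symbol names are assumed for the sketch).

```latex
\begin{aligned}
&\text{Attacker, in advance:}\quad (pk, sk) \leftarrow \mathrm{KeyGen}(),\qquad \text{the malware ships only } pk.\\
&\text{On the victim's machine:}\quad k \leftarrow \{0,1\}^{n}\ \text{(fresh random file key)},\\
&\qquad C = \mathrm{E}_k(\text{files}),\qquad c = \mathrm{Enc}_{pk}(k),\qquad \text{then erase } k \text{ and the original files.}\\
&\text{Ransom note carries } c.\qquad \text{After payment:}\quad k = \mathrm{Dec}_{sk}(c),\qquad \text{files} = \mathrm{D}_k(C).
\end{aligned}
```

An analyst who captures the malware and the infected disk holds the code, $pk$, $c$ and $C$, but recovering the files needs $k$, which was erased, is only recoverable from $c$ with $sk$ (never on the victim's machine), and is otherwise a $2^{n}$-trial search. This is exactly the gap the AIDS Trojan lacked: its single symmetric key sat inside the program itself.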
Young and Yung published this as an academic warning. They wanted the security community to understand what was possible so they could prepare defenses. But they also essentially published a blueprint that criminals would eventually follow.
The AIDS Trojan: Where It All Began
The first ransomware attack predated Young and Yung's work by seven years, and it was far cruder—so crude that victims didn't actually need to pay to recover their files.
In 1989, attendees of a World Health Organization AIDS conference received floppy disks in the mail, supposedly containing educational software about the disease. Twenty thousand disks were distributed. The software worked normally at first, but after users rebooted their computers ninety times, it suddenly hid all their files and demanded payment.
The ransom? $189, to be sent by mail to a post office box in Panama registered to "PC Cyborg Corporation."
The creator was Joseph Popp, an evolutionary biologist. His ransomware had a fatal flaw: it used what's called symmetric encryption, meaning the same key locks and unlocks the data. That key had to be stored in the malware itself, where security researchers quickly found it. Anyone infected could recover their files without paying.
Popp was eventually identified and arrested in the United States. He was extradited to the United Kingdom to face charges but was declared mentally unfit to stand trial after reportedly wearing curlers in his beard and cardboard boxes on his head. He promised to donate any proceeds from his scheme to AIDS research, though it's unclear if the poorly designed attack generated any money at all.
For years afterward, ransomware remained relatively rare. The problem wasn't technical—it was logistical. How do you collect ransom money without getting caught?
The Payment Problem
Traditional kidnapping is risky partly because of the ransom exchange. Someone has to pick up the money, and that's when police make arrests. Early ransomware faced the same challenge in digital form. Wire transfers leave records. Credit card payments can be traced. Even sending cash through the mail creates a physical trail.
Ransomware operators experimented with various solutions. Some demanded payment through premium-rate text messages—the victim would send a text to a special number, get charged $10 on their phone bill, and receive an unlock code. In 2010, Russian authorities arrested nine people running exactly this scheme. It had earned them over $16 million.
Others demanded payment through prepaid voucher services like Paysafecard, which let you buy a card with cash and use the code for online payments. But these vouchers had limits and were designed for small transactions, not massive extortion operations.
The game changed completely with Bitcoin.
Bitcoin, and the cryptocurrencies that followed, solved the payment problem elegantly. Transactions are effectively irreversible. They don't require banks or financial institutions that might cooperate with law enforcement. And while Bitcoin isn't truly anonymous—all transactions are recorded on a public ledger—it's anonymous enough when combined with techniques for obscuring the flow of funds.
The rise of cryptocurrency-enabled ransomware was immediate and dramatic. CryptoLocker, which appeared in late 2013, was among the first to demand Bitcoin payment. Within just two months, its operators extracted an estimated $27 million from victims. Even after law enforcement took down the operation, the approach was widely copied.
Ransomware as a Service
Perhaps the most disturbing evolution in ransomware has been its professionalization. Criminal enterprises now operate with the organizational sophistication of legitimate software companies.
On dark web marketplaces—hidden websites accessible only through special software—you can purchase ransomware as a subscription service. The model mirrors legitimate software like Microsoft Office 365 or Adobe Creative Cloud. You pay a monthly fee, or perhaps a percentage of your criminal proceeds, and in return you get regularly updated ransomware, technical support, and even customer service portals to handle communications with victims.
This ransomware-as-a-service model means that launching an attack no longer requires technical expertise. Someone with no programming skills can rent sophisticated ransomware, customize it with their own ransom note and payment address, and begin infecting victims. The barrier to entry has collapsed.
Some ransomware operations maintain help desks to assist victims with making payments. This isn't altruism—it's business logic. If victims can't figure out how to buy Bitcoin or navigate the payment process, the criminals don't get paid. So they provide step-by-step instructions, chat support, and even extensions on payment deadlines.
This customer service extends to actually decrypting files after payment. You might think that criminals would simply take the money and disappear, but most ransomware operators understand that their business model depends on reputation. If word gets around that paying the ransom doesn't work, future victims won't bother paying. So they deliver on their promises—usually.
When Nations Become Targets
In 2022, the small Central American nation of Costa Rica declared a state of emergency. President Rodrigo Chaves announced that his country was "at war"—not with a neighboring nation, but with ransomware hackers.
A criminal group called Conti had launched a sustained assault on Costa Rican government systems. Tax collection was disrupted. Healthcare services were affected. Government ministries couldn't function normally. The attackers demanded millions in ransom and, when Costa Rica refused to pay, began publishing stolen government data.
Costa Rica isn't alone. Cities, hospitals, school districts, and critical infrastructure have all found themselves under attack. In 2019, the city of Baltimore was hit so badly that officials couldn't process home sales or water bills for months. The city estimated the total cost at over $18 million—and refused to pay the $76,000 ransom on principle.
This raises a genuine moral and practical dilemma. Paying ransoms funds criminal enterprises and encourages future attacks. But refusing to pay can mean losing irreplaceable data, disrupting critical services, and costing far more in recovery than the ransom would have been. Hospitals have paid ransoms because patient lives were at stake. Cities have paid because the cost of rebuilding from scratch was unthinkable.
There are no easy answers.
The Evolution of Extortion
Ransomware has evolved beyond simple file encryption. Modern attackers often engage in what's called double extortion or even triple extortion.
In double extortion, attackers don't just encrypt your files—they steal copies first. Even if you have backups and can restore your systems without paying, they threaten to publish your sensitive data. For a hospital, this might mean patient medical records. For a law firm, client communications. For a business, trade secrets or embarrassing internal emails.
Triple extortion adds another layer: attackers may contact your clients, patients, or business partners directly, demanding payment from them to keep their specific information private. Or they might launch denial-of-service attacks against your systems until you pay.
This evolution was actually predicted. In 2003, researcher Adam Young presented a paper at West Point describing what he called leakware—malware that threatens to publish stolen data rather than simply deny access to it. He noted that this attack is rooted in game theory. The victim retains access to their information, but its disclosure is at the discretion of the attacker.
The attack works because reputation has value. A company might survive losing its files. But losing its files and having confidential customer data splashed across the internet? That's an existential threat.
The Fight Back
There's some good news. After peaking at $1.25 billion in 2023, ransomware payments dropped sharply to $813 million in 2024. This decline appears to reflect two factors: more victims refusing to pay, and more effective law enforcement action against ransomware operations.
Organizations have gotten better at maintaining offline backups that can't be encrypted by ransomware. They've improved their security practices to prevent infections in the first place. And some have simply decided on principle that they won't negotiate with digital kidnappers, accepting the costs of rebuilding as preferable to funding criminal enterprises.
Law enforcement has also become more aggressive. International operations have disrupted major ransomware gangs, seized cryptocurrency wallets, and in some cases recovered ransom payments. The US Federal Bureau of Investigation has successfully recovered millions of dollars in Bitcoin from ransomware operators.
Security researchers regularly find flaws in ransomware implementations. Sometimes attackers make mistakes that allow files to be decrypted without paying. Sometimes cryptographic keys leak. Sometimes the ransomware is all bluster—scareware that claims to have encrypted your files but actually hasn't.
But the threat remains. As long as there's money to be made and cryptocurrency provides relatively anonymous payment, ransomware will persist. The tools to create it are publicly available. The barrier to entry is low. And the potential rewards are enormous.
Protecting Yourself
The same boring security advice that experts have repeated for decades remains your best defense. Keep your software updated, because many ransomware attacks exploit known vulnerabilities that patches have already fixed. Be suspicious of unexpected email attachments, even from people you know. Maintain regular backups of your important files, and keep at least one backup disconnected from your network so ransomware can't reach it.
For organizations, the calculus is more complex. You need incident response plans. You need to decide in advance whether you would pay a ransom and under what circumstances. You need cyber insurance, though insurers are increasingly reluctant to cover ransomware and increasingly demanding that you demonstrate basic security hygiene before they'll write a policy.
You need to assume that an attack is possible—perhaps inevitable—and plan accordingly.
The Parasitic Relationship Continues
Young and Yung's Alien-inspired metaphor remains apt. Ransomware is a parasite that has evolved sophisticated mechanisms to extract resources from its hosts without killing them. The most successful ransomware operators are careful not to be too greedy—they want victims to survive and pay, not be destroyed. They want to maintain their reputation for honoring deals.
In a perverse way, ransomware has created a functioning economy built entirely on crime. There are specialized roles: the developers who write the code, the affiliates who distribute it, the money launderers who convert cryptocurrency to spendable cash, the customer service representatives who help victims pay. There's competition, innovation, marketing, and even customer satisfaction surveys.
And there are victims. Hundreds of millions of attacks every year. Billions of dollars in costs. Real harm to real people and organizations.
The facehugger hasn't let go yet.