
The Ransomware Epidemic: The Industrialization of Cybercrime

Summary

Ransomware, malware that encrypts a victim's files and demands payment for the decryption key, is not a new concept. Joseph Popp mailed floppy disks carrying ransomware to an AIDS-research mailing list in 1989. What changed between 1989 and 2020 was infrastructure: pseudonymous cryptocurrency made payment possible outside the banking system, with no chargebacks and no account to freeze; organized cybercrime groups built professional operations with customer service and negotiation teams; and the combination of commoditized exploit toolkits and vulnerable enterprise IT created an attack surface that dwarfed anything previously available. By 2021, ransomware attacks had shut down a major US fuel pipeline, forced Ireland's national health service to revert to paper records, and extracted record ransoms: insurer CNA Financial reportedly paid $40 million, the largest single ransomware payment reported at the time. Ransomware had turned from a nuisance into a geopolitical problem.

The Origins: AIDS Trojan and Symmetric Encryption

The first documented ransomware was the AIDS Trojan (1989), written by Dr. Joseph Popp. Popp mailed about 20,000 floppy disks labeled "AIDS Information - Introductory Diskettes" to a mailing list that included attendees of the World Health Organization's international AIDS conference in Stockholm. The disks contained an installer that, after the machine had been booted roughly 90 times, scrambled the filenames on the C: drive and demanded a "licence fee" payable to a post-office box in Panama. The scrambling used symmetric encryption with the key embedded in the program itself, which meant analysts could extract the key and restore affected systems.

The AIDS Trojan had the attack model right but the cryptography wrong. Symmetric encryption with a key recoverable from the binary cannot sustain extortion: once one analyst extracts the key, every victim can decrypt for free. A viable scheme needed data that only the attacker could decrypt, which requires asymmetric (public-key) cryptography, and a payment method that was both anonymous and reliable.

Cryptovirology, the study of how cryptography can be turned against the system that runs it, was formalized by Adam Young and Moti Yung in their 1996 IEEE Symposium on Security and Privacy paper "Cryptovirology: Extortion-Based Security Threats and Countermeasures". The paper laid out the design that ransomware would adopt a decade later: the malware generates a random symmetric session key, encrypts the victim's files with it, encrypts that session key with the attacker's public key embedded in the malware, and erases the plaintext session key. Only the holder of the matching private key, which never touches the victim's machine, can recover the session key, and payment buys that recovery. The paper was academic; practical implementation waited for a payment rail that could not be traced or reversed, which cryptocurrency later supplied.

CryptoLocker: The Modern Template

CryptoLocker (September 2013), distributed mainly through the Gameover ZeuS botnet run by Russian cybercriminal Evgeniy Bogachev, was the first successful large-scale modern ransomware. Its innovations:

Hybrid encryption with the private key held off-box: the command-and-control server generated an RSA-2048 key pair for each victim and returned only the public key; each file was encrypted with a fresh AES key that was then encrypted with that public key. Without the private key, which never left the attacker's server, recovery was computationally infeasible.

Bitcoin payment: at the time a niche cryptocurrency, Bitcoin gave the extortion a payment rail that earlier schemes had lacked (CryptoLocker also accepted prepaid MoneyPak vouchers). A victim could pay from any jurisdiction; the payment could not be reversed or frozen by a bank; and the transaction pointed only to a Bitcoin address, not an identity. Bitcoin is pseudonymous rather than anonymous, though: every transaction is recorded on a public ledger, which is what later allowed investigators to trace and occasionally seize ransom funds.

Payment deadline with countdown timer: the ransom rose, or the private key was threatened with deletion, after 72 to 96 hours, creating pressure that short-circuited a calm cost-benefit calculation.

Customer service infrastructure — CryptoLocker operated a support portal where victims could extend deadlines, confirm payments, and receive decryption tools. The goal was repeat business in a market where word-of-mouth mattered: if CryptoLocker demonstrably delivered decryption after payment, victims would pay rather than refuse.

CryptoLocker infected approximately 250,000 machines and extracted an estimated $3 million before international law enforcement disrupted its infrastructure, together with the Gameover ZeuS botnet, in Operation Tovar (June 2014). Bogachev was indicted by the US Department of Justice but remained in Russia, beyond US extradition reach. The FBI offered a $3 million reward for information leading to his arrest, at the time the largest ever for a cybercriminal, and he remained at large as of 2025.

WannaCry and the Nation-State Dimension

WannaCry (May 2017) differed from CryptoLocker in origin, scale, and consequence. The US and UK governments attributed it to North Korea's Lazarus Group, and its extortion mechanics were too crude to run a real business: payments went to three hard-coded Bitcoin wallets with no reliable way to match a payment to a victim, so paying did not dependably produce a decryptor. The damage came from propagation: WannaCry incorporated a wormable exploit leaked from the NSA's arsenal.

The NSA had developed EternalBlue, an exploit for a memory-corruption bug in Windows' SMBv1 (Server Message Block version 1) implementation, tracked as CVE-2017-0144 and fixed by Microsoft in security bulletin MS17-010. The Shadow Brokers, a group that had obtained a cache of NSA tools, published EternalBlue on 14 April 2017. Microsoft had released the MS17-010 patch on 14 March 2017, a month before the leak and two months before WannaCry, but millions of systems remained unpatched when WannaCry launched on 12 May.

WannaCry paired EternalBlue's self-propagating exploit (a worm) with a ransomware payload that encrypted files and demanded $300 in Bitcoin, rising to $600 after three days. The combination was catastrophic. WannaCry spread without user interaction: each infected host scanned its local subnet and random Internet addresses for machines exposing TCP port 445, exploited any that were unpatched, and repeated the cycle from the new victim. Within 24 hours it had infected over 200,000 systems in 150 countries.
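Worm propagation of this kind has a recognisable shape on the network: one host opening connections to many distinct addresses on TCP/445 within seconds. The following is an added detection example written for this page, not code from WannaCry or from any vendor product; it runs over a constructed key=value flow-log sample (the timestamps, addresses and log format are invented) and flags any source that reaches a threshold of distinct SMB targets inside a sliding time window.

```python
"""Flag worm-style SMB fan-out: one source contacting many distinct hosts on
TCP/445 in a short window, the traffic shape EternalBlue-driven propagation
produces. Added example; not from the page or any vendor product."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample records in a generic key=value flow-log shape (not real
# telemetry). 10.0.5.23 touches twelve distinct hosts on 445 in twelve seconds;
# 10.0.5.40 is an ordinary client talking to two file servers; a port-80
# record from the scanner shows the filter ignores non-SMB traffic.
SAMPLE_LOG = "\n".join(
    [f"2017-05-12T10:14:{i:02d}Z src=10.0.5.23 dst=10.0.5.{i + 1} dport=445 proto=tcp"
     for i in range(12)]
    + [
        "2017-05-12T10:14:05Z src=10.0.5.40 dst=10.0.5.10 dport=445 proto=tcp",
        "2017-05-12T10:14:06Z src=10.0.5.40 dst=10.0.5.10 dport=445 proto=tcp",
        "2017-05-12T10:14:07Z src=10.0.5.40 dst=10.0.5.11 dport=445 proto=tcp",
        "2017-05-12T10:14:08Z src=10.0.5.23 dst=10.0.5.99 dport=80 proto=tcp",
        "this line is malformed and is skipped",
    ]
)

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z"
    r" src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


def parse_flows(text):
    """Return (timestamp, src, dst, dport, proto) tuples; malformed lines are dropped."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S")
        flows.append((ts, m["src"], m["dst"], int(m["dport"]), m["proto"].lower()))
    return flows


def detect_smb_fanout(flows, window_seconds=60, min_targets=10):
    """Sliding-window fan-out detector.

    For each source, walk its tcp/445 flows in time order while maintaining
    a count of distinct destinations inside the trailing window. Returns
    {src: (max_distinct_targets, window_start, window_end)} for every source
    that reached min_targets distinct hosts within window_seconds.
    """
    by_src = defaultdict(list)
    for ts, src, dst, dport, proto in flows:
        if dport == 445 and proto == "tcp":
            by_src[src].append((ts, dst))

    alerts = {}
    for src, events in by_src.items():
        events.sort()
        in_window = {}  # dst -> number of flows to it inside the window
        start = 0
        for end, (ts, dst) in enumerate(events):
            in_window[dst] = in_window.get(dst, 0) + 1
            # Evict flows older than the window from the left edge.
            while (ts - events[start][0]).total_seconds() > window_seconds:
                old = events[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) >= min_targets:
                best = alerts.get(src)
                if best is None or len(in_window) > best[0]:
                    alerts[src] = (len(in_window), events[start][0], ts)
    return alerts


if __name__ == "__main__":
    for src, (n, t0, t1) in detect_smb_fanout(parse_flows(SAMPLE_LOG)).items():
        print(f"ALERT {src}: {n} distinct hosts on tcp/445 "
              f"between {t0:%H:%M:%S} and {t1:%H:%M:%S}")
```

On the sample, only 10.0.5.23 trips the default threshold of ten distinct targets in sixty seconds; the ordinary client never exceeds two. In production the thresholds need tuning per environment: vulnerability scanners, backup servers and domain controllers legitimately touch many hosts on 445, so whitelist them explicitly rather than raising the threshold until the worm disappears in the noise.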

The UK’s National Health Service was among the worst affected: approximately one-third of NHS hospital trusts were disrupted, with some hospitals turning away non-emergency patients and reverting to paper records for days. The estimated cost to the NHS was £92 million. Renault, Telefónica, FedEx, Deutsche Bahn, and dozens of other major organizations were hit simultaneously.

WannaCry's spread was halted by a 22-year-old security researcher, Marcus Hutchins (known online as MalwareTech), who noticed that before doing anything else the malware tried to connect to a long, apparently random, unregistered domain and exited if the connection succeeded, a check most likely intended to detect analysis sandboxes that answer every DNS query. He registered the domain for $10.69 and pointed it at a sinkhole; from then on, newly infected machines that could reach the domain shut down before encrypting anything, although hosts already encrypted, and hosts behind proxies that blocked the lookup, were not helped. Hutchins later faced unrelated criminal charges for malware he had written years earlier, but he was widely credited with halting WannaCry.

The NSA’s Contribution

WannaCry's most destructive component was NSA intellectual property. EternalBlue was a government-developed cyberweapon that was stolen, published by a third party, and weaponized by North Korea, all outside the NSA's control. The episode raised uncomfortable questions about whether intelligence agencies' practice of stockpiling vulnerabilities rather than reporting them to vendors was compatible with the security of the civilian infrastructure those vulnerabilities affected. The NSA had reportedly warned Microsoft about the flaw only after learning that its tools had been stolen, having held the vulnerability for roughly five years; Microsoft shipped the fix within weeks, but the two months between patch and outbreak proved too short for many organizations to deploy it, and Microsoft ended up issuing emergency patches for already-unsupported versions such as Windows XP and Server 2003 once WannaCry was loose.

REvil, DarkSide, and the Ransomware-as-a-Service Economy

By 2019–2021, ransomware had industrialized. Criminal organizations in Russia and Eastern Europe — operating with apparent tolerance from Russian security services — developed Ransomware-as-a-Service (RaaS) platforms that licensed their malware infrastructure to “affiliates” in exchange for a cut of ransom proceeds.

REvil (Ransomware Evil), also known as Sodinokibi, operated from 2019 until Russian authorities arrested a number of its members in January 2022, and was the largest RaaS operation of the period. It provided ransomware code, encryption and key-management infrastructure, victim negotiation services, and a data-leak blog (where stolen files were published if ransoms were not paid) to dozens of affiliate operators. REvil's affiliates extorted a combined estimated $200 million. Its largest single ransom payment, $11 million from meat processor JBS after a June 2021 attack, was the largest ransom a victim had publicly confirmed paying at the time (the larger CNA figure was reported second-hand and never confirmed by the company).

A DarkSide affiliate carried out the attack on Colonial Pipeline in May 2021. Colonial Pipeline, the largest fuel pipeline in the United States (carrying about 45% of the East Coast's fuel supply), paid DarkSide roughly $4.4 million in Bitcoin (75 BTC) and halted pipeline operations for five days, not because the operational technology had been touched but because the company's billing and business systems were encrypted and it could not determine how much fuel to bill customers for. The shutdown caused panic buying and fuel shortages across the Southeast United States, with gas station lines extending for hours in several states. The US Department of Justice later recovered 63.7 BTC, then worth about $2.3 million, after obtaining the private key to the wallet into which the funds had been moved, a rare instance of ransomware payment recovery and one possible only because Bitcoin's ledger is public and traceable.

DarkSide shut down operations within days of the Colonial Pipeline attack, claiming it had lost control of its servers and had not anticipated the attack’s political consequences.

The Healthcare Targeting Problem

Ransomware operators discovered that healthcare organizations had two properties that made them ideal targets: they held irreplaceable data (patient records) and they faced existential pressure to restore operations quickly (patients die without functioning systems). The combination made healthcare organizations more likely than most victims to pay quickly and at scale.

The University of Vermont Medical Center (October 2020) was struck in the middle of the COVID-19 pandemic. The attack took down some 5,000 computers across the hospital network. Oncology patients missed chemotherapy appointments; radiology had to reschedule procedures. The hospital put its recovery costs and lost revenue at $63 million; it paid no ransom.

Düsseldorf University Hospital (Germany, September 2020) suffered a ransomware attack that forced it to divert emergency patients. A woman requiring emergency treatment was redirected to a hospital in Wuppertal, about 32 kilometers away; German prosecutors investigated whether the delay contributed to her death and concluded that her underlying condition, not the delay, was the cause. It was the first case in which ransomware was seriously examined as a potential cause of death.

Dead End: The Cryptocurrency Dependency

Ransomware is economically dependent on cryptocurrency. Without a digital payment channel that is pseudonymous, irreversible, and outside the banking system, ransomware cannot function at scale: wire transfers and credit cards are tied to verified identities, can be reversed, and are subject to seizure. Bitcoin and Monero provide the payment infrastructure that makes large-scale extortion viable.

The policy debate over cryptocurrency regulation intersects directly with ransomware: stricter cryptocurrency exchange regulation (mandatory identity verification, transaction reporting) makes ransomware payment harder to launder. Ransomware groups have responded by shifting toward Monero (a privacy-focused cryptocurrency with stronger anonymity guarantees than Bitcoin) and using sophisticated mixing services to launder Bitcoin proceeds. The cat-and-mouse dynamic between law enforcement and ransomware operators’ financial infrastructure is ongoing. The cryptocurrency infrastructure built for libertarian financial freedom became the enabling technology of the largest organized extortion industry in history.
