The birth of ransomware was a stunt that got out of hand. In 1989, an evolutionary biologist called Joseph L Popp Jr was working part time for the World Health Organisation on the Aids epidemic. He was a difficult man. When he was denied a permanent job, he decided to punish his peers while shocking them into acknowledging another kind of infection: the computer virus.
Popp wrote a questionnaire promising to help minimise the risk of contracting HIV, duplicated it on to 20,000 floppy discs, and sent them to researchers in 90 countries. Each disc contained a Trojan virus. Once it was inserted, a malware timebomb eventually made the computer unusable until the user paid a “licence fee” of $189 to a PO box in Panama. Popp’s primitive “Aids Trojan” was quickly identified and he was arrested for blackmail. Intending to make a point rather than a profit, he was mortified to learn that some of his targets had overreacted by wiping their hard drives: one Italian Aids organisation lost a decade’s worth of vital data. Popp experienced a psychological collapse and was deemed unfit to stand trial. The criminals who developed his crude innovation into a global business would not be so scrupulous.
A ransomware attack is a form of cybercrime in which hackers use malware to encrypt data and charge the targets a fee to receive a decryption key. Increasingly, the hackers also steal sensitive data and threaten to auction it on the dark web: “double extortion”. It is a remarkably inefficient form of crime, like trashing an entire car to steal a pair of sunglasses. According to Anja Shortland, a professor of political economy at King’s College London and expert in the economics of crime, the hackers reap only around $1bn a year but cost their victims, in 2025, an estimated $57bn.
The disproportionate consequences of refusing to pay create a collective action problem by incentivising compliance. It’s much quicker and cheaper to cough up and minimise disruption than to hold out and suck up the damage. The British Library, for example, was hacked in October 2023 and is still not back to normal. But every ransom paid inspires further attacks. There is a psychological cost, too. One man whose computer company was almost destroyed by a hack compared the experience to “suffocating, drowning – or both at the same time”.
Computer scientists Adam L Young and Moti Yung first mapped out the potential of ransomware in 1996, comparing it to the face huggers in Alien: the virus could not be removed without killing the host. But for many years, technological limitations made it unrewarding, especially when it came to trading in stolen data. One reformed cybercriminal likened trying to sell a major cache to “offering a 747 for sale at a flea market”. Three breakthroughs were required to turn ransomware into a thriving industry: untraceable communications (the TOR protocol), a decentralised currency (bitcoin) and asymmetric encryption, which generates a unique encryption key for each infected computer. By 2013, Shortland writes, “all the preconditions for large-scale, profitable ransomware campaigns were in place”.
Shortland’s book lacks the narrative verve of Scott J Shapiro’s 2023 history of hacking, Fancy Bear Goes Phishing. Her mission is to explain more than to entertain. But she still manages to paint a fascinating picture of a fast-evolving criminal industry. Ambitious hackers build ransomware brands, sharing their top-of-the-range software with affiliates who do the dirty work of extortion. Establishing trust among thieves is essential, if short-lived. The major brands have salaried employees, help desks and even human resources departments. “Criminal HR is a fast-moving, high-stakes job,” Shortland writes. I’ll bet it is.
Job security isn’t great in this business. Whether due to internal fractures or heat from law enforcement, operations routinely shut down and reopen under new guises. According to Shortland, the cyber-attack that paralysed much of Costa Rica’s economy in 2022 at a cost of half a billion dollars was probably a marketing exercise by a collapsing brand called Conti, to create the illusion that it was healthier than it was. The Costa Ricans were collateral damage. With similar ruthlessness, healthcare systems are popular targets. In such cases, ransomware is not just an economic crime but a lethal one.
Ransomware does not, therefore, attract colourful, lovable rogues. LockBitSupp, which unsuccessfully demanded $80m from Royal Mail in 2023, was revealed to be Russian national Dmitry Yuryevich Khoroshev, an arrogant, racist thug who disgusted even fellow criminals. “For five years of swimming in money I became very lazy,” he bragged, “and continued to ride on a yacht with titsy girls.” This is not Moriarty we’re dealing with. Brand names like Evil Corp and DarkSide reek of dim, adolescent nihilism.
Russia has been a cybercrime hotbed since the 1990s. After years of refusing US extradition requests, Vladimir Putin agreed to raid the ransomware brand REvil in January 2022, only for the invasion of Ukraine to sink any further cooperation. North Korea has been busy, too. In 2017, its WannaCry virus infected tens of thousands of computers in 150 countries, including Spanish telecoms, German trains, Chinese universities and the NHS. Along with Russia’s NotPetya malware, it spooked western governments into treating ransomware as a national security issue.
Shortland concludes with the nightmarish likelihood of AI-enabled cyberwar in which disruption is the primary aim, from the mass deletion of data on cloud servers to meddling with nuclear power stations. She claims that we are “mostly blind or indifferent” to “a previously unimaginable level of catastrophic risk”. While demanding that governments step up – legally mandated cyber-hygiene, more support for victims, more prosecutions – she compares ransomware to Covid: a plausible goal is not defeating it altogether but “agreeing on an acceptable level of risk and learning to live with the underlying threat”.
Shortland invokes Covid in another sense: one day a cyber-attack could bring an entire economy to a pandemic-like standstill, so we had better be ready. This book may not be a page-turner for the average reader but one hopes that the right people are paying attention.
