The Secret Payments That Keep Global Ransomware Attacks Going

Authored by Chris Summers via The Epoch Times (emphasis ours),

Cyber attacks—usually involving ransomware—are making the news almost every day, and experts say artificial intelligence (AI) is being deployed to help the attackers find their targets more quickly.

Ransomware is a type of malicious software—or malware—that prevents a user from accessing their computer files, systems, or networks and demands they pay a ransom for their return, according to the FBI.

The dozens of ransomware attacks in the United States in July included incidents at Susan B. Allen Memorial Hospital in Kansas, Ingram Micro, an IT company in California, and Cookeville Regional Medical Center in Tennessee.

The number of reported ransomware attacks worldwide in 2024 was 5,289, up 15 percent on the year before, according to the U.S. Office of the Director of National Intelligence.

But those figures do not include the vast majority of attacks, which were not reported, according to Andy Jenkinson, a fellow of the Cyber Theory Institute and author of the book “Stuxnet to Sunburst: 20 Years of Digital Exploitation and Cyber Warfare.”

“Ransomware is huge. Ransoms are being paid left, right, and center. There are two types of ransomware attacks: one that becomes public and one that becomes covered up,” he told The Epoch Times.

PurpleSec, a U.S. cybersecurity company, estimates that the average cost of a ransomware attack has risen since 2019 from $761,106 to $5.14 million.

Ransoms Paid in Crypto

Jenkinson said ransoms are almost always paid in Bitcoin and other cryptocurrencies, which are harder to trace than bank transfers.

Comparitech keeps a database of ransomware attacks around the world, and Jenkinson said cybercrime—including cyberscams that are carried out using stolen data—costs $32 billion a day globally.

A report last month by Sophos, based on a survey of cybersecurity leaders in 17 countries, found that nearly 50 percent of companies paid ransoms, and the median payment was $1 million.

Adnan Malik, a lawyer who is head of data protection at Barings Law in Manchester, England, told The Epoch Times that companies do not openly declare they have paid a ransom.

An image of a seized ransomware website is displayed during a Department of Justice press conference in Washington on Jan. 26, 2023. As artificial intelligence is increasingly used to support cyberattacks, some officials are seeking to curb the crime by limiting ransom payments, which they say fuel cybercrime. Kevin Dietsch/Getty Images

“They will try and brush it under the carpet. … They will try and disguise it as some other expense.”

Malik said that companies often haggled with ransomware attackers.

“Hackers will start with a very absurd amount, and it’s not uncommon for a demand in millions to be reduced to a couple of hundred thousand. It happens all the time,” he said.

James Babbage, the director general (Threats) at the UK’s National Crime Agency, told the BBC’s “Panorama” program recently that “it is the paying of ransoms which fuels this crime.”

“We would in general discourage victims from paying ransoms, but every victim needs to make their own choice,” Babbage said.

Paul Abbott was the director of a trucking company in England, KNP Logistics Group, which had to close down with the loss of 730 jobs in September 2023, as a direct result of a ransomware attack.

Abbott told The Epoch Times that a night shift worker first noticed a problem with the company’s computer systems and called in the IT support team, which initially didn’t think it was anything malicious.

He said they carried out a controlled shutdown restart and, “During the restart, they discovered a text file which was embedded into one of the servers that was a ransom note from the Akira group, and obviously the root cause of the issue became very clear at that point.”

Akira is one of the best-known ransomware groups. “It’s easy money for people that know what they’re doing,” Abbott said.

Enforcement Efforts

The British government announced on July 22 plans to ban ministries, state-owned agencies, schools, hospitals, and operators of critical national infrastructure from paying ransom demands to cyber-criminals.

Jenkinson said other issues need to be addressed first.

“Banning ransom payments without fixing the root vulnerabilities is like offering heart transplants to junk food addicts without changing their diet. The UK’s proposal risks driving cybercrime further underground while treating symptoms, not causes,” he said.

“Unless we tackle the insecure systems and poor cyber hygiene that enable these attacks, we’re applying plasters to a thousand cuts while leaving the knife untouched.”

Europol, the police force for the European Union, said it had taken part in a July 22 operation which led to the arrest, in Kyiv, Ukraine, of the alleged administrator of the XSS.is forum, which it said was one of the most influential Russian-speaking cybercrime platforms.

The alleged administrator of XSS.is, a Russian-language cybercrime forum, is arrested in Kyiv, Ukraine, on July 22, 2025. XSS, short for cross-site scripting, is a cyberattack method that injects malicious code into trusted websites to steal data or hijack user sessions. Europol

XSS, or cross-site scripting, is a common form of cyber-attack in which malicious scripts are injected into trusted websites to steal data or hijack user sessions.

Europol said the XSS forum had more than 50,000 registered users and was a “key marketplace for stolen data, hacking tools, and illicit services.”

In May last year, the U.S. State Department offered a $10 million reward for information leading to the arrest of Dmitry Khoroshev, who it said was the administrator of the LockBit ransomware group.

The State Department said LockBit had carried out attacks on more than 2,500 victims around the world, including around 1,800 in the United States, and had obtained at least $150 million in ransom payments, in the form of digital currency.

Britain’s National Crime Agency said Khoroshev was known as LockBitSupp, and “provided ransomware-as-a-service (RaaS) to a global network of hackers or ‘affiliates,’ supplying them with the tools and infrastructure to carry out attacks.”

Russian national Dmitry Khoroshev, the alleged administrator of the LockBit ransomware group, in file images. The State Department said LockBit attacked more than 2,500 victims globally—about 1,800 in the United States—and collected at least $150 million in cryptocurrency ransom payments. UK National Crime Agency

Poor Data Infrastructure

Jenkinson said false narratives suggest cybercriminals were becoming “more sophisticated” and were all based in countries such as Russia and other former Soviet republics, which were beyond the reach of the law.

Malik agrees, saying that, in reality, “The hackers are good, but some of the systems that organizations have here are very poor.”

“By and large, most organizations have very poor data infrastructure, very poor systems that allow hackers entry into their system,” he said.

Jenkinson pointed to recent attacks perpetrated by Scattered Spider, a group of U.S. and UK hackers who were believed to include a number of teenagers.

In May, one of the alleged leaders of Scattered Spider, 23-year-old Tyler Buchanan, a British national, was extradited from Spain to the United States to face charges of conspiracy to commit computer intrusion, wire fraud, and aggravated identity theft in California.

Tyler Durden
Tue, 08/05/2025 – 03:30