{
	"id": "2f041afc-a989-42c1-a1e5-f6b25d315dc7",
	"created_at": "2026-04-06T01:32:22.420556Z",
	"updated_at": "2026-04-10T03:20:59.002061Z",
	"deleted_at": null,
	"sha1_hash": "ed1286fbe53d5728d434993e1bf0d46b0a7d4c35",
	"title": "How ransomware exploded in the age of Bitcoin",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 483060,
	"plain_text": "How ransomware exploded in the age of Bitcoin\r\nBy Adriana Hamacher\r\nPublished: 2019-12-21 · Archived: 2026-04-06 00:51:26 UTC\r\nRansomware turns 30 this month. And the malicious software, invented by the well meaning but wacko\r\nevolutionary biologist Joseph L. Popp, is thriving. \r\nAttacks spiked by 118% during the first quarter of this year, with hackers singling out for punishment state and\r\nlocal governments, while continuing to target businesses, universities, and hospitals.\r\nRansomware’s robust health is due to three symbiotic factors: our increasing reliance on digitization; ever more\r\nsophisticated crooks delivering more powerful viral strains, and the prevalence of untraceable ransoms—now\r\nalmost always paid in bitcoin or other cryptocurrencies. \r\nHackers’ demands are also increasing along with the chilling efficacy of their product. According to ransomware\r\nrecovery specialists Coveware, the average ransom payment increased by 184%  in the first half of 2019. Largely,\r\nthat’s thanks to an increasing number of attacks with new ransomware strains such as RYUK on large enterprises.\r\nThe average ransom demanded, internationally, is now $4,300. \r\nDesperate for a quick solution, most victims pay up, data recovery professionals told Decrypt. In fact, according to\r\none report, many businesses have begun hoarding cryptocurrencies, in case of an attack. Is it any wonder then that\r\nsome analysts believe major ransomware attacks could be affecting the price of cryptocurrency? \r\nHappy Birthday ransomware\r\nRansomware refers to the category of computer viruses that are designed to quickly across computer networks and\r\nencrypt the files on them; the idea is to hold sensitive documents hostage until the victim pays ransom to the\r\nhacker. \r\nThe vulnerability of those targeted—nursing homes, providers of local infrastructure, and cities—gives them little\r\nalternative. In May, an RYUK attack on the City of Riviera Beach, Florida, forced the local government to cough\r\nup $600,000 to decrypt the frozen files. In October, hackers hit the administrative website of the City of\r\nJohannesburg, in South Africa, and threatened to publish the stolen data on the Internet—unless they received a\r\n$30,000 bitcoin ransom. The city refused to pay.\r\nBut as bad as the blight is, ransomware wasn’t born bad. \r\nHarvard-educated Popp, its inventor, was a polymath, and ransomware was born in 1989 out of his desire to\r\ncombat AIDS, or so he claimed. In his misguided determination to amass funds to thwart the disease, he mailed\r\nmore than 20,000 infected floppy disks to the delegate list of a World Health Organisation forum. When the\r\nrecipients ran the disks, their computers froze, and an onscreen message instructed them to send funds to access a\r\nsecond disk that would restore their files. \r\nhttps://decrypt.co/15394/how-ransomware-exploded-in-the-age-of-btc\r\nPage 1 of 6\n\nJoseph L.Popp aged 18. Image: Eastlake North High School yearbook\r\nPopp was arrested, but deemed mentally unfit to stand trial due to his increasingly strange behavior (which\r\nincluded wearing condoms on his nose and putting curlers in his beard to ward off radiation.) He died in 2006 in a\r\ncar accident and didn’t live to see his invention grow up, and—enhanced with a more effective method of\r\nencryption—become one of the world’s most prevalent cybercrimes. \r\nRansomware and bitcoin\r\nFor many years, however, ransomware languished as a small-time enterprise. It wasn’t until bitcoin began gaining\r\ntraction, in 2012, that it really took off. Hackers fell in love with the decentralized digital currency, which made it\r\ndifficult to trace or block payments, and it became ever easier to launder their ill-gotten gains as more\r\ncryptocurrencies hit the scene.\r\n“I don't think there is much doubt that ransomware and cryptocurrencies go hand in hand,” Edward Cartwright,\r\nProfessor of Economics at De Montfort University, in the city of Leicester, UK, told Decrypt. “Ransomware is\r\nhighly reliant on cryptocurrency and bitcoin in particular.”\r\nBitcoin accounted for about 98% of ransomware payments made in the first quarter of 2019, according to data\r\nfrom Coveware. As a result, it’s become an inextricable part of the ransomware model.\r\n“Not only does it offer anonymity and untraceability to criminals it is also something that victims are willing to\r\nengage with, said Cartwright. \r\nThe ransomware industry\r\nIndeed, some experts say the increasing acceptance and understanding of cryptocurrency has driven ransomware\r\nfrom being a rarified crime into something far more common. \r\nhttps://decrypt.co/15394/how-ransomware-exploded-in-the-age-of-btc\r\nPage 2 of 6\n\n“I strongly believe that cryptocurrency has played a role in the ransomware epidemic,” Victor Congionti\r\ncofounder and CEO of New York-based Proven Data Recovery, told Decrypt. \r\nOf course, in some cases, victims are able to catch intruders before ransomware has been activated or fully spread.\r\nIn other cases, when the particular strain is “in the wild,” it may be possible to reverse engineer or create a\r\n“decryption utility,” Congionti said. But nine times out of ten the only way to reinstate files is to obtain decryption\r\ntools by paying the ransom, he added.  \r\nThus, a core service that Proven Data and other data recovery specialists offer is assisting victims willing to pay\r\nhackers’ bitcoin ransoms.\r\nAnti-virus providers such as Emsisoft sometimes find ways to disable ransomware, and post those fixes online for\r\nfree. But they can decrypt ransomware only if there are errors in the underlying software or if a security lapse\r\nallows the researchers to hack into the attacker’s server, otherwise, it’s essentially bulletproof.\r\n“The majority of cases require payment, because they’re using strong encryption. And there’s no other opinion\r\nthan to pay or restore from backups,” said Congionti.\r\nRansomware has helped put bitcoin in the news and we know that the price of bitcoin\r\ngoes up whenever it is in the news.\r\n—Edward Cartwright\r\nSince 2016, there have been around 4,000 ransomware attacks a day, amounting to 1.5 million per year, according\r\nto statistics posted by the US Department of Homeland Security. Little wonder then that firms like Proven Data\r\nhave formed relationships with hackers, and can often negotiate the price down. One hacker even offered data\r\nrecovery firms exclusive “promo codes.” They were told that after paying they’d receive a code for a discount on\r\na future ransom. \r\nCongionti said that simply paying the ransom is sometimes not enough. Hackers often provide decryption keys\r\nthat contain corrupted data, or missing files, which then needs to be checked and reversioned in-house, \r\nTheir methods are also becoming increasingly sophisticated. Some have even initiated automated schemes via\r\nsmart contracts that ensure decryption when a victim sends a payment. There’s no negotiating between humans;\r\nthe crime is automated on the blockchain.\r\nStockpiling bitcoin for ransom\r\nIt can cost three times as much to recover data than to pay the ransom. The speed of unlocking frozen accounts is\r\noften key for enterprises and organisations—for some, such as law firms, any downtime can be life threatening.\r\nAn October 2019 survey by data security startup Datto, polled 2,400 managed service providers, finding that the\r\naverage ransom attack cost $46,800 in downtime—10 times the average ransom demand.\r\nAs a result, companies such as Proven Data stockpile bitcoin for contingencies. “That’s part of the service—\r\nhaving that bitcoin readily available so there’s no delay in getting a company up and running as soon as possible.”\r\nsaid Congionti. \r\nhttps://decrypt.co/15394/how-ransomware-exploded-in-the-age-of-btc\r\nPage 3 of 6\n\nAnother survey, in 2018, by security solutions provider Code24 suggested that victims were stockpiling\r\ncryptocurrency to minimize costs and disruption in the wake of a ransomware attack. The research found that\r\nalmost three-quarters of Chief Information Security Officers chose to stash cryptocurrency for such an eventuality.\r\nBut it’s notable that the study was conducted at the height of the cryptocurrency boom, when prices were\r\nmarching ever upward.\r\nMonero more dangerous than Bitcoin, says German Finance Ministry\r\nSo-called privacy cryptocurrencies such as Monero are more likely to be used for illegal activities than Bitcoin,\r\naccording to a report published on Monday by Germany’s Federal Ministry of Finance. In its \"First National Risk\r\nAnalysis 2018/2019,” the agency examined to what extent cryptocurrencies endanger financial security. It found\r\nthat Monero, rather than Bitcoin, better enables anonymous transaction opportunities in money laundering and\r\nterrorist financing on the Darknet. “Due to the increa...\r\nThe policies of insurance companies may also be compounding the issue. Driven partly by the spread of\r\nransomware, the cyber insurance market has grown rapidly. Between 2015 and 2017, US cyber premiums doubled\r\nto an estimated $3.1 billion, according to the most recent data available.\r\nInvestigative non profit ProPublica published a report in August which found that insurance companies are\r\nhelping to pay ransoms—inadvertently but essentially encouraging hackers to continue these attacks for profit. \r\nIndustry giant AIG reported in July that ransomware was its second leading cause of claims in 2018 and expected\r\nto increase in 2019. While the number of attacks had actually decreased, AIG said they have also become more\r\ncostly, as the targets have become more specific. Criminals increasingly extort institutions that have deeper\r\npockets and readily pay the ransom to minimize disruption to their operations\r\nRansomware’s impact on bitcoin\r\nSome analysts believe all this ransomware activity is bound to affect bitcoin’s price.\r\n“Ransomware has helped put bitcoin in the news and we know that the price of bitcoin goes up whenever it is in\r\nthe news,” said De Montfort University’s Cartwright  “So, ransomware also partly drives the price of bitcoin.”\r\nCartwright believes that the effect of a ransomware attack is significant enough to warrant inclusion in any\r\nalgorithmic trading model that factors in external events, thus taking advantage of prospective price movement in\r\nthe wake of an attack. \r\nBut that doesn’t help local governments, businesses and law enforcement agencies, who are desperate for\r\nsolutions to ransomware attacks that threaten to cripple them. \r\nhttps://decrypt.co/15394/how-ransomware-exploded-in-the-age-of-btc\r\nPage 4 of 6\n\nRYUK ransomware is named after the god of death in the anime Death Note. Image: Flickr\r\nLast summer, in response to hackers demands for millions of dollars, a coalition of 227 US mayors vowed not to\r\npay. Which might well be the best solution.\r\nData recovery experts, including Proven Data, report that ransomware attacks increasingly show the\r\ncharacteristics of organized cybercrime, and fear that many ransom payments end up in the hands of terrorist\r\ngroups. Through paying a ransom, local governments are inadvertently funding them.\r\nA concerted attack\r\nGovernment officials hope that, though better security, they can properly protect cities from these kinds of attacks.\r\nCongionti suggested that the government should make it mandatory for businesses to go through some basic\r\nsecurity protocols, as well.\r\nAnd this year, the White House and U.S. Senate approved versions of a bill that would allow the Department of\r\nHome Security to invest in resources to help states and cities deal more effectively with ransomware attacks.\r\nEither way, a policy of not paying ransom ought to help eradicate the scourge of ransomware.\r\nBut for now,  RYUK, a particularly robust ransomware that can sometimes even find and destroy backups, is on\r\nthe rise. It’s named after the god of death in the anime, Death Note, and is believed to have originated in North\r\nKorea. \r\nOver the first five months of 2019, RYUK hit more than 500 schools and earned hackers more than $3 million in\r\nbitcoin. And security experts expect it, and new ransomware attacks against local governments, will only ramp up\r\nin 2020. \r\nAt the ripe adult age of 30, Popp’s invention is adept at outrunning most efforts to thwart it. This is not a happy\r\nbirthday\r\nhttps://decrypt.co/15394/how-ransomware-exploded-in-the-age-of-btc\r\nPage 5 of 6\n\nDaily Debrief Newsletter\r\nStart every day with the top news stories right now, plus original features, a podcast, videos and more.\r\nSource: https://decrypt.co/15394/how-ransomware-exploded-in-the-age-of-btc\r\nhttps://decrypt.co/15394/how-ransomware-exploded-in-the-age-of-btc\r\nPage 6 of 6",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://decrypt.co/15394/how-ransomware-exploded-in-the-age-of-btc"
	],
	"report_names": [
		"how-ransomware-exploded-in-the-age-of-btc"
	],
	"threat_actors": [],
	"ts_created_at": 1775439142,
	"ts_updated_at": 1775791259,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ed1286fbe53d5728d434993e1bf0d46b0a7d4c35.pdf",
		"text": "https://archive.orkl.eu/ed1286fbe53d5728d434993e1bf0d46b0a7d4c35.txt",
		"img": "https://archive.orkl.eu/ed1286fbe53d5728d434993e1bf0d46b0a7d4c35.jpg"
	}
}