The Secret Payments That Keep Global Ransomware Attacks Going

‘Ransoms are being paid left, right, and center,’ one tech expert said.

Save

The Secret Payments That Keep Global Ransomware Attacks Going — Illustration by The Epoch Times, Getty Images
Illustration by The Epoch Times, Getty Images

August 03, 2025Updated:August 05, 2025

Cyberattacks—usually involving ransomware—are making the news almost every day, and experts say artificial intelligence (AI) is being deployed to help the attackers find their targets more quickly.

Ransomware is a type of malicious software—or malware—that prevents a user from accessing his or her computer files, systems, or networks and demands that he or she pay a ransom for their return, according to the FBI.

The dozens of ransomware attacks in the United States in July included incidents at Susan B. Allen Memorial Hospital in Kansas, Cookeville Regional Medical Center in Tennessee, and California-based IT company Ingram Micro.

The number of reported ransomware attacks worldwide in 2024 was 5,289, up by 15 percent from 2023, according to the U.S. Office of the Director of National Intelligence.

But those figures do not include the vast majority of attacks, which were not reported, according to Andy Jenkinson, fellow at the Cyber Theory Institute and author of the book “Stuxnet to Sunburst: 20 Years of Digital Exploitation and Cyber Warfare.”

“Ransomware is huge,” he told The Epoch Times. “Ransoms are being paid left, right, and center. There are two types of ransomware attacks: one that becomes public and one that becomes covered up.”

PurpleSec, a U.S. cybersecurity company, estimates that the average cost of a ransomware attack has risen since 2019 from $761,106 to $5.14 million.

Ransoms Paid in Crypto

Jenkinson said ransoms are almost always paid in bitcoin and other cryptocurrencies, which are harder to trace than bank transfers.

Comparitech keeps a database of ransomware attacks around the world, and Jenkinson said cybercrime—including cyberscams that are carried out using stolen data—costs $32 billion per day globally.

A July report by Sophos, based on a survey of cybersecurity leaders in 17 countries, found that nearly 50 percent of companies have paid ransoms and that the median payment was $1 million.

Adnan Malik, a lawyer who is head of data protection at Barings Law in Manchester, UK, told The Epoch Times that companies do not openly declare that they have paid a ransom.

An image of a seized ransomware website is displayed during a Justice Department news conference in Washington on Jan. 26, 2023. As artificial intelligence is increasingly used to support cyberattacks, some officials are seeking to curb the crime by limiting ransom payments, which they say fuel cybercrime. Kevin Dietsch/Getty Images

“They will try and brush it under the carpet,” Malik said. “They will try and disguise it as some other expense.”

He said companies often haggle with ransomware attackers.

“Hackers will start with a very absurd amount, and it’s not uncommon for a demand in millions to be reduced to a couple of hundred thousand,” he said. “It happens all the time.”

James Babbage, director-general for threats at the UK National Crime Agency, told the BBC’s “Panorama” program recently that “it is the paying of ransoms which fuels this crime.”

“We would in general discourage victims from paying ransoms, but every victim needs to make their own choice,” he said.

Paul Abbott was the director of KNP Logistics Group, a trucking company in the UK that had to close down in September 2023 as a direct result of a ransomware attack. Its closure meant the loss of 730 jobs.

Abbott told The Epoch Times that a night shift worker had noticed a problem with the company’s computer systems and called in the IT support team, which initially did not think that it was anything malicious.

He said the team carried out a controlled shutdown restart.

“During the restart, they discovered a text file which was embedded into one of the servers that was a ransom note from the Akira group, and obviously the root cause of the issue became very clear at that point,” he said.

Akira is one of the best-known ransomware groups.

“It’s easy money for people that know what they’re doing,” Abbott said.

Enforcement Efforts

On July 22, the UK government announced plans to ban ministries, state-owned agencies, schools, hospitals, and operators of critical national infrastructure from paying ransom demands to cybercriminals.

Jenkinson said other issues need to be addressed first.

“Banning ransom payments without fixing the root vulnerabilities is like offering heart transplants to junk food addicts without changing their diet,” he said. “The UK’s proposal risks driving cybercrime further underground while treating symptoms, not causes.

“Unless we tackle the insecure systems and poor cyberhygiene that enable these attacks, we’re applying plasters to a thousand cuts while leaving the knife untouched.”

Europol, the police force for the European Union, said it took part in a July 22 operation that led to the arrest, in Kyiv, Ukraine, of the alleged administrator of the XSS.is forum, which it said was one of the most influential Russian-language cybercrime platforms.

The alleged administrator of XSS.is, a Russian-language cybercrime forum, is arrested in Kyiv, Ukraine, on July 22, 2025. XSS, short for cross-site scripting, is a cyberattack method that injects malicious code into trusted websites to steal data or hijack user sessions. Europol

XSS, or cross-site scripting, is a common form of cyberattack that injects malicious scripts into trusted websites to steal data or hijack user sessions.

Europol said the XSS forum had more than 50,000 registered users and was a “key marketplace for stolen data, hacking tools, and illicit services.”

In May 2024, the U.S. State Department offered a $10 million reward for information leading to the arrest of Dmitry Khoroshev. The department said he was the administrator of the LockBit ransomware group.

The State Department said LockBit had carried out attacks on more than 2,500 victims around the world, including about 1,800 in the United States, and had obtained at least $150 million in ransom payments in the form of digital currency.

The UK National Crime Agency said Khoroshev was known as LockBitSupp, and “provided ransomware-as-a-service (RaaS) to a global network of hackers or ‘affiliates,’ supplying them with the tools and infrastructure to carry out attacks.”

Russian national Dmitry Khoroshev, the alleged administrator of the LockBit ransomware group, in file images. The State Department said LockBit attacked more than 2,500 victims globally—about 1,800 in the United States—and collected at least $150 million in cryptocurrency ransom payments. UK National Crime Agency

Poor Data Infrastructure

Jenkinson said false narratives have suggested that cybercriminals are becoming “more sophisticated” and are all based in countries such as Russia and other former Soviet republics, beyond the reach of the law.

Jenkinson pointed to recent attacks perpetrated by Scattered Spider, a group of U.S. and UK hackers that was believed to include a number of teenagers.

In May, one of the alleged leaders of Scattered Spider, 23-year-old Tyler Buchanan, a UK national, was extradited from Spain to the United States to face charges of conspiracy to commit computer intrusion, wire fraud, and aggravated identity theft in California.

Premium Picks

FBI, CISA Warn About International Ransomware Threat Using ‘Double Extortion Model’

US Cracks Down on Russian Ransomware Networks

Ransomware Hackers Publish Data Stolen in Nova Scotia Power Cyberattack

The U.S. Justice Department said Buchanan and his co-conspirators allegedly stole cryptocurrency worth millions of dollars following cyberattacks on more than 45 companies based in the United States, Canada, and the UK.

“I don’t think the attacks are more sophisticated,” Jenkinson said. According to him, the narrative that cybercriminals are increasingly “sophisticated” is a “get out of jail” statement deployed by corporations and governments to try to explain why the attacks are getting more persistent and more serious.

He said the truth is that the attackers are exploiting basic flaws in most corporations’ security systems. These systems often do not encrypt stored data and use cloud computing servers, which are not secure.

Malik agreed, saying: “The hackers are good, but some of the systems that organizations have here are very poor.

“By and large, most organizations have very poor data infrastructure, very poor systems that allow hackers entry into their system.”

Jenkinson said open source intelligence is being exploited.

“I can look at any organization anywhere in the world, and ... their ... internet-facing assets—their websites, IP addresses and servers—and I can show you if they’re easily hackable or not,” he said.

“The reality is the security teams, the defenders of the realm, aren’t doing their job well enough. AI is definitely being utilized and exploited to identify the gaps.”

An IT researcher displays a ransomware-infected computer at the High Security Laboratory of the National Institute for Research in Computer Science and Automation in Rennes, France, on Nov. 3, 2016. Experts say over-reliance on commercial cloud servers leaves systems more exposed to cyberattacks. Damien Meyer/AFP via Getty Images

Jenkinson said a large part of the problem is over-reliance on commercial cloud server services, which he said have “exposed positions.”

He said that after 9/11, President George W. Bush gave an order that every major technology provider in the United States must allow the National Security Agency (NSA) to have “back door” access to its data.

“So now what you’ve got is cybercriminals exploiting exactly the same gaps that the NSA were exploiting from 2001 onwards, if not before,” he said.

The Cybersecurity and Infrastructure Security Agency publishes dozens of alerts about ransomware, malware, and other scams targeting corporations and public bodies in the United States.

“America suffers around 70 to 80 percent of the world’s cyberattacks,” Jenkinson said. “They are the most reliant country in the world on digital communications for everything, from where you pump your gas in the morning, from when you switch your lights on, everything relies on digital communications through industrial control systems.”

Malik said the consequences of hacking someone’s financial, personal, or medical data can be far-reaching.

“If you receive a letter to say your email address and your home address is now available because someone’s hacked into ‘ABC Limited,’ it might not make much of a difference,” he said.

“But the moment the letter says your national insurance number has been breached, your date of birth, your spouse’s details, your children’s details, a copy of your passport, that is enough information for anyone to impersonate you.

“It’s enough information for someone to try and open a bank account to try and gain credit, and the consequences of this can be far-reaching and severe.”

We had a problem loading this article. Please enable javascript or use a different browser. If the issue persists, please visit our help center.