On a Friday morning in May 2021, staff at Ireland’s Health Service Executive opened laptops to find files replaced by ransom notes. Surgeries canceled. Cancer treatments delayed. Ambulances rerouted. The attack was not a movie plot. It was ransomware, a business model that encrypts an organization’s data and demands payment, usually in cryptocurrency, for the decryption key. Hospitals, school districts, city governments, and Fortune 500 firms have all been hit. The question is no longer whether ransomware happens but how often, to whom, and whether anyone should pay.

This guide explains how ransomware works from initial breach to Bitcoin wallet, why public institutions are disproportionately vulnerable, what “double extortion” changed about the economics of crime, and what defenders — and citizens — can realistically do. If you have not read our cybersecurity basics guide, start there for password hygiene and backups; this article builds on that foundation to explain an entire criminal industry.

What ransomware actually does

At its core, ransomware is malicious software that makes data unusable until a victim pays for recovery. Early variants simply encrypted files on a single machine. Modern campaigns deploy across entire networks — file servers, backups, cloud sync folders, hypervisors — in hours.

The typical sequence:

Initial access — A phishing email with a malicious attachment, a stolen VPN password sold on a forum, an unpatched internet-facing server, or a compromised managed service provider (MSP) that holds keys to hundreds of clients.

Lateral movement — Attackers map the network, escalate privileges to domain administrator, disable security tools, and locate backups. They often dwell for days or weeks before triggering encryption — learning where the valuable data lives.

Encryption and ransom note — Files get encrypted with strong cryptography, typically a fresh symmetric key per file that is itself encrypted with the attackers’ public key, so nothing left on the victim’s machines can reverse it without the private key the attackers hold. Ransom notes appear on screens and in directories, pointing to a Tor site with payment instructions.

Extortion — Demands range from tens of thousands for small businesses to $50 million or more for large enterprises. Payment is requested in Bitcoin or increasingly Monero for harder-to-trace transfers.

Optional data leak — Many groups now steal data before encrypting and threaten to publish it if the ransom is not paid — “double extortion.”

Decryption keys sometimes work; sometimes they do not. Attackers have delivered broken decryptors, re-extorted victims who paid once, or simply disappeared. Paying is a gamble, not a guarantee.

From hobbyist vandalism to ransomware-as-a-service

Ransomware did not start as a billion-dollar industry. Early strains like CryptoLocker (2013) proved that anonymous payment rails — Bitcoin especially — could monetize encryption at scale. Criminals iterated fast.

Ransomware-as-a-service (RaaS) professionalized the model. Affiliates rent access to proven malware platforms (historically groups like REvil, Conti, LockBit — names rotate as law enforcement disrupts infrastructure). The platform operator takes a cut; affiliates handle intrusion and negotiation. Skill floor dropped. Volume surged.

Initial access brokers sell footholds separately — a market of specialists who compromise networks and auction credentials to the highest bidder. Ransomware operators buy access the way legitimate firms buy leads.

Negotiation firms and payment facilitators emerged on the defense side — controversial consultants who advise victims, negotiate with criminals, and sometimes arrange Bitcoin transfers. Insurers often drive the decision calculus when cyber policies cover ransom payments.

The result is a supply chain of crime mirroring legitimate software: developers, distributors, sales, customer support (criminal help desks for decryption issues are real), and finance. Law enforcement takedowns — seizure of servers, arrests of affiliates, recovery of wallet keys — interrupt but rarely eliminate the ecosystem. New brands rebrand old code within weeks.

Why hospitals and cities get hit

Attackers follow money and leverage. Hospitals and municipal governments offer both, and defend both poorly.

Legacy systems — Medical devices, billing software, and civic ERP platforms run on outdated operating systems that cannot be patched without vendor certification. An MRI machine running Windows 7 is a ransomware magnet.

24/7 operations — Downtime kills. A factory might tolerate two days offline; a trauma center cannot. Attackers know urgency increases payment probability.

Underfunded IT — Public sector security budgets trail private enterprise. Small IT teams cover thousands of endpoints. Cybersecurity basics — multifactor authentication, offline backups, patch cadence — are known best practices but inconsistently funded.

Interconnected dependencies — A county clerk’s office connects to courts, jails, tax systems, and schools. Compromise one vector, encrypt a region.

High-impact data — Patient records and citizen PII fuel double extortion. Regulatory fines for data breaches add pressure beyond operational recovery.

Notable cases illustrate the pattern:

Hollywood Presbyterian Medical Center (2016) — Among the first high-profile US hospital payments (~$17,000 in Bitcoin), normalizing public discussion of ransom as a line item.

WannaCry (2017) — Worm-like spread via NSA-leaked exploit; UK’s NHS disrupted at scale despite relatively low ransoms demanded — showed cascade failure from unpatched systems.

Colonial Pipeline (2021) — Fuel supply panic on the US East Coast; company paid ~$4.4 million (partially recovered by FBI); spotlight on critical infrastructure.

HSE Ireland (2021) — Refused to pay; months of recovery; national health system strain.

City governments — Baltimore, Atlanta, and smaller municipalities repeatedly paralyzed — property transfers halted, water billing stopped, police records inaccessible.

The victims are not stupid. They are constrained — by budget, by regulation, by the moral imperative to keep treating patients while IT rebuilds from bare metal.

The Bitcoin payment question

Cryptocurrency is not essential to ransomware logically — criminals used Western Union and prepaid cards in earlier eras — but Bitcoin solved a coordination problem: cross-border, pseudonymous settlement without a bank that can freeze the account mid-transfer.

How payment works — Victims receive a wallet address and deadline. Some negotiations reduce the price. Payment is visible on the blockchain; wallet clustering analytics link flows to exchanges where cash-out happens — leading to seizures when criminals slip.

Who pays — Surveys vary; a meaningful fraction of victims pay, higher among organizations with cyber insurance and active negotiators. Paying a sanctions-listed group is illegal in some jurisdictions; elsewhere payment is often treated as a desperate business decision.

Ethical and strategic debate — FBI and CISA generally advise against payment: it funds criminals, encourages repeat attacks, and does not ensure recovery. Insurers and boards sometimes calculate payment as cheaper than rebuild — especially when backups failed or data exfiltration threatens HIPAA-scale liability.

Sanctions complications — Paying groups designated as terrorist or sanctioned entities creates legal exposure for victims and facilitators — adding risk to an already fraught choice.

Trend toward Monero — Some groups prefer privacy coins to evade tracing; Bitcoin still dominates headline cases due to liquidity and victim familiarity.

Citizens rarely pay directly — but they absorb costs through tax increases after municipal recovery, insurance premium hikes, and delayed medical care.
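A small worked example of the wallet clustering mentioned above, added here and not part of the original article or of any real investigation: it applies the common-input-ownership heuristic (all inputs spent in one transaction are assumed to belong to one party) to a constructed set of simplified transactions, then follows the ransom payment forward to an address labelled as an exchange deposit. The transactions, addresses, amounts and the ExampleExchange label are all invented; real analytics also use change-address heuristics and exchange attribution data that this omits.

```python
from collections import defaultdict

# Constructed, simplified transactions: amounts in BTC, addresses are labels
# rather than real Bitcoin addresses. Invented for this example.
TXS = [
    # A victim pays the address named in the ransom note.
    {"id": "tx1", "inputs": [("victim_a", 10.0)], "outputs": [("ransom_1", 10.0)]},
    # The operator spends that payment together with another victim's payment
    # in one transaction: co-spending implies one party holds both keys.
    {"id": "tx2", "inputs": [("ransom_1", 10.0), ("ransom_2", 4.0)],
     "outputs": [("hop_1", 13.9), ("change_1", 0.1)]},
    # A 'peel' hop: most value moves on, a little comes back as change.
    {"id": "tx3", "inputs": [("hop_1", 13.9)],
     "outputs": [("hop_2", 13.5), ("change_2", 0.4)]},
    # Cash-out: consolidated with a third ransom and sent to an exchange deposit address.
    {"id": "tx4", "inputs": [("hop_2", 13.5), ("ransom_3", 2.5)],
     "outputs": [("exchange_deposit", 16.0)]},
    # Unrelated traffic that must stay outside the operator's cluster.
    {"id": "tx5", "inputs": [("merchant_a", 1.0)], "outputs": [("merchant_b", 1.0)]},
]

# Constructed attribution: which addresses belong to a named service. In practice
# this comes from exchange cooperation or prior seizures, never from the chain alone.
KNOWN_ENTITIES = {"exchange_deposit": "ExampleExchange"}


class UnionFind:
    """Disjoint-set forest: merges addresses believed to share a controller."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_by_common_input(txs):
    """Common-input-ownership heuristic: every input of one transaction is
    assumed to be controlled by the same party. Returns {input address: root}.
    CoinJoin-style transactions violate the assumption and are not handled here."""
    uf = UnionFind()
    for tx in txs:
        addrs = [addr for addr, _ in tx["inputs"]]
        for addr in addrs:
            uf.find(addr)  # register even single-input spends
        for other in addrs[1:]:
            uf.union(addrs[0], other)
    return {addr: uf.find(addr) for addr in uf.parent}


def trace_forward(txs, start):
    """Follow every spend of start and of each address reached from it.
    Returns the set of addresses the funds passed through, including start."""
    spends = defaultdict(list)
    for tx in txs:
        for addr, _ in tx["inputs"]:
            spends[addr].append(tx)
    reached, frontier = {start}, [start]
    while frontier:
        addr = frontier.pop()
        for tx in spends[addr]:
            for out_addr, _ in tx["outputs"]:
                if out_addr not in reached:
                    reached.add(out_addr)
                    frontier.append(out_addr)
    return reached


def link_ransom_flow(txs, ransom_addr, known_entities):
    """Addresses the heuristic ties to the operator along the ransom's path,
    plus the known entities (cash-out points) that path touches."""
    clusters = cluster_by_common_input(txs)
    reached = trace_forward(txs, ransom_addr)
    roots = {clusters.get(addr, addr) for addr in reached}
    linked = sorted(addr for addr, root in clusters.items() if root in roots)
    cashout = {addr: known_entities[addr] for addr in reached if addr in known_entities}
    return linked, cashout


if __name__ == "__main__":
    linked, cashout = link_ransom_flow(TXS, "ransom_1", KNOWN_ENTITIES)
    print("operator-linked addresses:", linked)
    print("cash-out points:", cashout)
```

Run as written, the first ransom payment ends up linked to two other victims’ payments (ransom_2 and ransom_3) only because the operator consolidated them before cashing out; mixing services that put many parties’ inputs in one transaction deliberately break this assumption, which is what “when criminals slip” means in practice.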

Double extortion and the data leak site economy

Encrypt-only attacks assumed backups would eventually restore operations without payment. Double extortion — steal first, encrypt second — attacks that assumption.

Attackers steal terabytes before encrypting and post samples on leak portals: employee SSNs, customer credit cards, executive emails, patient diagnoses. Even if IT restores from backup, criminals threaten publication unless paid, so the ransom now buys silence as well as a decryptor. Some run triple extortion: DDoS attacks or calls to customers and journalists amplifying pressure.

Leak sites operate as dark-web press rooms with countdown timers, a grotesque parody of SaaS product marketing. Data sometimes sells to fraudsters even when victims pay, because a victim has no way to verify or enforce a criminal’s promise to delete it.

For hospitals, leaked patient data triggers HIPAA investigations, class actions, and reputational damage exceeding ransom amounts. For cities, leaked police internal affairs files and resident data create political crises. The extortion surface expanded from availability (can we work?) to confidentiality (what will the public see?).

Defenders responded with immutable backups, network segmentation, and exfiltration detection — monitoring outbound data flows for anomalous uploads. None are foolproof against patient adversaries with weeks inside the network.
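As an added illustration of the exfiltration detection described above (example code written for this page, not the article’s own material or a vendor product), the following compares each host’s daily external egress against the median of its earlier days and notes when most of the bytes left outside business hours. The flow records, host names, destinations, the 10x ratio, the 1 GB floor and the 07:00–19:59 business window are all constructed assumptions; a real deployment would take them from the organization’s own flow logs and baselines.

```python
from collections import defaultdict
from datetime import datetime
import ipaddress
import statistics

# Constructed flow records: (timestamp, source host, destination, bytes sent).
# Invented hosts, destinations and volumes for this example only.
FLOWS = [
    # ws-042: a few MB a day of updates and mail...
    ("2024-03-01T10:02:00", "ws-042", "updates.example-vendor.net", 12_000_000),
    ("2024-03-01T11:15:00", "ws-042", "mail.example.org", 3_000_000),
    ("2024-03-02T09:40:00", "ws-042", "updates.example-vendor.net", 15_000_000),
    ("2024-03-03T14:10:00", "ws-042", "mail.example.org", 4_000_000),
    ("2024-03-04T10:00:00", "ws-042", "10.0.5.20", 900_000_000),  # internal file server, not egress
    # ...then 75 GB to a cloud storage host between 02:00 and 03:00 (the staging step).
    ("2024-03-05T02:10:00", "ws-042", "storage.example-cloud.net", 35_000_000_000),
    ("2024-03-05T02:40:00", "ws-042", "storage.example-cloud.net", 40_000_000_000),
    # srv-bk01: pushes about 2 GB offsite every night. Large and off-hours, but steady.
    ("2024-03-01T23:30:00", "srv-bk01", "vault.example-backup.net", 2_000_000_000),
    ("2024-03-02T23:30:00", "srv-bk01", "vault.example-backup.net", 2_200_000_000),
    ("2024-03-03T23:30:00", "srv-bk01", "vault.example-backup.net", 1_900_000_000),
    ("2024-03-04T23:30:00", "srv-bk01", "vault.example-backup.net", 2_100_000_000),
    ("2024-03-05T23:30:00", "srv-bk01", "vault.example-backup.net", 2_050_000_000),
]

# Assumptions for this example; a real deployment takes these from its own network.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
BUSINESS_HOURS = range(7, 20)   # 07:00-19:59 local
RATIO = 10.0                    # a day must exceed 10x the host's median day...
ABS_FLOOR = 1_000_000_000       # ...and at least 1 GB, so quiet hosts do not alert on noise


def is_external(dest):
    """Hostnames count as external (internal names would be allow-listed in
    practice); IP literals are checked against RFC 1918 ranges and loopback."""
    try:
        ip = ipaddress.ip_address(dest)
    except ValueError:
        return True
    return not ip.is_loopback and not any(ip in net for net in INTERNAL_NETS)


def daily_egress(flows, business_hours=BUSINESS_HOURS):
    """{host: {ISO date: [external bytes, external bytes sent off-hours]}}."""
    totals = defaultdict(lambda: defaultdict(lambda: [0, 0]))
    for ts, host, dest, nbytes in flows:
        if not is_external(dest):
            continue
        when = datetime.fromisoformat(ts)
        bucket = totals[host][when.date().isoformat()]
        bucket[0] += nbytes
        if when.hour not in business_hours:
            bucket[1] += nbytes
    return totals


def detect_exfil(flows, ratio=RATIO, floor=ABS_FLOOR):
    """Walk each host's days in order and compare each day to the median of
    the days before it. Returns [(host, day, bytes, reasons)]."""
    alerts = []
    for host, days in daily_egress(flows).items():
        history = []
        for day in sorted(days):
            total, off_hours = days[day]
            if history:  # the first observed day has nothing to compare against
                baseline = statistics.median(history)
                if total >= floor and total > ratio * baseline:
                    reasons = [f"{total / 1e9:.1f} GB egress vs median {baseline / 1e6:.0f} MB/day"]
                    if off_hours > total / 2:
                        reasons.append("most bytes left outside business hours")
                    alerts.append((host, day, total, reasons))
            history.append(total)
    return alerts


if __name__ == "__main__":
    for host, day, total, reasons in detect_exfil(FLOWS):
        print(f"{host} {day}: " + "; ".join(reasons))
```

Because the median is taken over prior days only, the baseline is not inflated by the exfiltration day itself, and the steady nightly backup server never trips the ratio. The gap is a host first seen on the day it exfiltrates, which produces no alert here; an absolute per-destination cap and default-deny egress for servers that have no business talking to cloud storage cover that case.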

Anatomy of a modern intrusion (simplified timeline)

Understanding attack timelines helps boards fund prevention before headlines arrive.

Day 0 — Phishing email or stolen VPN creds. Single workstation compromised.

Days 1–7 — Credential dumping, Active Directory reconnaissance, privilege escalation. Attackers identify backup servers and security appliance admin consoles.

Days 7–21 — Data staging: compress and upload to cloud storage or attacker infrastructure during off-peak hours. Mapping of critical apps — Epic EHR, SAP, SCADA if misconnected.

Day X — Encryption payload deployed via Group Policy or remote execution. Backup deletion scripts run. Ransom notes propagate.

Hour X+1 — SOC alerts if present; often too late. CEO on emergency call with legal, insurance, FBI field office.

Weeks 1–6 — Rebuild Active Directory, restore backups (if viable), manual malware eradication, public disclosure, regulatory notification, credit monitoring offers.

Organizations with mature detection compress dwell time from weeks to days, the difference between a contained incident and an existential crisis. Cybersecurity basics like enabling MFA on every remote access path directly close the most common Day 0 vectors.
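The timeline above names techniques that leave process-creation evidence. The following is an added hunting example (not from the article or any vendor ruleset) that tags constructed Sysmon-style events with the stage they belong to and then correlates them two ways: any shadow-copy deletion or boot-recovery change alerts on its own, and three or more distinct stages within a 21-day window across the estate is flagged as a probable campaign. Hosts, users, paths and the 21-day window are invented; the command-line patterns correspond to widely documented ransomware precursors but are a starting set, not complete coverage.

```python
import re
from datetime import datetime, timedelta

# Constructed process-creation events (Sysmon-like): time|host|user|image|command line.
# Two benign lines (a scheduled backup job and an admin listing shadow copies) are
# included to show what the rules must not match. Everything here is invented.
EVENTS = r"""
2024-03-02T09:12:00|WS-042|corp\j.doe|C:\Windows\System32\nltest.exe|nltest /dclist:corp.local
2024-03-02T09:13:30|WS-042|corp\j.doe|C:\Windows\System32\net.exe|net group "Domain Admins" /domain
2024-03-03T22:05:10|WS-042|corp\j.doe|C:\Windows\System32\rundll32.exe|rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 712 C:\Users\Public\ls.dmp full
2024-03-09T01:40:00|SRV-FS01|corp\svc_backup|C:\Users\Public\rclone.exe|rclone copy D:\Shares\Finance remote:staging --transfers 8
2024-03-14T03:00:05|SRV-DC01|corp\adm-backup|C:\Windows\System32\vssadmin.exe|vssadmin delete shadows /all /quiet
2024-03-14T03:00:09|SRV-DC01|corp\adm-backup|C:\Windows\System32\bcdedit.exe|bcdedit /set {default} recoveryenabled no
2024-03-14T03:01:00|SRV-DC01|corp\adm-backup|C:\Tools\PsExec.exe|psexec \\WS-* -accepteula -s -d C:\Windows\Temp\svchost.exe
2024-03-14T08:30:00|SRV-BK01|corp\svc_backup|C:\Windows\System32\wbadmin.exe|wbadmin start backup -backupTarget:E: -quiet
2024-03-14T09:00:00|WS-017|corp\it.ops|C:\Windows\System32\vssadmin.exe|vssadmin list shadows
"""

# (stage, label, case-insensitive pattern over the command line). A starting set
# for the techniques the timeline names, not a complete or vendor-specific ruleset.
RULES = [
    ("discovery", "AD enumeration",
     r"\bnltest\b.*/dclist|\bnet\s+group\b.*domain admins|\badfind\b"),
    ("credential_access", "LSASS memory dump",
     r"comsvcs\.dll.*minidump|\bsekurlsa\b|\bmimikatz\b"),
    ("staging", "bulk archive or sync tooling",
     r"\brclone\b.*\bcopy\b|\b7z\b.*\s-p|\brar\b.*\s-hp"),
    ("backup_tampering", "shadow copy or backup catalog deletion",
     r"vssadmin.*\bdelete\s+shadows|wmic.*shadowcopy\s+delete|wbadmin.*\bdelete\s+catalog|win32_shadowcopy.*delete"),
    ("recovery_disable", "boot recovery disabled",
     r"bcdedit.*recoveryenabled\s+no|bcdedit.*bootstatuspolicy\s+ignoreallfailures"),
    ("deployment", "remote execution fan-out",
     r"psexec.*\\\\\S+.*\s-s\b|wmic.*/node:.*process\s+call\s+create"),
]
HIGH_FIDELITY = {"backup_tampering", "recovery_disable"}  # alert on a single event


def parse_event(line):
    ts, host, user, image, cmd = line.split("|", 4)
    return {"time": datetime.fromisoformat(ts), "host": host, "user": user,
            "image": image, "cmd": cmd}


def tag_events(lines):
    """Attach the first matching rule's stage and label to each event; drop the rest."""
    tagged = []
    for line in lines:
        if not line.strip():
            continue
        event = parse_event(line)
        for stage, label, pattern in RULES:
            if re.search(pattern, event["cmd"], re.IGNORECASE):
                tagged.append({**event, "stage": stage, "label": label})
                break
    return tagged


def correlate(tagged, window=timedelta(days=21), min_stages=3):
    """Two views: per-event alerts for high-fidelity stages, and the widest
    multi-stage sequence inside any window (the 'campaign' across hosts)."""
    tagged = sorted(tagged, key=lambda e: e["time"])
    host_alerts = [(e["host"], e["time"].isoformat(), e["stage"], e["label"])
                   for e in tagged if e["stage"] in HIGH_FIDELITY]
    campaign = None
    for i, start in enumerate(tagged):
        in_window = [e for e in tagged[i:] if e["time"] - start["time"] <= window]
        stages = sorted({e["stage"] for e in in_window})
        if len(stages) >= min_stages and (campaign is None or len(stages) > len(campaign["stages"])):
            campaign = {"first": start["time"].isoformat(), "last": in_window[-1]["time"].isoformat(),
                        "hosts": sorted({e["host"] for e in in_window}), "stages": stages}
    return host_alerts, campaign


def hunt(raw=EVENTS):
    return correlate(tag_events(raw.splitlines()))


if __name__ == "__main__":
    alerts, campaign = hunt()
    for alert in alerts:
        print("ALERT", *alert)
    print("campaign:", campaign)
```

The point of the two-level correlation is the timeline itself: the discovery and credential events on Day 1–7 look like an administrator having a bad day, and only the shadow-copy deletion on Day X is unambiguous, but by then encryption is seconds away. Stitching the earlier, low-confidence stages together across hosts is what buys the days the text describes.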

Defensive layers that actually matter

No single product stops ransomware. Defense in depth is cliché because it works when funded.

Identity and access — MFA everywhere, especially VPN and email. Phishing-resistant FIDO2 keys for admins. No shared local administrator passwords.

Patching and asset inventory — You cannot patch what you do not know exists. Internet-facing services updated within days of critical CVEs, not months.

Backup strategy — 3-2-1 rule: three copies, two media types, one offline or immutable. Test restores quarterly — untested backups are wishful thinking. Ransomware specifically hunts backup agents.

Network segmentation — Clinical networks separated from guest WiFi and email workstations. Domain admin accounts never used for email or web browsing.

Endpoint detection and response (EDR) — Behavioral monitoring catches lateral movement and credential dumping that signature-based antivirus misses.

Email filtering and user training — Reduce phishing success; training alone is insufficient but complements technical controls.

Incident response plan — Pre-negotiated forensics firm, legal counsel, communication templates. First call should not be “who do we hire?” during encryption.

Supply chain scrutiny — MSP compromise remains a top vector; vendors must meet same standards as internal IT.
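Testing a restore means more than confirming the backup job finished. The following added example (not the article’s or any backup vendor’s code) records a manifest of path, size and SHA-256 for every file at backup time and compares a restored tree against it, reporting missing, altered and unexpected files. The constructed scenario keeps one file intact, overwrites another in place with same-length garbage the way in-place encryption does, drops a third, and adds a ransom note; all paths and contents are invented.

```python
import hashlib
import os
import tempfile


def sha256_file(path):
    """Stream a file through SHA-256 so large backups never need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Map relative path -> (size, sha256) for every file under root.
    Taken at backup time and kept apart from the backup media, so an attacker
    who reaches the backups cannot quietly rewrite the manifest as well."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = (os.path.getsize(full), sha256_file(full))
    return manifest


def verify_restore(manifest, restored_root):
    """Compare a restored tree against the manifest. Size alone is not enough:
    in-place encryption often keeps the length and changes every byte."""
    restored = build_manifest(restored_root)
    missing = sorted(set(manifest) - set(restored))
    unexpected = sorted(set(restored) - set(manifest))
    corrupted = sorted(p for p in manifest if p in restored and restored[p] != manifest[p])
    return {"missing": missing, "corrupted": corrupted, "unexpected": unexpected,
            "ok": not missing and not corrupted}


def simulate_restore_test():
    """Constructed scenario in a temporary directory: take a manifest of a
    small source tree, then 'restore' a copy in which one file is intact, one
    was overwritten in place, one is absent and a ransom note appeared."""
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "source")
        dst = os.path.join(tmp, "restored")
        os.makedirs(os.path.join(src, "records"))
        os.makedirs(os.path.join(dst, "records"))
        files = {  # invented contents
            "records/patient_0001.txt": b"constructed record A\n",
            "records/patient_0002.txt": b"constructed record B\n",
            "schedule.csv": b"date,room\n2024-03-05,OR-2\n",
        }
        for rel, data in files.items():
            with open(os.path.join(src, rel), "wb") as fh:
                fh.write(data)
        manifest = build_manifest(src)

        with open(os.path.join(dst, "records/patient_0001.txt"), "wb") as fh:
            fh.write(files["records/patient_0001.txt"])          # intact
        with open(os.path.join(dst, "records/patient_0002.txt"), "wb") as fh:
            fh.write(bytes(b ^ 0x5A for b in files["records/patient_0002.txt"]))  # same length, altered
        with open(os.path.join(dst, "README_TO_RESTORE.txt"), "wb") as fh:
            fh.write(b"constructed ransom note\n")                  # unexpected file
        return verify_restore(manifest, dst)


if __name__ == "__main__":
    print(simulate_restore_test())
```

A quarterly restore test that runs this against a scratch location answers the question that matters: not “did the job succeed” but “is every file we depend on back, byte for byte.” The manifest has to live somewhere the backup agent’s credentials cannot reach, for the same reason the text says ransomware hunts backup agents.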

Public institutions struggle to implement every layer simultaneously — which is why federal grant programs and cyber insurance mandates increasingly tie funding to baseline controls.

Law enforcement, regulation, and international limits

Ransomware is transnational by design — developers in one country, servers in another, victims everywhere. Jurisdiction friction slows response.

FBI and partners — Encourage reporting via IC3; provide indicators of compromise; occasionally recover wallets or seize infrastructure (LockBit disruptions, Hive takedown). Reporting helps collective defense even when individual recovery seems hopeless.

OFAC sanctions — Designating wallet addresses and groups changes payment calculus for US entities.

Bilateral friction — Safe havens where extradition is unlikely allow operators to persist. Diplomatic pressure and occasional arrests of travelers in allied countries punctuate otherwise uneven enforcement.

Disclosure rules — SEC cyber incident reporting, HIPAA breach notification, GDPR timelines — force transparency that aids epidemiological tracking of campaign patterns.

Proposed payment bans — Some legislatures debate prohibiting public entities from paying ransoms — reducing incentive but potentially lengthening recovery for under-resourced victims. Unresolved policy tension.

Law enforcement wins are real but episodic. Defenders should assume no rescue — build as if payment and decryption will not be available.

Insurance, moral hazard, and the cost spread

Cyber insurance grew from niche to standard for mid-size firms and municipalities. Policies may cover ransom negotiation, forensics, business interruption, and legal defense.

Moral hazard critique — Insurers paying ransoms allegedly fuels the ecosystem — criminals target insured victims knowing coverage exists. Insurers respond with mandatory control audits, higher premiums after claims, and co-pay structures for ransom.

Premium inflation — Post-2020 ransomware wave, many organizations faced 2–3x premium increases or non-renewal unless implementing specified controls (MFA, EDR, offline backups).

Self-insurance — Large cities and hospital systems sometimes absorb risk — betting on resilience over premiums — with mixed outcomes.

Citizens pay regardless — through taxes funding recovery bonds, through hospital bills reflecting IT security surcharges, through insurance premiums embedded in every product price.

What citizens should demand and what they can do

Individual citizens are rarely ransomware targets directly — but they depend on institutions that are.

Demand funded IT for public services — School board and city council elections should treat cyber hygiene as infrastructure comparable to bridges. Cheap IT is expensive after encryption.

Ask hospitals about backup and downtime plans — Transparency pressures accountability without requiring public vulnerability maps attackers could abuse.

Personal hygiene still matters — Reused passwords on work email become organizational entry points. Follow cybersecurity basics: password manager, MFA, skepticism toward urgent attachments.

Support breach notification without voyeurism — When leak sites publish stolen data, sharing links amplifies harm to neighbors whose medical records were exposed.

Recognize downtime as real harm — Delayed chemo is violence by proxy. Ransomware is not victimless financial crime.

The AI and datacenter angle (emerging risk)

Ransomware operators follow compute and data concentration. AI training clusters and cloud regions hold valuable intellectual property, model weights and customer datasets, making hyperscale facilities attractive targets. An encrypted model checkpoint or a poisoned training pipeline could extort differently than city hall, threatening trade secrets rather than property deeds.

AI-assisted phishing lowers barrier to convincing spear-phish — cloning executive voices and writing flawless lures. Defenders use AI for anomaly detection. Arms race accelerates both sides.

Critical infrastructure overlap grows as power grids and water systems add remote monitoring — OT/IT convergence expands attack surface if segmentation fails.

Some campaigns skip encryption entirely: pure extortion based on stolen data alone avoids the forensic noise that encryption triggers while still demanding payment.

Supply chain attacks — Compromise software update channels (SolarWinds pattern) or MSP tools to hit thousands downstream simultaneously. Ransomware groups purchase access from supply-chain specialists.

Initial access market commoditization — Prices for VPN creds and RDP ports listed like commodities; ransomware becomes final monetization step in a pipeline.

Regulatory mandatory minimum controls — NIS2 in EU, US state laws requiring baseline security for covered entities — slowly raising floor.

Decryption tools occasionally released when law enforcement captures keys — free recovery for specific strains if victims identify variant early.

Conclusion: treat ransomware as infrastructure failure

Ransomware is not a mysterious hacker genius problem. It is a predictable outcome of under-maintained systems, concentrated leverage, anonymous payments, and criminal specialization — applied against institutions society refuses to fund adequately until after catastrophe.

Paying Bitcoin does not fix the structural gap. Backups, MFA, segmentation, and tested incident response fix more — not perfectly, but enough to change negotiation dynamics from desperation to choice.

When the next hospital delays surgery or city stops issuing marriage licenses, the story is not exotic cyber wizardry. It is encryption plus extortion plus budget — and the bill eventually reaches everyone who assumed IT was someone else’s problem.


Lumen is edited by Leo Hartmann. Related: Cybersecurity Basics Everyone Needs · Data Centers Energy and Water