Ransom as a Business Model

The Canvas learning management system was hacked a couple of days ago, so this seems like a good time to point out that extortion, if it’s professional enough, is indistinguishable from any other fee-for-service arrangement. The victim pays for the return of something that was theirs, the captor provides a guarantee of safety, intermediaries take a cut, and everyone has an interest in the transaction completing cleanly.

In 1994, when the FARC guerrilla organization in Colombia was near the height of its power, kidnapping was a line item in its budget. The organization maintained specialized units for identifying targets, executing abductions, holding captives in jungle camps, and conducting negotiations. Insurance companies led by Lloyd’s of London responded by creating kidnap-and-ransom (K&R) policies for multinational corporations, and specialist firms like Control Risks Group built a business on negotiating with kidnappers. By the late 1990s, an abduction in Colombia, Venezuela, or the Philippines was like buying a house: the kidnapper demanded a high figure, the negotiator offered a low one, and after weeks or months of back-and-forth they agreed on something in the middle and settled up in cash.

Both sides had an interest in making this run smoothly; in particular, kidnappers who killed hostages damaged their own reputations with future potential clients. Researchers studying the “industry” found that K&R specialists worked hard to prevent ransom inflation: they trained negotiators to push back, kept payment records confidential, and advised clients not to advertise their coverage, because a public policy was an advertisement for kidnapping your staff.

The rise of ransomware attacks over the last decade has followed the same path. The 2017 WannaCry attack encrypted hundreds of thousands of computers across 150 countries in a single weekend, demanding Bitcoin payments in exchange for decryption keys; the attack was later blamed on North Korean state actors. Four years later, the DarkSide ransomware group (probably based in Russia) shut down the Colonial Pipeline in the United States and demanded approximately $4.4 million in Bitcoin. The company paid within hours.

Modern ransomware groups operate on an affiliate model: the core developers write the malware and maintain the payment infrastructure, while affiliates handle the actual intrusions. On the other side of the table, cybersecurity firms handle the details just like Control Risks Group did, and cyber insurance policies now cover ransom payments, which means that insurance companies are wrestling with the same concerns about moral hazard and ransom inflation that Lloyd’s was worrying about in the 1990s.

When Colonial Pipeline paid DarkSide, they almost certainly broke US Treasury rules prohibiting payments to sanctioned entities. Governments have been consistently inconsistent in their positions on this: they urge companies not to pay while acknowledging privately that there is no realistic alternative. This is the same ambivalence that surrounded K&R payments in the 1980s, when Western governments officially discouraged negotiating with kidnappers while intelligence services routinely assisted with exactly that.
