Saturday, April 4


It started with pirates.

(Photo: Urszula Soltys)

“I have always been really interested in people. What makes people tick? How do people organise? What scuppers people’s dreams and how do they get back at the society?” says Anja Shortland, 53.

The professor of political economy at King’s College London was born in Germany, studied engineering and economics at Oxford University, earned a PhD in international relations from the London School of Economics, and built a career studying the economics and mechanics of crime networks: syndicates that take people hostage, steal fine art, hack into systems with ransomware.

At 46, she wrote her first book Kidnap: Inside the Ransom Business (2019); next came Lost Art: The Art Loss Register Casebook (2021).

The latest in what she calls her “unholy trinity on extortive crime” is We Know You Can Pay a Million: Inside the Dark Economy of Hacking and Ransomware (released as Dark Screens in the US). Due for release on April 9, it explores the large corporate set-ups that have grown up around the ransomware industry.

Her research in this area began in 2010. “I was the mother of a four-year-old boy who was really interested in pirates,” she laughs. This filled her head with questions: how are ransom rates set for ships; how do these businesses run; where does that confidence come from to commandeer a ship?

Tracing how ransoms are paid, Shortland began to explore the interplay between such crime and insurance, and discovered that Lloyd’s of London, for instance, now has “a whole stable of hostage negotiators, security consultants, and a hive of activity around such transactions.” Having moved this far from her original focus area of civil wars, conflict dynamics and peace dividends, she began to dig further.

Gangs that hold entire companies hostage, she learnt, now have corporate set-ups, with call centres and helplines, salaried employees and even HR departments. How exactly does this weird world function? How deep do the dangers go? Excerpts from an interview.

* You have an interesting analogy about the real cost of ransomware…

The most stunning aspect is the amount of havoc wreaked by ransomware compared to the amount collected by criminals. For a gain of $900 million by ransomware gangs in 2025, the cost to global business was estimated at a whopping $74 billion. It’s like trashing a car to steal a pair of sunglasses!

* What can you tell us about how the ransom rates are set?

Once a gang has access to a person’s computer or an organisation’s system, it can find out exactly where that person or company stands. They might even find one’s insurance certificate; they know your turnover, and exactly how much your cash reserve is.

Recently in the UK, the Jaguar Land Rover system was attacked and production was set back by weeks. Marks & Spencer, at one point last year, was basically flying blind in terms of what should be in stores, what they should be ordering, what had been sold. (In both cases, the companies did not confirm whether they eventually paid a ransom.)

Our critical infrastructure can be targeted. The vulnerabilities we created with our communication systems are against us. I wrote the book because I think people are a little bit too blasé about a perfectly predictable catastrophe.

* You write that major attacks are designed using social engineering. What does that mean?

Social engineering involves attacking companies via their employees, rather than hacking into computer systems directly. For example, criminals might entice someone to open an attachment to an email, click an insecure link, or divulge a password.

Sometimes the hackers phone in and pose as employees of the company; say, an engineer or manager who is out of the office and needs access to a particular file or service. Sometimes an employee may be blackmailed, or even roped into the conspiracy.

Social engineering often preys on people’s best traits: collegiality, curiosity, friendliness. But it preys equally successfully on their greed, envy or boredom.

* It isn’t just about money, is it?

What happens if a ransomware group deliberately targets a country? Take the Costa Rica attack in 2022. (The pro-Russian Conti Group claimed the first group of attacks and demanded a $10 million ransom in exchange for not releasing information stolen from the ministry of finance).

There were huge repercussions on people’s lives. Traders weren’t able to get export and import licences, people weren’t getting their salaries.

Before that, in 2021, the security management company Kaseya was attacked by the REvil group, impacting over 1,000 companies, and exposing the soft underbelly of IT security.

Do we want security or a little more convenience? What’s the right stance here? I want people to think about the trade-offs.

* These attacks have evolved quite rapidly.

Ransomware didn’t really become feasible until 2013, because there wasn’t, until the internet became widespread enough, a convenient way of getting malware into people’s computers. We had to wait for asymmetric encryption. Cryptocurrency has been the final piece of the puzzle, making it possible for criminals to safely accept ransom payments. The culture of silence around such attacks helps the criminals.

And now there are groups doing their government’s explicit or implicit bidding at running this kind of malware too.

* Meanwhile, AI looks set to arm both sides.

AI will make it easier for ransomware gangs to target companies and identify insecurities in systems. On the other hand, computer security firms are using AI to scan for suspicious activity more effectively as well. As my book shows, computer security and cybercrime are in an ongoing arms race between well-matched sides.

* Does the idea of ransom-war worry you?

We have seen ransomware being used for the purpose of ransom-war, but mostly it is used entirely for profit. Such attacks also, of course, hurt GDP. What I am more worried about, however, is not the steady drip-drip-drip of criminals leaching off global business, but the risk of a major outage in critical national infrastructure, and the lives and livelihoods that may be put at risk through that.

* On a more personal note, when not teaching or writing, where would we find you?

You would probably find me in the garden, workshop or music room. I am a flautist, a beekeeper and a potter!


CLICK ON THE LINK?: A QUICK LOOK BACK

* The world’s first piece of ransomware was created in 1989, by evolutionary biologist Joseph L Popp Jr, a 39-year-old who had been working part-time for the World Health Organization. At some point, possibly because he was denied a permanent position, he devised his scheme.

* He duplicated a questionnaire on 20,000 floppy discs and dispatched them by post to WHO researchers across 90 countries. Each disc contained a Trojan. Once the disc was inserted into a computer, the malware made the machine unusable until a “licence fee” of $189 had been sent, in cash or by cashier’s cheque, to a post-office box in Panama.

* The damage was sweeping. While some recipients were able to recover their computers themselves, others lost all the work on their devices. In 1990, Popp Jr was arrested for blackmail, extradited to the UK and eventually ruled unfit to stand trial due to mental illness. He died in 2007. It is still unclear whether he acted alone.


