In May 2021, a ransomware attack on Colonial Pipeline — which supplies roughly 45 percent of the East Coast's fuel — forced a five-day shutdown that produced fuel shortages across the southeastern United States, long lines at gas stations, panic buying, and a declaration of regional emergency in multiple states. The attackers, a criminal group operating out of Russia known as DarkSide, received a ransom payment of approximately $4.4 million in Bitcoin. The FBI subsequently recovered a portion of it. The pipeline eventually came back online.

The entire disruption was caused by criminals with keyboards, motivated by money, operating from a country that provides them sanctuary. That is the ransomware threat in its current form — not science fiction, not a distant possibility, but a demonstrated capability to produce significant national-scale disruption through attacks on civilian infrastructure.

The Evolution of Ransomware

Early ransomware was a relatively unsophisticated crime. Malware encrypted a victim's files; the victim paid a modest sum to get the decryption key. The targets were individuals and small businesses, the ransoms were measured in hundreds of dollars, and the operators were often individual criminals rather than organized groups.

The transition to what security researchers call "big game hunting" — targeting large organizations for large ransoms — changed the risk calculus entirely. Modern ransomware operations are structured like businesses, with affiliate models that allow technical operators to focus on malware development while recruiting partners to handle intrusion and deployment. They maintain customer service operations to facilitate ransom negotiations. They conduct due diligence on victims' financial positions to calibrate demands. They threaten to publish stolen data — double extortion — to increase pressure on victims who might otherwise restore from backups.

The professionalization of ransomware has produced attacks that are more targeted, more sophisticated, and more damaging than anything the early criminal ecosystem could have generated.

The Sanctuary Problem

The most operationally significant fact about ransomware is that the most capable and damaging groups operate with effective impunity from Russia and several other states. This is not because these governments are incapable of arresting their own citizens. It is because they choose not to — or because the criminal groups have relationships with state security services that make them politically untouchable.

DarkSide, the Colonial Pipeline attackers, dissolved shortly after the attack following what appeared to be pressure from Russian authorities — pressure motivated not by law enforcement principles but by the diplomatic heat the attack generated. The group's members are believed to have reconstituted under different names. No one has faced criminal accountability.

This arrangement serves Russian strategic interests. Criminal ransomware groups provide deniable disruptive capability against Western infrastructure. If they become diplomatically inconvenient, pressure can be applied — demonstrating Russian leverage over the groups and providing a diplomatic off-ramp. The arrangement is not accidental.

The Target Set

Ransomware groups have demonstrated a willingness to attack targets with potentially lethal consequences. Hospitals have been targeted during the COVID-19 pandemic. Water treatment facilities have been compromised. School districts, municipal governments, and emergency services have faced attacks that degraded their ability to function.

The healthcare sector has been particularly targeted, in part because hospitals face acute pressure to restore operations quickly — making them more likely to pay — and in part because patient care creates direct life-safety consequences that increase payment urgency. Several hospitals have reported incidents in which patient care was compromised during ransomware attacks.

The Policy Response

U.S. policy has shifted meaningfully in response to ransomware's emergence as a national security threat. Ransomware attacks on critical infrastructure have been elevated to a priority comparable to terrorism within federal law enforcement. The Treasury Department has sanctioned cryptocurrency exchanges that facilitate ransom payments. International partnerships to share intelligence and coordinate law enforcement actions have expanded.

These measures have produced some results — arrests, infrastructure seizures, ransom recoveries. They have not fundamentally disrupted the ransomware ecosystem. As long as capable groups can operate from jurisdictions that will not extradite them, and as long as cryptocurrency provides a relatively frictionless payment mechanism, ransomware will remain a profitable and politically tolerated activity.

The gap between the sophistication of the threat and the adequacy of the response is where the risk lives — and it is a gap that the next major attack will make impossible to ignore.

Kyle Rudd
Intelligence Researcher · DHS · Cambridge · ODNI IC-CAE
Analysis by Kyle Rudd — The Rudd Report