Ransomware is a cybercrime idea as old as the computer itself. The idea is simple: break into a victim’s computer, encrypt all their files, and demand payment for decryption. That being said, the social dynamics at play during this interaction are anything but simple. Generally speaking, the cybercriminal has one goal: to get paid. In order for the victim to pay, they must trust that upon payment they will get their files back. This simple dichotomy gives rise to the Ransomware Trust Paradox
The Paradox
The Ransomware Trust Paradox, an idea coined by Max Smeets in April 2025, refers to the idea that inherently untrustworthy individuals or groups engaging in illegal access to often sensitive data must convince their victims of their trustworthiness to meet their ends (Smeets, 2025). This shows a marked difference between ransomware and other forms of both digital and conventional crime. Think about a bank robbery: both the robber and the ransomware operator have the same goal, to make money, but the bank robber is never trusted by the victim. Rather, they achieve their ends by force. What makes this idea so fascinating to me is the lengths ransomware groups will go to to secure trust from victims. To get an idea for this, let’s first look at the first ransomware, and see what is done differently today.
The First Ransomware
The story of the first ransomware is an interesting one, to say the least. It was created by Joseph Popp, an evolutionary biologist from Harvard working on AIDS research in the 80s. The malware was distributed by mailing floppy discs to attendees to a WHO conference on, believe it or not, AIDS research (O’Kane et al., 2018). Popp was quickly found and arrested, and while no one knows why he did this, his idea led to the creation of an entirely new criminal enterprise in ransomware. In premise, Popp’s ransomware worked on the same basic principle of ransomware today: infect a computer, encrypt everything, and demand payment for it back, but there were several key differences between Popp’s ransomware and modern ransomware. For one, his ransom note (the message telling victims what is happening and what they should do about it) was primitive and nowhere near visually appealing. On top of that, payment was asked to be sent to a PO Box in Panama (O’Kane et al., 2018). There was no clear indication of who the money was being sent to, or how sending cash to Panama would allow one to get their files back. Put yourself in the shoes of a researcher in the 80s. You probably wouldn’t pay in this situation, right?
Ransomware Today
These days, there are plenty of ransomware groups following in Popp’s footsteps taking various approaches to gaining trust. One ransomware group, Darkside, states plainly in their ransom note that they are here to make money, and if they did not return on their promise to decrypt their victim’s data, no one would pay them going forward (Smeets, 2025). This approach is backed by psychology. Studies have shown that, when marketing to a customer, companies that state their intentions plainly are more likely to gain trust (Dayal, 1999). This extends to the ransomware domain because ransomware operators are also trying to gain trust to receive payment. Another group, BlackCat, engages in anonymous “press releases” to clear up rumors about themselves. In this instance, various news outlets had misattributed attacks to BlackCat, and their “press release” attempted to clarify that they were not making any purely malicious attacks, their sole purpose was to make a deal and return the encrypted data (Smeets, 2025). Another vector of trust groups have exploited rests in User Interface (UI) design. Studies show that just changing the UI in a payment portal increased the number of users who shared their contact information by 31.3% (Yashimi, 2020). This demonstrated that interfaces based on familiar items or other interfaces makes people more likely to give up information (Yashimi et al., 2020). During Conti’s time operating as a ransomware group, they exploited this by using a professional looking ransom note, and sleek payment portals that made victims feel like they were completing a legitimate business transaction. There are many other strategies too, including providing 24/7 customer support, and referring to victims as “customers” (Smeets, 2025).
How Much Damage Does Ransomware Cause?
While it is hard to know exactly how much ransomware is costing year over year, many estimates exist. One estimate from the FBI placed ransomware at a market worth of 200 million USD, with one ransomware family (Cryptowall) totalling 18 million USD in losses in the US alone (O’Kane et al., 2018). How much ransomware operators are asking for in one attack varies by the operator and sometimes by the estimated worth of data encrypted. One company, Symantec, put average ransoms around 679 USD, with some as large as 6285 USD (O’Kane et al., 2018). This of course varies with the price of bitcoin, which is the most popular way for operators to demand payment (Huang et al., 2017). But who is paying these large ransoms? Turns out that, according to a study by Huang et al., 74.5% of Cerber (another family of ransomware) targets were residential. Because these numbers were based on internet service providers, this means that most targets used residential routers, so likely households. While the study is limited in scope due to these numbers being only related to one family of ransomware, these numbers are striking. While only somewhere between 1% and 3% of victims pay the ransom (O’Kane et al., 2018), one can easily see how lucrative the ransomware business is.
Overall, the Ransomware Trust Paradox is a theory that I find fascinating, the idea that criminal enterprises engaging in explicitly untrustworthy activities are exploiting trust to meet their ends is something never seen in the criminal world before the introduction of ransomware. Tracing ransomware from its roots reveals the importance of this paradox in the operations of modern ransomware groups, and helps us think about how to better defend against them. Going forward, individuals and corporations can use this idea to make better value judgments when they are hit by ransomware, and better understand how to defend themselves against it.
References
Dayal, S., Landesberg, H., & Zeisser, M. (1999). How to build trust online. Marketing Management, 8(3), 64. Retrieved from https://www.proquest.com/scholarly-journals/how-build-trust-online/docview/194194113/se-2
Huang, D. Y., Aliapoulios, M. M., Li, V. G., Invernizzi, L., Bursztein, E., McRoberts, K., Levin, J., Levchenko, K., Snoeren, A. C., & McCoy, D. (2018, May 1). Tracking Ransomware End-to-end. IEEE Xplore. https://doi.org/10.1109/SP.2018.00047
O’Kane, P., Sezer, S., & Carlin, D. (2018). Evolution of ransomware. IET Networks, 7(5), 321–327. https://doi.org/10.1049/iet-net.2017.0207
Shutterstock. (2024). Ransomware. In Ransomware explained: How it works and how to remove it.
Smeets, M. (2025). The Ransomware Trust Paradox. https://virtual-routes.org/wp-content/uploads/2025/04/Virtual-Routes-Pharos-Report-Series-No.-2.pdf
Yashmi, N., Momenzadeh, E., Taghipour Anvari, S., Adibzade, P., Moosavipoor, M., Sarikhani, M., & Feridouni, K. (2020). THE EFFECT OF INTERFACE ON USER TRUST; USER BEHAVIOR IN E-COMMERCE PRODUCTS. Proceedings of the Design Society: DESIGN Conference, 1, 1589–1596. https://doi.org/10.1017/dsd.2020.103
