Episode 352: Inside the Ransomware Economy: Incentives, Governance, and Risk with Anja Shortland

This episode hosts Professor Anja Shortland, returning to the podcast following her previous appearance in 2021, to examine how ransomware has evolved into a sophisticated and highly organised form of cybercrime, operating as a global market shaped by incentives, reputation, and weak governance. The conversation explores the scale of the threat, with billions in annual losses, and how attacks extend far beyond encryption to include data theft, business disruption, and systemic risk across both public and private sectors. We discuss how ransomware groups operate in practice, from initial access and reconnaissance to pricing ransoms based on a victim’s ability to pay, as well as the rise of “double extortion” tactics that increase pressure even when organisations have strong backups.

The episode also considers the broader ecosystem that sustains ransomware, including the blurred lines between criminal and state-linked actors, and the expanding role of insurers, negotiators, and cybersecurity specialists in managing incidents. A central theme is the tension between individual and collective responses: while paying ransoms may minimise immediate damage for victims, it reinforces the long-term viability of the model. 

Professor Anja Shortland is Professor of Political Economy at King’s College London. Her research focuses on how criminal markets function in environments where formal governance is weak or absent, including piracy, kidnapping, art theft, and ransomware. She is the author of We Know You Can Pay a Million: Inside the Dark Economy of Hacking and Ransomware (published in North America as Dark Screens: Hackers and Heroes in the Shadowy World of Ransomware), where she examines the economic structures, incentives, and actors shaping the global cybercrime ecosystem. 

The International Risk Podcast brings you conversations with global experts, frontline practitioners, and senior decision-makers who are shaping how we understand and respond to international risk. From geopolitical instability and organised crime to cybersecurity threats and hybrid warfare, each episode explores the forces transforming our world and what smart leaders must do to navigate them. Whether you’re a board member, policymaker, or risk professional, The International Risk Podcast delivers actionable insights, sharp analysis, and real-world stories that matter.

The International Risk Podcast is sponsored by Conducttr, a realistic crisis exercise platform. Conducttr offers crisis exercising software for corporates, consultants, humanitarian, and defence & security clients. Visit Conducttr to learn more.

Dominic Bowen is the host of The International Risk Podcast and Europe’s leading expert on international risk and crisis management. As Head of Strategic Advisory and Partner at one of Europe’s leading risk management consulting firms, Dominic advises CEOs, boards, and senior executives across the continent on how to prepare for uncertainty and act with intent. He has spent decades working in war zones, advising multinational companies, and supporting Europe’s business leaders. Dominic is the go-to business advisor for leaders navigating risk, crisis, and strategy; trusted for his clarity, calmness under pressure, and ability to turn volatility into competitive advantage. Dominic equips today’s business leaders with the insight and confidence to lead through disruption and deliver sustained strategic advantage.

Transcript

00:00
Anja Shortland
We as willing victims are very much part of that ecosystem. So many things could be prevented just with a little bit better cyber hygiene.

00:11
Elisa Garbil
Welcome back to the International Risk Podcast, where we discuss the latest world news and significant events that impact businesses and organisations worldwide.

00:20
Dominic Bowen
Today’s episode is sponsored by Conducttr. It’s a crisis exercising software that’s built for corporates, consultants, humanitarian teams, and defence and security organisations. It lets you build exercises fast using its intuitive scenario editor and ready-made content. I’ve used Conducttr and I can testify that if you use PowerPoint or Excel still, well it’s time to start looking at Conducttr. If you want your teams to be genuinely ready for the next crisis, then Conducttr is certainly worth a look. And before we start today, I have a quick favour to ask you. If you listen to The International Risk Podcast and you find it useful, please follow and subscribe wherever you are watching and listening today. In return, my commitment to you is simple that every week we will keep raising the bar with better guests, sharper questions and more practical takeaways for you that you can use to make better decisions. And if there is someone you want on the show, tell me. We read all of your comments, and we act on them. Let’s get onto the show.

01:23
Dominic Bowen
Ransomware is a mature criminal industry with brands, affiliates, and often even with their own HR departments, and the stakes are massive.
Today’s guest is Professor Anja Shortland. She’s the Professor of Political Economy at King’s College in London and, honestly, she’s one of the clearest thinkers on how criminal markets actually function and why ransomware has become one of the most dangerous and profitable forms of transnational crime. We had Anja on the podcast in Episode 53 back in 2021 when we discussed piracy as well as stolen and looted art. That was a great conversation if you’re interested, so go back and have a listen to that. Professor Anja Shortland studies what happens when crime, markets, and weak governance all collide.
I’m Dominic Bowen, the host of the International Risk Podcast, and we discuss here the topics that really matter. In today’s episode, we’re examining the international risk of hacking, and we’re doing it through the lens of Anja’s new book, ‘We Know You Can Pay a Million: Inside the Dark Economy of Hacking and Ransomware’. If you’re listening to us from North America, you’ll find the book under a slightly different title. It’s called ‘Dark Screens: Hackers and Heroes in the Shadowy World of Ransomware’. We’ll include links in the show notes below.
Anja, welcome back to the International Risk Podcast.

02:37
Anja Shortland
How lovely to be talking to you again.

02:39
Dominic Bowen
What’s been keeping you busy since we spoke five years ago? My gosh, time flies.

02:45
Anja Shortland
Indeed, yes. So I’m still in that grey zone between legal entities and criminal organisations. Still fascinated by that tricky trade where somebody’s just been victimised by a criminal organisation who then has to get into a transaction with them and successfully complete that transaction, get their treasure back. As you said, my first book was on kidnap and piracy, the second was on art recovery, and now we have a third one in my unholy trinity. It’s about ransomware and stolen data and how you can retrieve those.

03:23
Dominic Bowen
They really are interesting topics. I’ve got your book on stolen art on my bookshelf, and it’s a great read. I do encourage people to go back and listen to that episode.
People can think it’s a little bit morbid, but, at least once a week, I’m traveling around Europe speaking on a variety of topics – often it’s around geopolitics and hybrid threats. Increasingly, I’m speaking to government agencies, corporate entities, and at conferences about organised crime and its penetration into civil society and its penetration into the corporate world. It’s amazing even today, despite the fact that we’re talking about this so often, how many people still go ‘no, surely that’s not real, that doesn’t really happen in 2026’.

04:00
Anja Shortland
Yeah, what we have with cybercrime is a curious situation in which some states smile on cybercrime as long as no Russian people get hacked and unharmed by a ransomware gang’s activities. It’s kind of fine for them to needle and leech on Western interests, whereas Western businesses, there is a consensus that they should not be targeting critical national infrastructure, but anything below that level, that’s kind of okay, as far as the Russian government, for example, is concerned. That makes it extremely difficult for law enforcement to do anything other than taking down virtual infrastructures of these gangs, which, of course, is a rather more limited threat than putting people behind bars.

04:47
Dominic Bowen
Yeah, very much. I think we’ll explore that in our conversation today. Over the last decade, I think cyber risk has been sitting at the top of most companies’ risk registers and so much so that I think over the last decade, there’s been significant levels and amounts of capital expenditure and investment that cybersecurity, and the risk mitigation around our information security, is so high. I actually often advocate that other risks need a greater focus and other risks are actually more material to many companies today.
But from your research, help us understand how big, how should we quantify or qualify the risk of hacking and ransomware today?

05:28
Anja Shortland
So ransomware is just one of many cybercrime problems. So there’s all the fraud business, there is theft, but ransomware is quite a big business model. It’s difficult to estimate how big exactly it is, I’ve seen figures of around 75 billion US dollars last year in terms of the total losses from it. It’s not a very efficient crime, in the sense, that the ransomware gangs who are behind the attacks only managed to get about 900 million out of that massive damage that they created. It’s a big problem because of business interruption, about third-party liabilities, about mitigating the risk to people of losing confidential data.
There is a lot of stuff that goes on behind the scenes in the recovery stage. Companies have got so much better, or large companies have got so much better at becoming more secure and more resilient. But this is also something that hits the public sector. It happens to universities, it happens to schools, it happens to hospitals, it happens to councils, it can happen to water companies, anybody who’s not at the cutting edge of cybersecurity, for whom cybersecurity never makes it to the top of the list. What’s really important for me, and why I wrote this book, is that a lot of people think that cybersecurity is something that they can outsource to a cybersecurity department that sits somewhere and, if they don’t pick up that you’ve got a stupid password, then it’s their problem. I’m saying, no, it’s all of our problem. We make individual decisions, but in the end, it’s about collective security.

07:14
Dominic Bowen
Let’s have a look at Sweden, where I am today. Now, last year, there were more than 200 Swedish municipalities, so local government offices that were affected after a single breach by an IT supplier, and this put huge amounts of sensitive data at risk. That was just the latest in a really long list of incidents in what is ultimately a very tax-heavy country. In 2019 in Sweden, 2.7 million encrypted call recordings. That was nearly 200,000 hours of sensitive health and medical discussions that were released. In 2022, telehealth provider, Kry, which is the largest telehealth provider in Sweden, leaked patient and doctor contact data onto Facebook, and in 2024, a Swedish municipality was victim to hackers who stole over 200 gigabytes of personnel files and contracts. So many different types of hacks, so many different types of victims and information that was released. Can you help us understand the different motivators of hackers? Because they’re not all after the same thing, are they?

08:14
Anja Shortland
Most of the hacking that I’m looking at is profit motivated, so this is locking up data to get into an extortion situation with a company or a non-governmental organization, or a council or a hospital. What they’re interested in is to sell the victim one of two things, or perhaps both.
The first one is they’ve locked up the data, they’ve encrypted it in a way that it’s impossible for the victim to solve the puzzle without getting a decryption key from the hackers. You can get around that by having really good backups and just say, thanks, but no thanks, I don’t need to decrypt the data because I can reload everything that we had.
Quite a lot of companies have been really good at increasing their resilience to that kind of attack. So a new generation of ransomware responded to that and said, yes, you might not need our help with the decryption, but we’ve got a leak site, and on this leak site we’re going to post that we have breached you.
So if you don’t want that breach to become known, you better get going. This is what we have, these are the confidential files that we have. Do you want to keep that private, or do you not?
In my book, I cover an attack on a US company called Planned Parenthood, and you can imagine that they’re in a lightning rod position when it comes to US politics around reproductive choice. If your patient records are at risk, then you really do listen, even if you could restore everything from backups.
So double extortion was a way of giving the ransomware model a second life after really good investment in cybersecurity around backups.

10:07
Dominic Bowen
It’s quite interesting, you use the word ‘impossible’ once your information has been encrypted, and there’s still a lot of conversation amongst companies and government actors about should we or should we not pay a ransom? In your book, did you look into the actual options if a company or a government agency decides that they’re not going to pay the ransomware, the sort of challenges they have? But also likewise, even if they do decide to pay the ransomware, the sort of challenges that they’re going to face around criminality, about actually raising the money, about transferring the money.

10:36
Anja Shortland
Yeah, quite a few companies decide that they don’t need to engage with the hackers on decryption because they’ve got good backups, or like the British Library in the UK, they decided, actually, we might as well go back to the card catalogue.
Yeah, not everyone pays, and in fact, about 75% of breached organizations now don’t pay, but it’s not that difficult to breach. Therefore, there’s still 25% of companies that do and the hackers tend to sniff around the servers for a while, and they know quite a lot about your profit and loss accounts and how much cash reserves you have. Perhaps they’ve even found the insurance certificate and then they just take that. So to me, in the book, I’m really examining that sort of problem where you think, yes, you do want to have a really cool plan for how you create a recovery, especially if you’re an insurer and you’re on a hook for the losses, you want to make those losses as small as possible. But on the other hand, if you just throw money at the problem, yes, it goes away for your client. But as you pointed out, it creates problems for others. If you relieve the criminals of any responsibilities for the rebuild because you’ve got wraparound care for your customers, what are they going to use that time for? Probably running more attacks.

11:54
Dominic Bowen
Of course, you mentioned earlier that some states smile on these sort of activities, and we know that many actors increasingly are mixing motivations, particularly groups tied to North Korea, Russia, Iran, India, China, have been reported to combine espionage with financial theft, with ransomware, with wiping attacks, depending on the strategic moment, depending on where they can raise and what the motivation is. Some operators also reuse criminal tooling and even impersonate other ransomware groups to try and hide state intent, which is one of the reasons that many companies, and many that fund defenders, really struggle to tell the difference between a crime and an act of conflict. Can you tell us about the links between state-based actors, state-backed actors and state-sanctioned hacker groups, and what’s the difference between them and does it even matter?

12:40
Anja Shortland
If you’re the victim, it probably doesn’t really matter, you’ve got a big problem already. If you’re trying to make a ransom payment to a proscribed organisation, then of course that is illegal, so that removes some options.
In my book, I discuss countries where hacking is organised almost like a government department. Not really sure whether it sits in the Department of Defense or the Department of Trade, because getting Bitcoin from ransomware attacks is one way of evading sanctions. For example, in North Korea, kids are essentially trained from a young age to be part of the cyber task force. It’s almost not seen as cybercrime, even though theft and extortion are crimes, because they’re doing it as civil servants.
Then you have the Russian model. There’s a book by Max Smeets on the Conti group, where leaked internal chats showed how the group operated. He described them as looking like a badly run internet startup, and that’s exactly what they are. There is no real need to hide, you can have an office, meet staff, and operate more openly.
The more state backing there is, the more leniency and cooperation these groups receive, and the easier it becomes to solve the basic problem of running a cybercriminal organisation with people you don’t know.

14:05
Dominic Bowen
And that division of labour, the fact that it’s a recurring service, the fact they’ve got multiple distribution channels, they’re reinvesting their profits in operations and that really almost professionalised supply chain of extortion is probably consistent with what you’ve argued that ransomware is a mature market. It’s not just this temporary crime spike.
What are the defining features that make this a real industry as opposed just to another type of crime?

14:29
Anja Shortland
So one of the big problems, and you already hinted at this, is that trust paradox where you’ve just been victimised by somebody and they say, only I can set things right and you need to give me some money.
If that worked as a business model, then we can all do it. I can just send you an email and say, Dominic, I’ve just taken you hostage and only I can do this. You don’t know whether I’m any good at encryption. You don’t know whether I’ve actually taken you hostage or whether this is just a piece of scareware.
So for people to really make money from it and for victims to pay, you’ve got to develop a reputation. You’ve got to develop a brand.
And then you say, OK, I’ve been hit by LockBit. I better listen up. If it is LockBit, then you look on the FBI website and they say, well, if you can’t rebuild, then pretty much you’ve just got to do it. You’ve just got to pay the ransom. So a reputation is super valuable. But on the other hand, not that super valuable because sometimes it might just be better for you to break your word. So we had this exit scam with ALPHV where they had breached a major US healthcare provider and insurer. They’d got a $22 million ransom.
The way the affiliate model runs is that if somebody can breach a company, they get 70, 80 or even 90% of the proceeds. But if it’s 22 million and your employee doesn’t know who you are, do you really want to give 90% of 22 million to somebody you don’t know? In the case of ALPHV, they decided that they weren’t, and they just decided to ditch the brand and then turned up with ransomware that looked very similar, with a different new name.
So reputations are worthwhile, but reputation can also be ditched. You can start from scratch. It looks like a landscape with lots of firms, but if you keep taking pictures of that landscape, it’s constantly evolving. There are people disbanding, there are new people coming up, new names, brands that overreach, that breach too many and then weren’t able to rebuild, etc.

16:38
Dominic Bowen
Very interesting, and I’ll take this opportunity, Anja, to remind our listeners that if you prefer to watch your podcasts, the International Risk Podcast is always available on YouTube. So you can look for us on YouTube, search for the International Risk Podcast, and you’ll find us there, and please do subscribe and like our content. It really is important to us.
Now, Anja, your research often looks at what happens when states cannot reliably provide order. I’m wondering if ransomware is basically a digital version of the same governance problem that you and I discussed back in 2021 around kidnapping and piracy because it really draws the links for me around weak enforcement, a private negotiation that you just talked about, and these informal rules about filling a vacuum when a state doesn’t provide services, doesn’t provide security, doesn’t provide assistance when something goes wrong.
Have you seen in your research when you’re looking at these different areas from piracy to looted and stolen art to ransomware, are you seeing a commonality around the frameworks, and when states aren’t providing that order that really they’re expected to?

17:41
Anja Shortland
Yes, indeed. That’s what fascinates me about this question about what fills that gap where normally you think there is going to be some third party enforcement if your contracts don’t come right, if your service provider does not deliver what they have promised. If there’s a blank slate and the state is not on your side and you have to hide your transaction, then that space gets filled with all sorts of interesting institutions and people, problem solvers. What I also see, which for an economist is super interesting, is the role of insurance in filling that gap.
So what you have in all of these cases is insurance companies that are on the hook for potentially very large losses. Losses that are in all cases multiplied by victims who don’t know what they’re doing, who have a tendency to throw money at the problem. So often insurance companies step into this space and say, OK, we’ve insured you for cybercrime. If something happens, all you need is to call this one number. You don’t need to curate a response with your head done in by the fact that your company is hemorrhaging money. All you need is to call this one number, and you can see that this is actually a really attractive product, even if the insured amount is minimised. But nonetheless, you want the one number. You don’t want to be at the end of everybody’s list when it comes to solving your problem.
With that number, you’re put in touch with a privacy lawyer, the computer security, the forensics, the PR, everything is taken care of, the ransom negotiation. I don’t know how many people know how to source 4.2 million worth of Bitcoin within 72 hours. You probably want a specialist for that. So it’s that wraparound care package that exists for those who are insured, and then there are all sorts of providers who mimic that if you’re not insured. So yes, it’s a very busy, interesting ecosystem.

19:59
Dominic Bowen
It’s quite interesting, I often underestimate that still. Obviously, my full-time occupation is a strategic advisor and a risk advisor to companies all across Europe. My preferred work is to work proactively, to work with companies and government agencies to minimize the outcome of risk. But it’s interesting, when we look at our budgets and our forecasting and our performance, what we invoice the clients. It’s amazing how much clients will actually pay just to have access to me and my colleagues, how much my employer actually charges just to give them that phone number so that when there is an emergency, when there is a crisis, they can call Dominic Bowen or they can call one of my colleagues. It’s quite interesting how much companies are willing to pay for that instead of paying for the preparatory work or ideally the best companies will pay for both. But I always find that really, really interesting.

20:43
Anja Shortland
Often with insurance, they also push you towards that and say, can we see what your plan B is? Can we just walk you through what would happen if? Can we just have a scenario? Can we just play this through in the boardroom?
It’s been super interesting to have Kidnap for Ransom and the ransomware side by side and my unholy trinity of extortive crime, because with art theft and particularly with Kidnap and Hijack for Ransom, you have a super concentrated market at Lloyd’s of London where the insurers can set very tight protocols. These are the norms. This is what you need to do if you want to have this kind of insurance. We expect you to do A, B, C, D, etc., and this is how you resolve it.
With cyber insurance, the clue’s already in the name. This is cyber insurance. This is not ransomware insurance. This is not some bespoke product. It’s a product that was developed all over the world. For all sorts of problems of which ransomware at the first was only the tiniest part of any. So all the protocols were designed around different kinds of cyber mischief and threats. We don’t have a group of people like we had with Kidnap for Ransom that sat down and said, well, how are we going to deal with this problem collectively? But every insurance company said, how are we going to minimise our losses?
So what is individually rational, which is to throw money at the problem, of course, creates this massive collective problem.

22:12
Dominic Bowen
As we discussed at the start of the episode, Anja, the European title of your book, ‘We Know You Can Pay a Million’, I think is brilliant because it really captures the attacker’s logic. They’re not just asking who is vulnerable, but they’re asking who can pay, and I think that sophisticated selection of victims is really important. I know even just at the International Risk Podcast, if we do an episode that might be seen as negative towards Russia or negative towards Israel, I know for the next week, there’ll be attempts to hack our website just consistently that the week that those episodes are released. But ultimately, they also know that the International Risk Podcast doesn’t have a lot of funds. So usually that hacking dies off relatively quickly.
But I’m wondering, for companies that have the ability to pay a million in ransom, how sophisticated is that victim selection and what are the signals that ransomware groups are looking for to decide who is worth targeting?

23:04
Anja Shortland
I’m not sure that the decision-making process is at the targeting stage. So that is just the phishing email. And then once you’re in, you have a sniff around. They see what’s there. They look at your accounts. They can look at everything. Often they spend two, three, four days in the servers. And that’s also an opportunity for companies to realise that something fishy is going on and close down their servers before the problem really starts. So there’s usually a period before the encryption starts because they’re looking around. And it’s not that they target the ones that can afford a million, but they can say, oh, we know that you can afford 1.4 million, and that’s exactly what we’re going to ask you for.
Sometimes they just get it wrong, they don’t know how much to ask for, they misjudge something. One of the things that I cover in my book is the attack on the Royal Mail, where they thought they had the entirety of the British postal system at their mercy, but in fact they’d only got a smaller part of the enterprise, which was a parcel distribution centre at Heathrow. They said, oh well, we think you can pay 80 million. And said, no, we’re just this tiny part. We’re not going to pay 0.5% of the value of a parent company to save this little division. So it’s a ransom negotiation that went nowhere. So sometimes they get it wrong. But often they pitch it exactly right because they don’t have time. They don’t want to spend five weeks negotiating. They just want to take the money and run the next series of attacks.

24:41
Dominic Bowen
Now, and I find that when boards and executive teams are discussing ransomware, the conversations are generally very shallow. There’s a reliance on what the chief information officer or the chief information security officer says, and there’s very little questioning, often because no one wants to look stupid in front of their peers or ask a question that might show their ignorance, which I think is a real shame because it means that CIOs and CISOs are very rarely challenged at the executive or board level about the actual threat landscape or about the company’s genuine vulnerabilities. But from your research and the conversations you’re having, what is it that business leaders and even our political leaders, what are they getting wrong about the economics of extortion, about the negotiation and about the recovery efforts?

25:25
Anja Shortland
One of the big problems is about collective versus individual interests here. So we’ve never had that collective approach to this problem. Everyone is thinking about how can we get online again within the shortest period of time, how much is it going to cost us to rebuild, how much is it going to cost us to decrypt with the criminal’s help. And you make that calculation and find it’s going to cost you three times as much to rebuild from backups. And therefore you go and buy the decryption key.
But of course, that creates problems for everyone else down the line, because if a quarter of firms pay, then that still makes this one of the most lucrative forms of cybercrime. And we’re just not getting rid of the threat. I really hope that people will understand more about that landscape and how we as willing victims are very much part of that ecosystem. We are the substrate in which all of this grows. I really want politicians to get involved in talking about what is a good stance, how can we become more secure, how can we become more resilient.
To me, that starts with the individual who decides what they want to put online, whether they’ve got a backup plan. It’s all of these little things where I want to empower people to make slightly better decisions. So many things could be prevented just with a little bit better cyber hygiene.

27:09
Dominic Bowen
And one of the big stories is that Anthropic, it’s explicitly pushing Claude into vulnerability discovery and defensive code review. And in February, the company said that Claude had found over 500 vulnerabilities in production, open source code bases, and that launched Claude Code Security as a limited preview for defenders. In early April, Anthropic announced that Claude Mythos, saying it would help a small set of major companies fix and find weaknesses in their critical software, and I think that really matters to international risk because it suggests that these frontier models of AI are moving from coding assistance into security assistance, which initially is a great story. It’s something we should all be really excited about.
But of course, the upside is faster discovery of bugs, fantastic for the defenders. These are the same capabilities that attackers want, that attackers are analyzing. They’re looking at code, looking for exploits, looking to generate more convincing malicious payloads.
So what’s your read on the current situation? Is this just marketing or is this generally something that we need to be worried about? How do you read that current dialogue around these different AI models and their ability to save us or destroy us with their ability to identify gaps?

28:24
Anja Shortland
I’ve been looking at the history of ransomware from 89, but particularly from 2013 and it’s always been this race between attackers and defenders. All these mutations of ransomware over time are responding to new capabilities, new weaknesses, new ways of discovering the weaknesses.
So, to me, yes, it will probably be the next chapter of the updated version. It will need to be. I’m extremely concerned about this, and yes, great banks are going to get this. They’re going to get a chance to upgrade their systems, but what about Hackney Council in London? What about Thames Water?
Even if they knew that there was a weakness, would they even understand the output of this model? So given that there is so much that is vulnerable, and given how fast these systems operate, I think criminals will be able to find weaknesses much faster than our general ability to fix them.

29:27
Dominic Bowen
Yeah, there’s a common graph I draw on the board for clients when I’m describing the differences as to the maturity and the speed of learning and making changes that government agencies have compared to corporate actors who have pressure from board members and shareholders. Then the difference between non-state actors and organized criminal groups who have zero restraint, zero boundaries, and how much faster they make changes and how much faster they can. It’s always that difference between the three, between the criminals and corporate actors and corporate actors and state actors, including our security services, that leaves us really vulnerable, and I think I certainly agree with you, Anja, and just to wrap up the conversation, when you look around the world, Anja, out of all the risks, and of course, you’ve got a fantastic background and everything from piracy off the coast of Africa to lost and stolen art across Europe and now ransomware run around the world. But there’s so many more. What are the international risks that concern you the most?

30:19
Anja Shortland
Well, with cybercrime, it’s probably my main concern at the moment, and what we’ve been relying on in this world since 2021 has been a consensus that cybercriminals should not be targeting critical national infrastructure. So we had that slightly accidental attack on the Colonial Pipeline in 2021, which the US president had a chat with the Russian president and they agreed that civilised states do not shelter criminals that attack the US critical national infrastructure. So I was most upset when the American president a few weeks ago said, well, of course we can attack critical national infrastructure as part of our war. Given that Iranian hacktivists can easily find weapons-grade malware in the darknet, if they can find access and if they have Claude to find access, they do not need B2s and B52s to bomb Western civilisation back to the Stone Age. They can just switch off the lines.

31:27
Dominic Bowen
Yeah, very concerning indeed. So thanks very much for exploring that. Well, I really enjoyed our conversation today, Anja.

31:33
Anja Shortland
Yeah, me too. Thank you so much for asking me back on your pod.

31:37
Dominic Bowen
Well, that was a great conversation with Professor Anja Shortland. She’s the Professor of Political Economy at King’s College in London and I really enjoyed our conversation today where we examined the international risk of hacking through the lens of a new book under the European title, ‘We Know You Can Pay a Million: Inside the Dark Economy of Hacking and Ransomware’. And in the US, under the title ‘Dark Screens: Hackers and Heroes in the Shadowy World of Ransomware’.
Today’s podcast was produced and coordinated by Ella Burden. I’m Dominic Bowen, your host. Thanks very much for listening, we will speak again in the next couple of days.

32:09
Elisa Garbil
Thank you for listening to this episode of The International Risk Podcast. For more interviews and articles visit theinternationalriskpodcast.com. Follow us on LinkedIn, BlueSky and Instagram for the latest updates and to ask your questions to our host Dominic Bowen. See you next time.
