And on the flip side, compensation plans that encourage people to stay to arbitrary dates are probably a mistake.
That's where I'm at today. There's a lot of money resting on my staying at a company for a year. I don't feel like I've been working effectively with the culture or team, and I'm pretty sure both me and the employer would be better served by my leaving, except the financial incentive, sunk cost, and avoiding having a "I worked here for only 6 months" on my resume is enough to justify me staying an extra 6 month.
Potentially not coincidentally "percent of engineers who stay a year" is one of the key metrics of the team that sets up the compensation structure...
I get the impression you're taking what you know of attacks against consumers, and just assuming that attacks against large organizations work the same way. They (generally) don't.
With a consumer attack it's get execution on a computer, encrypt some files, and ransom them back. This might earn a few hundred dollars per computer, and isn't worth putting a whole lot of effort into any individual.
At a corporate level it's get some level of access, use that access to get control of a whole lot more access - and also to get control of servers that actually matter instead of users workstations that mostly don't. Maybe try and delete the backups, often exfiltrate a bunch of data, then encrypt things. If you exfiltrated the data the ransom potentially includes not just the offer to decrypt things but also a promise not to distribute the exfiltrated data.
This is all reasonably high touch "work". They've got to figure out how to move laterally inside that specific companies network. They've need to figure out what data is actually important (especially if the goal is to sell it). And so on. Unfortunately it appears to pay well enough to justify the effort. Companies are routinely paying millions of dollars in ransom.
I don't have stats to back this up (internal or otherwise), but my impression is that most successful attacks against enterprise targets are phishing attacks targeting employees to steal credentials.
Why hospitals? They have lots of money (same as any big organization) and a very good reason to pay up. It would be far from the first time a hospital was attacked. It wouldn't even by the first time it directly resulted in a death [0]. Unfortunately ransomware operators aren't very ethical.
Considering the timing it could also be geopolitical unfortunately, people dying from a ransomware attack could substantially raise the general tension level in the US.
Lots of high value malware is actually targeted. Things like running phishing campaigns to try and steal credentials from someone inside the institution.
It's substantially less likely, especially if you don't buy the geopolitics angle, but potentially these criminals even have some unpatched vulnerability in a common deployed piece of software, which would allow them to skip the phishing part entirely.
That's where I'm at today. There's a lot of money resting on my staying at a company for a year. I don't feel like I've been working effectively with the culture or team, and I'm pretty sure both me and the employer would be better served by my leaving, except the financial incentive, sunk cost, and avoiding having a "I worked here for only 6 months" on my resume is enough to justify me staying an extra 6 month.
Potentially not coincidentally "percent of engineers who stay a year" is one of the key metrics of the team that sets up the compensation structure...