Wildfire is a variant of ransomware—the rapidly growing phenomenon where attackers trick people into clicking things they shouldn’t, then encrypt files or whole drives on their computers and demand payment for decrypting them.
This particular variant has been targeting victims in the Netherlands and Belgium, with spam emails written in perfect Dutch and sent in the name of a dummy transport company that uses a Dutch web address.
Around 5,300 people were successfully targeted in just one month. The emails told them they had missed deliveries and needed to fill in a form to schedule a new delivery. The form was rigged to infect the victims’ computers.
Victims were told to pay 1.5 bitcoins, or around $870, to rescue their files. In reality, the companies said, most victims were able to bargain down to 0.5 or 0.6 bitcoins.
Intel and Kaspersky worked with the Dutch police and the European Cybercrime Centre to develop the decryption tool that is now available for free download. They also managed to take down the servers that were pumping out the spam.
Intel and Kaspersky noted that Wildfire was programmed not to infect people in eastern European countries, making it likely that people from that region were responsible—and keen not to get the local authorities on their case.
Because they were able to get at the criminals’ servers, the companies and cops were able to establish that the operation was pulling in just under $80,000 a month. That’s just from targeting a pair of pretty small countries.
Meanwhile in the U.K., cybersecurity companies SentinelOne and NCC Group made a bunch of freedom-of-information requests and found that universities and hospitals were regularly being targeted.
Bournemouth University (this writer’s alma mater, as it happens) was targeted 21 times over the last year, but said it had successfully resisted the attacks. That’s not surprising, given that it houses a major cybersecurity unit.
Of 60 National Health Service trusts that responded to questions about their experiences, 28 said they had been attacked and 31 said patient confidentiality stopped them from being able to comment. Just one said it had not been targeted.
However, the success of the ransomware model also encourages the criminals using it. Recent research suggested almost two-fifths of businesses in the U.S., Canada, the U.K. and Germany have suffered ransomware attacks in the last year.
It’s no surprise that law enforcement and the security industry are fighting this growing trend as hard as they can.