nurettin 3 days ago
> They asked what is the most money that can be extracted in just a few hours in an automated fashion (no time to investigate targets manually one at a time) and crypto is the obvious answer.

A decade ago my root/123456 SSH password got pwned in 3-4 days. (I was gonna change to certificate!) Hetzner alerted me saying that I filled my entire 1TB/mo download quota. Apparently, the attacker (automation?) took over and used it to scrape Alibaba, or did something with their cloud on port 443. It took a few hours to eat up every last byte. It felt like this was part of a huge operation. They also left a non-functional crypto miner in there that I simply couldn't remove. So while they could cryptolock, they just used it for something insidious and left it alone.