When a company pays a multimillion dollar ransomware blackmail demand, where do you think the money goes?