What influences a ransomware victim’s decision to pay? A Dutch researcher delves into this question, examining data from national police and incident responses spanning the past four years.
The study, led by Tom Meurs, a cybercrime researcher at the University of Twente, scrutinized 382 ransomware attacks reported to Dutch police and data from nearly 100 incidents provided by an incident responder. The majority of cases involved companies in the Netherlands, the world’s 18th-largest economy. The study highlights several factors:
- Third-Party Incident Response Firms: Companies engaging with a third-party incident response firm display a higher willingness to pay extortionists.
- Insurance Coverage: While having insurance correlates with paying a higher ransom, it doesn’t necessarily increase the likelihood of paying initially. Companies with insurance paid significantly higher average ransoms, suggesting a potential moral hazard or the influence of ethical considerations.
- Data Exfiltration: In cases where ransomware actors exfiltrate data, companies are more likely to pay ransoms. Exfiltration leads to payments in 40% of cases, with averages exceeding €1.2 million.
- Backed-Up Data: Companies with backed-up data are less likely to pay a ransom. However, when they do pay, their average payment is higher than that of companies without backups, potentially linked to the perceived value of data.
- Sector Variations: Despite having high backup rates, the information technology sector is a prime target for ransomware and pays an average of over €268,000. The explanation lies in the sector’s critical role in providing infrastructure and services to numerous clients, which increases the leverage of ransomware groups.
In the period from 2019 to 2022, 28% of 430 victims reported paying a ransom, with an average of just over €431,000 and a median of €35,000. Understanding these dynamics provides valuable insights into the complex decision-making processes of ransomware victims.