What makes ransomware victims less likely to pay up?
There’s a good reason why ransomware gangs started exfiltrating victims’ data instead of just encrypting it: those organizations pay more.
University of Twente researcher Tom Meurs and his colleagues wanted to know which factors influence victims to pay the ransom or not, and which factors have an effect on the ransom amount organizations end up paying.
Based on the data provided by the Dutch National Police and a Dutch incident response organisation on 481 ransomware attacks between January 2019 and January 2023, they discovered that “cases involving exfiltration of data result in a higher probability of payment, as observed in 40% of such incidents, compared to 25% when no data exfiltration occurs.”
“Additionally, the average amount paid is substantially larger, approximately 1.2 Million euros when data is exfiltrated, as opposed to 89,407 euros when no data exfiltration is confirmed,” they noted.
Other crucial findings
The researchers found that the decision to pay depends on whether the victim organization has backups and whether it has hired an incident response (IR) company to deal with the attack.
Victim organizations that have recoverable backups were 27.4 times less likely to pay off ransomware attackers than those without recoverable backups.
“Additionally, our analysis showed that companies consulting the IR company were more willing to pay, as they sought guidance and expert assistance in recovering from the ransomware attack,” they pointed out.
Data exfiltration, insurance coverage and the yearly revenue of the victim, on the other hand, are factors that affect the ransom amount a victim will pay (if they decide to pay).
“Having insurance results in ransoms that are 2.7 times larger, data exfiltration corresponds to a 4.4 times increase in the ransom, and each 1% increase in a victim’s yearly revenue causes a 0.12% rise in the ransom paid,” they discovered.
To reduce the profitability of ransomware attacks, Meurs and his colleagues say policy makers and law enforcement should consider:
- Emphasizing the importance of having recoverable (offline) backups and urging companies to conduct ransomware attack simulations
- Encouraging companies and cyber insurance companies to pay less (if the victim org decides to pay)