University of Twente has investigated the decision-making processes of victims forced to pay ransom following ransomware attacks. UT researcher Tom Meurs and his colleagues analyzed data provided by the Dutch National Police and a Dutch incident response organization on 481 ransomware attacks.
They were able to show that organizations with recoverable backups were better able to avoid having to pay ransom. Data exfiltration led to higher ransom amounts paid. That was also the case for organizations insured against ransomware attacks. The paper is available as a preprint.
The researchers used a two-step system: First, the victims decided whether or not to pay the ransom. Second, in the event they did decide to pay, they determined the amount to be paid. “Because we assess the two steps at the same time, the results are more reliable than previous scientific research into ransom payments.”
The investigation into 481 ransomware attacks submitted to the team by the Dutch National Police and a Dutch incident response organization has yielded a number of important insights. Insurance led to paid ransom amounts that were up to 2.8 times higher, without influencing the frequency of payments. Data exfiltration led to paid ransom amounts that were up to 5.5 times higher, without influencing the frequency of payments. Organizations with recoverable back-ups were up to 27.4 times less likely to pay the ransom compared to victims without recoverable back-ups.
“The insights emphasize the importance for policymakers to focus on areas such as data exfiltration, the role of insurance, and the promotion of recoverable back-ups. The implementation of recoverable back-ups is an effective technological strategy that helps stop criminals from removing back-ups while they infiltrate your systems,” say the researchers.
Paper: ris.utwente.nl/ws/portalfiles/ … ime2023vPREPRINT.pdf