The UT investigated the decision-making process of victims who had to pay ransoms during ransomware attacks. UT researcher Tom Meurs and his colleagues analyzed 481 ransomware attacks, data from the Dutch police and a Dutch incident response party. Organizations with recoverable backups in particular were often better able to avoid paying ransoms. Data exfiltration led to a higher ransom paid. This was also the case for organizations that are insured against ransomware attacks.
The researchers used a two-step model: First, victims decide whether to pay the ransom or not. And second, if victims decide to pay, they determine the ransom amount to be paid. “Because we estimate the two steps simultaneously, the results are more reliable than previous scientific studies of ransom payments.”
Important Insights
Based on 481 ransomware attacks from the Dutch police and a Dutch incident response party, we arrive at a number of key insights: Insurance led to a 2.8x higher ransom amount paid, without affecting the frequency of payments. Data exfiltration led to a 5.5 times higher ransom amount paid, without affecting the frequency of payments. Organizations with recoverable backups were 27.4 times less likely to pay the ransom compared to victims without recoverable backups.
“The insights highlight the importance for policymakers to focus on areas such as data exfiltration, the role of insurance and promoting recoverable backups. Implementing recoverable backups is an effective technology strategy to prevent criminals from deleting backups while they are in your systems.”
NOTE: From the full article, this other finding on backups may seem counterintuitive at first:
“Regarding backups, it seems that having recoverable backups leads to a lower probability of payment, observed in only 11% of cases. However, the average ransom paid per attack and the total ransom paid are higher compared to scenarios with other backup conditions. It is noteworthy that victims who lack backups generally pay lower ransoms than those who have backups that cannot be restored, with both the average ransom per attack and the cumulative amounts being lower. One plausible explanation could be that businesses holding data considered valuable enough for ransom payments are generally more likely to employ backup systems, compared to those with less valuable data. The Kruskal Wallis test with null hypothesis that all backups measures lead to same r ransom paid, results in KW=49.65, df=3, p-value<0.001. This indicates that having backups leads to more ransom paid.”
During Ecrime 2023 in Barcelona, Tom Meurs’ paper received the prize for the best article .
The co-authors of the study are: Edward Cartwright (De Montfort University, UK), Anna Cartwright (Oxford Brookes University, UK), Marianne Junger (UT, BMS-IEBIS), Raphael Hoheisel (UT, BMS-IEBIS), Erik Tews (UT, EEMCS-SCS), Abhishta Abhishta (UT, BMS-IEBIS).
Source: University of Twente
via Politie.nl