Who pays, and why: A researcher examines the ransomware victim’s mindset

What makes one ransomware victim more likely to pay up than another? That’s what one Dutch researcher set out to find, analyzing national police and incident response data on hundreds of cases over the last four years.

Companies that work with a third-party incident response firm are the most willing to pay their extortionists, he found. Having insurance coverage, or data exfiltrated in the attack, correlated with paying a higher ransom but not necessarily to paying a ransom in the first place.

The study led by Tom Meurs, a cybercrime researcher at the University of Twente, examined 382 ransomware attacks reported to Dutch police, as well as information provided by an incident responder on nearly 100 attacks. The vast majority of the cases involved companies within the Netherlands, which has the world’s 18th-largest economy.

Among 430 victims from 2019-2022, 28% reported paying a ransom, with the average amount just over €431,000 (about $469,781) and the median €35,000 (about $38,138).

Companies with insurance paid on average significantly higher ransoms, of €708,105 (about $771,600) compared to $133,016 ($144,940).

“Perhaps this is due to exposed moral hazard: since someone else is paying for the victim, the victim is willing to pay a larger amount,” the authors wrote. “However, exposed moral hazard would also imply a larger proportion of victims be willing to pay the ransom. Perhaps ethical considerations or partial coverage by insurance might explain this difference in our results.”

Companies with backed-up data were less likely to pay a ransom but, when they did, on average paid more than those with no backups, likely because “businesses holding data considered valuable enough for ransom payments are generally more likely to employ backup systems, compared to those with less valuable data.”

Perhaps not surprisingly, in situations where ransomware actors exfiltrate data, companies are much more likely to pay ransoms — doing so in 40% of cases, compared to one-quarter of cases not involving exfiltration. The average payment in those cases is more than 13 times higher, at approximately €1.2 million (about $1.31 million).

Companies who hired incident response firms were significantly more likely to pay a ransom, at just over half, compared with just 21% of companies who only reported incidents to the police.

Despite having a high rate of backups, companies in the information technology sector were the “most lucrative target” for ransomware actors, paying more than €268,000 ($291,800) in ransoms on average.

“One explanation is that ICT companies often provide critical infrastructure or services to numerous clients,” they wrote. “Consequently, if such companies experience downtime due to a ransomware attack, it can have a cascading impact on a large number of clients, thus providing ransomware groups with greater leverage to demand larger ransoms.”

Correction: A previous version of this article incorrectly said that data exfiltration increased the likelihood of a company paying a ransom. It increases the amount of payment but does not correlate with a higher likelihood of payment.