University of Twente (UT) researchers, led by Tom Meurs, scrutinized the decision-making process of victims in 481 ransomware attacks. The analysis included data from the Dutch police and a Dutch incident response party. The researchers employed a two-step model, simultaneously estimating the victim’s decision to pay the ransom and the ransom amount if paid.
The key findings provide valuable insights into the dynamics of ransomware payments. Notably, organizations with recoverable backups demonstrated a remarkable 27.4 times lower likelihood of succumbing to ransom demands compared to those without such backups. On the other hand, having insurance was associated with a 2.8 times higher ransom amount paid, although it did not affect the frequency of payments. Another significant revelation was that data exfiltration led to a 5.5 times higher ransom amount paid, without impacting payment frequency.
These insights hold substantial implications for policymakers, highlighting the need to address critical areas such as promoting recoverable backups and managing the risks associated with data exfiltration. The study underscores the effectiveness of implementing recoverable backups as a technological strategy to thwart criminals attempting to manipulate or delete backups while residing within systems.