Ransomware: How attacker's effort, victim characteristics and context influence ransom requested, payment and financial loss


In recent years, ransomware attacks have led to disastrous consequences for victims, not just due to the payment ransom amount but also due to the recovery costs associated with these attacks. So far only a few empirical studies have analysed the financial impact of ransomware attacks. This study aims to understand the expected financial gains for attackers and financial losses of victims after a ransomware attack. To do so, we build a dataset based on 453 ransomware attack investigation reports in the Netherlands reported to the Dutch Police between 2019 and 2022. Using rational choice model of crime (RCM) and crime scripting we hypothesise that the effort of an attacker, victim characteristics and context variables influence not only the ransom requested by an attacker but also the financial losses reported by victims. We use generalised linear models to evaluate and quantify this influence. Our results show that attacker's efforts such as using Ransomware-as-a-Service (RaaS) and victim characteristics such as industry sector, contribute to the ransom requested by attackers and financial losses reported by victims. We also show that the availability of recoverable backups explains the likelihood of victims paying the ransom. A limitation of the present study is the interpretation of the results due to selection bias of victims willing to report to the police. Despite this limitation, we argue that our methodology and results lay the groundwork for future large-scale empirical studies and add to our understanding of attacker and victim behaviour.

Symposium on Electronic Crime Research, eCrime 2022