Ransomware Economics: A Two-Step Approach To Model Ransom Paid.

Ransomware poses a significant and pressing challenge in today's society. Mitigation efforts aim to reduce the profitability of ransomware attacks. Nevertheless, limited research has analysed factors that influence the size of ransom and willingness of businesses to pay a ransom. This study aims to address this existing gap by conducting an empirical investigation that focuses on the ransom paid by victims. Extending on past research, we analyse 382 ransomware attacks reported to the Dutch Police and/or handled by an Incident Response (IR) company. One challenge of modeling ransom payments is the large proportion of victims who did not pay, which leads to zero-inflation. We tackled this problem by employing a hurdle model, which effectively deals with zero-inflation by capturing ransom paid as a two-step decision-making process: first, victims decide whether to comply with the ransom demands, and if they choose to do so, they then need to determine the acceptable ransom amount. The results indicate that the presence of backups and the decision to go to an IR company play a pivotal role in the decision whether to pay the ransom or not. In addition, our findings identify insurance coverage, data exfiltration, and annual revenue of the victim as key determinants affecting the ransom amounts. Specifically, having insurance results in ransoms that are 2.8 times larger, data exfiltration corresponds to a 5.5 times increase in the ransom, and each 1% increase in a victim's yearly revenue causes a 0.12% rise in the ransom paid. In concluding our paper, we present practical policy recommendations that take into account the two crucial decision-making steps outlined in our study, focusing on data exfiltration and insurance.