Falling victim to ransomware

Ransomware attacks have increased over the years. The aim of this study is to understand how ransomware attacks unfold and what factors are associated with the decision-making of victims.

Centre of Expertise Cyber Security

Ransomware

In recent years, the number of ransomware attacks has grown significantly. The impact on victims and society can be substantial, leading to disrupted business processes, data loss, and financial damage. There are also indications of rapid development and increasing professionalization in the methods used by cybercriminals. Developing effective countermeasures against ransomware is therefore essential. To achieve this, greater insight is needed into how both perpetrators and victims of ransomware act and which considerations play a role in their decision-making.

Objective

The objective of this dissertation is twofold. First, the aim is to create a better understanding of the way ransomware attacks unfold by examining the crime-commission process, factors associated with victimization and dynamics of victim-offender interactions. Second, the goal is to gain more insight into the factors associated with the decision-making processes and behavior of victims in relation to negotiation, payment of a ransom demand and reporting. This gives a more comprehensive understanding of the ransomware phenomenon, which can in turn inform on potential interventions to prevent ransomware attacks, mitigate the consequences of attacks and support victims.

Project Duration

2021–2025

Interim Results

So far, the research has resulted in the following publications:

  • Matthijsse, S. R., van ’t Hoff-de Goede, M. S., & Leukfeldt, E. R. (2023). Your files have been encrypted: a crime script analysis of ransomware attacks. Trends in Organized Crime.
    https://doi.org/10.1007/s12117-023-09496-z

    This publication uses a crime script analysis based on 44 court documents and 10 expert interviews. It outlines the various stages of a ransomware attack. The crime script demonstrates how the ransomware ecosystem has become increasingly professionalized. Criminal groups, for example, invest time, money, and effort in malware and infrastructure, outsource parts of the process, and sometimes even offer customer support to victims. The crime script also provides insight into facilitating factors, such as security vulnerabilities that allow access to victims’ systems or the existence of cryptocurrency mixers that facilitate money laundering.
     
  • Matthijsse, S. R., Moneva, A., Van ’t Hoff-de Goede, M. S., & Leukfeldt, E. R. (2023). Examining ransomware payment decision-making among small- and medium-sized enterprises. European Journal of Criminology, 22(4), 625-645. https://doi.org/10.1177/14773708241285671

    This study uses a survey with a vignette experiment conducted among 445 owners and managers of Dutch small- and medium-sized enterprises to gain more insight into the factors that are related to the decision to pay the ransom in the event of ransomware victimization. Findings show that the likelihood that the ransom is paid is low. While the affordability of the ransom demand seems unrelated to the likelihood of paying, being advised by a cybersecurity company to pay the ransom and not having a back-up significantly increases the likelihood of the ransom being paid.
     
  • Matthijsse, S. R., Van ’t Hoff-de Goede, M. S., & Leukfeldt, E. R. (2025). To report or not to report: Exploring the motivations and factors associated with reporting of ransomware victimisation among entrepreneurs. Journal of Criminal Justice, 97https://doi.org/10.1016/j.jcrimjus.2025.102378

    The current study uses two surveys to explore reporting behaviour among freelancers and small and medium-sized enterprises in the Netherlands. One survey was conducted among entrepreneurs who were victimised by ransomware (n=189). Another survey was conducted among entrepreneurs who were not victimised by ransomware (n=2,496) and included a vignette experiment. While about 92% of the entrepreneurs in the vignette experiment indicated that they would contact the police, only about 18% of the victims did, citing reasons such as solving it themselves or with the help of another party and the belief that the police will not do anything about it. Reporting to the police and to other organisations was related to the emotional and financial impact. There was no association between a negative affective response and situational factors such as having a back-up and reporting among victims and non-victims.

Contact

Sifra Matthijsse: [email protected]