Ransomware is widely regarded as one of the major online threats, yet there is limited insight into the scale of ransomware victimization among citizens and entrepreneurs. In addition, more knowledge is needed about how victims respond to ransomware attacks: whether they negotiate and/or pay the ransom, whom they report the incident to, and which factors are associated with these decisions. This study analyzes the factors that contribute to negotiating, paying, and reporting among Dutch citizens, freelancers, and small and medium-sized enterprises (SMEs).

Problem Statement

How often do Dutch citizens and businesses fall victim to ransomware, how do they respond in terms of negotiating, paying, and reporting, and how does this relate to the advice provided by public and private organizations that support ransomware victims?

Research Methods

  1. A survey among Dutch citizens (n = 856) and entrepreneurs (n = 188) who have been victimized by ransomware, focusing on the incident, its impact, and decision-making behavior.
  2. A survey among Dutch citizens (n = 4,082) and entrepreneurs (n = 2,501) not victimized by ransomware, focusing on their willingness to negotiate, pay, and report in a fictional scenario (vignette).
  3. Interviews with law enforcement, cybersecurity experts, and IT service providers (n = 10).
  4. An expert meeting.

Duration

May 2023 to May 2025 (completed)

Results

The results show that approximately 4.5% of citizens and freelancers and 11.5% of SMEs have been victimized by ransomware at some point. For some victims, this resulted in financial or emotional consequences, including feelings of unsafety. None of the citizens or freelancers, and only a few entrepreneurs, negotiated after an attack, although non-victims were more willing to do so in a fictional ransomware scenario. Most respondents did not pay the ransom, partly due to a lack of trust in regaining access after payment or for ethical reasons. Factors such as the ransom demand, having a backup, the threat of data leakage, and advice to pay also played a role in the decision to pay, although differences exist between groups.

Although the majority of non-victims indicated they would contact the police in a fictional ransomware scenario, fewer than one in three actual victims did so. Many sought help from another party, such as a cybersecurity company. Reasons for not contacting the police included resolving the problem independently or with the help of another party, and the belief that the police would not be able to help. In addition, citizens’ willingness to report was related to the ransom demand and advice to pay. Based on these findings, the study provides points of reference for preventing or mitigating the consequences of ransomware attacks, and the role of the police and other public or private parties in doing so.

Funding

This research was funded by Politie en Wetenschap.

Contact

Sifra Matthijsse: [email protected]
Susanne van ’t Hoff-de Goede: [email protected]
Rutger Leukfeldt: [email protected]