Ransomware operators jack up their ransom demands by a factor of 2.8x if they detect a victim has cyber-insurance, a study highlighted by the Netherlands government has confirmed.
For his PhD thesis [PDF], defended in January, Dutch cop Tom Meurs looked at 453 ransomware attacks between 2019 and 2021. He found one of the first actions intruders take is to search for documents with the keywords “insurance” and “policy.” If the crooks find evidence that the target has a relevant policy, the ransom more than doubles on average.
In double-extortion attacks, where intruders threaten to publish data stolen from the victim unless the ransom is paid, insured victims are on average quoted 5.5x more than uninsured ones.
If a company has cyber-insurance, it’s assumed the insurer will cover the ransom, especially if not paying will lead to much higher recovery and cleanup costs, damages, and subsequent claims. Thus, it’s in the extortionists’ interests to ramp up their demands, but not too much, as they see insurers as a surefire source of funding. Paying the ransom encourages the crime, however, hence officials in America and Britain pushing against the practice.
Meurs said, of the intrusions he looked into, those with insurance paid the criminals 44 percent of the time, compared to 24 percent of the uninsured. In addition, insured victims paid a lot more – an average of €708,105 ($800,000, £600,000), compared to €133,016 ($150,000, £110,000) for their uninsured brethren.
Phishing emails with links were the most common point of infection, accounting for a third of successful attacks, with spam accounting for eight percent. Malicious mobile apps are also an important vector, accounting for 13 percent of successful infections, and one in ten attacks was down to poorly patched applications or operating systems.
By far, the retail and wholesale trades were most likely to get hit, accounting for nearly 33 percent of reported infections in the data set, with an average payout of €112,793 ($130,000, £100,000). The IT sector is less popular but much more profitable, accounting for 14.7 percent of attacks but with the highest average payout of the top ten trades covered at €268,039 ($300,000, £230,000) – which makes them a very attractive target for criminals.
“I often read in chat messages that cybercriminals send to each other, or on illegal marketplaces where login details are sold, that they are specifically looking for companies from sectors that pay a lot,” the Dutch cop said.
“My research shows that the ICT sector in particular pays high amounts. Companies from this sector often supply the ICT for many other companies, which means that multiple companies are victims of a single attack. This may be why the willingness to pay is higher.”
Part of the problem of researching a topic like this is the reporting, he noted. Meurs said that only around 40 percent of ransomware attacks are actually reported to the police, although that’s better than online fraud scams, where only between 11.5 and 14 percent make it onto law enforcement’s radar.
But wait, there’s good news
There is a pretty good solution, Meurs said, and that’s to have a decent backup system.
According to the research, firms with a proper backup system were 27x less likely to pay criminals off, for the simple reason that they usually don’t need to. Even then, surprisingly, some do.
“In roughly 5 out of 100 cases in which a payment is made, victims do have the option to recover in a way other than paying, but they still choose to pay – for example to recover faster or to prevent reputational damage,” he said.
“In the remaining 95 cases, there is no other option to recover. In those cases, their entire IT infrastructure is broken and can no longer be repaired, making paying the ransom the only option to avoid bankruptcy.”
He also noted that while companies might think that they have a good backup system in place, most don’t. Meurs cited research claiming that 85 percent of backups fail to work properly, and such systems are actively targeted by the criminals the moment they get into a system. He recommends offsite backups.
“It is noteworthy that victims who lack backups generally pay lower ransoms than those who have backups that cannot be restored, with both the average ransom per attack and the cumulative amounts being lower,” he argued.
“One plausible explanation could be that businesses holding data considered valuable enough for ransom payments are generally more likely to employ backup systems, compared to those with less valuable data.”
Meurs opines that double-extortion ransomware is likely to become the dominant form of attack, by the very clear logic that it adds negligible risk to the criminal and increases the chances of a successful payout. And while Dutch payouts are trending down at the moment, that situation may change if new tactics emerge. ®