PhD research ransomware in the Netherlands

On January 24, Tom Meurs obtained his PhD at the University of Twente on the subject of " Double-extortion ransomware: a study of cybercriminal profit effort and risk ". Double extortion ransomware involves both encrypting data and stealing it. If the victim does not pay the ransom for the encryption, they are threatened by making the data public. Tom works at the Dutch Police, and in his research he studied data from Dutch ransomware attacks between 2019 and 2023. The central research question is about the motivations of cybercriminals, how does double-extortion ransomware affect the profit, effort and risks for attackers?

The research shows that the decision-making of cybercriminals can best be understood by analyzing their profit, effort and risks. This insight helps to better combat ransomware and for organizations to better defend themselves against it. In addition to the central research question, the research contains a wealth of information about ransomware attacks in the Netherlands. A selection from the analysis:

• 60% of ransomware attacks on medium and large organizations are not reported. This percentage is even higher for small organizations. With the reporting obligation in NIS2, the number of reported incidents is expected to increase significantly;
• Larger organizations are more likely to be targeted because they are able to pay larger ransom amounts;
• Double extortion leads to larger ransom payments, and is thus more lucrative for cybercriminals (despite the greater effort required compared to regular ransomware);
• Attacks on NAS devices usually yield smaller ransom amounts, but these attacks are also largely automated. The cybercriminal adjusts his modus operandi: lower yields and therefore higher volume and more automation;
• Furthermore, it appears that criminals can also bluff about the stolen data, which costs them little additional effort and can yield more ransom (if the victim cannot verify the claim);
• Finally, it has been shown that interventions by, for example, the police help, because they adversely affect the potential profits for criminals and increase the effort required.

‍

Likelihood of a ransomware attack

• The figures show that large companies annually have a 1.3% chance of falling victim to ransomware (approximately 1 in 75);
• For medium-sized companies this is 0.6% (approximately 1 in 160).

‍

Ransom and financial damages

• The average (financial) damage suffered from a ransomware incident is over half a million (EUR 513,534);
• There are major differences per sector, size (turnover) of the organization and whether cyber insurance is available;
• When cyber insurance is in place, companies pay up to 2.7 times more ransom because criminals know the insurance will cover the costs;
• Companies with good backups were able to limit losses;
• Having good (recoverable) backups has the biggest effect on ransoms, with these companies being 27 times less likely to pay.

‍

"The bigger the turnover of a company, the better. There are no specific reasons to choose a particular company. If there is a target, it must be attacked. It doesn't matter where the target is, we attack everyone. There is no time or need to prepare an attack on a specific target, because there is always enough work. Our targets are companies, capitalists." - recorded quote from an affiliate of ransomware group Lockbit.

‍

Tackling ransomware

The research focused on the profit, effort and risks of cybercriminals. Ransomware is lucrative because it is profitable and the chance of being caught is low. Interventions by the police, such as arresting perpetrators, taking down servers, freezing crypto assets and releasing decryption tools have a clear effect. The profitability decreases for the cybercriminal and the chance of being caught increases.

For companies, the best approach is undoubtedly to increase your digital resilience. Can you recover from an attack? In the case of Ransomware, a recoverable backup is essential. First, the backups must be made with proper frequency. Companies must also test whether the backups can be restored within a reasonable time, to help get the business going again. Cyber ​​insurance seems less effective, at least the the research shows in case insurance is in place, almost 3 times higher ransoms are paid. Coverage of consequential damage (besides the ransom payment) is of course also applicable. It seems logical to me that cyber insurers will become stricter on, for example, a recoverable backup.

This research has provided valuable insights into the motives of cyber criminals and how the police can respond to this. With the NIS2 (cyberbeveiligingswet), which will come into effect in Q3 of this year, a reporting obligation will come into effect for approximately 7,000 to 10,000 organizations. In the coming years, we will hopefully gain much more insight into cyber incidents and how we can control them. Tom Meurs has already made the necessary recommendations for follow-up research in his thesis. I therefore foresee great research opportunities at the NCSC, as a central reporting point for NIS2 cyber incidents.

‍

‍