Cybercriminals are becoming increasingly sophisticated in selecting their victims and determining the amount of the ransom. For example, they are targeting companies in high-paying industries and demanding more ransom if a company is insured.
This is evident from the doctoral research by Tom Meurs, cybercrime specialist with the police, after he examined more than 500 ransomware incidents between 2019 and 2023 among SMEs.
One of the most striking conclusions from the study is that companies with cyber insurance pay an average of 2.8 times more in ransom than those without insurance. Cybercriminals deliberately try to find out if a company is insured. Tom explains, "Once they have gained access to a system, they actively look for documents with names like 'insurance' or 'policy.' This additional information gives cybercriminals a better bargaining position, leading to higher ransom payments."
The study also shows that companies with a well-established backup system are 27 times less likely to pay ransom in cyber attacks. "Cybercriminals who are in a victim's network deliberately look for backups, and delete them," says Tom. "So just having backups is not enough to recover your files. It is important to have backups that cannot be modified by unauthorized people on your network. Offline backups are the simplest solution for that, but I've also seen cloud solutions come along."
Trade companies, including retail and wholesale, are the most frequent victims of ransomware (32.6% of attacks), with an average ransom amount of €112,793. The construction sector follows with 17.9% of cases, and the ICT sector is less frequently affected (14.7%), but does have the highest ransom payments with an average of €268,039.
According to Meurs, cybercriminals take a targeted approach: "I often read in instant messages that cybercriminals send to each other, or on illegal marketplaces where login credentials are sold, that companies from high-paying sectors are specifically sought."
The government, including the Digital Trust Center (DTC), advises ransomware victims not to pay a ransom. Paying does not guarantee that data will be returned or remain unchanged. In addition, it increases the likelihood of repeated extortion and encourages cybercrime. Police are seeing ransomware being used directly to buy login credentials from (new) victims.
Meurs' research shows that companies often have no choice but to pay a ransom: "In roughly 5 out of 100 cases in which payment is made, victims do have the option of recovering in a way other than paying, but choose to pay anyway - for example, to recover faster or avoid reputational damage. In the remaining 95 cases, there is no other option to recover. In those cases, their entire IT infrastructure is broken and unrecoverable, making paying a ransom the only option to avoid bankruptcy."
Police interventions play an important role in combating ransomware, but no single approach proves sufficient on its own. Above all, companies must take measures themselves to drastically reduce the chances of a successful attack.
Use properly secured or offline backups. Companies with well-established backup systems are 27 times less likely to pay ransom. Cybercriminals try to delete backups as soon as they are in your system.
Enable multifactor authentication (MFA) on all major systems.
Train employees in cyber awareness, for example about phishing and social engineering, to minimize human error.
Check how discoverable your cyber insurance is to intruders, and make sure that what they can find about it does not give them an unintended incentive to increase the ransom.
Work with the DTC and sector initiatives, and report suspicious activities directly to the police.