Women and young people are “significantly more likely” to pay ransomware demands if targeted by cyber criminals, according to the first large-scale study into online extortion.
Researchers including Professor Edward Cartwright of De Montfort University Leicester (DMU) have identified a range of factors which indicate whether someone would be willing to pay a ransom demand if their photographs or documents were encrypted in a ransomware attack.
Professor Cartwright, Director of DMU’s Institute for Applied Economics and Social Value and member of the Cyber Technology Institute, said: “Our results can help inform the policy response to ransomware.
“First, it can inform awareness campaigns run by law enforcement. We’ve seen that general cyber security awareness campaigns have a relatively poor record in getting messages across. Our results suggest young people (18-35) and women were much more likely to consider paying a ransom and so we need campaigns that speak better to that audience.
“Second, we get a sense of how damaging ransomware can be. Ours is the first large-scale study into the individuals' willingness to pay ransomware and we find that between 5 and 23% of people are willing to pay. This, unfortunately, means ransomware attacks on individuals can be highly lucrative for cyber-criminals.”
The team surveyed nearly 1,800 people to get a representative sample of the UK population and asked them what they kept online. Some 79% stored photos, 47% music and 29% work documents.
Researchers asked them if they would be willing to pay a £300 ransom in the event they received an extortion demand.
They chose the £300 sum as this was the average sum demanded from individuals by CryptoLocker – an early form of ransomware that infected computers, locking up files and demanding money (usually in the form of Bitcoin) to restore access.
They found 77% said they would not pay, either on principle or because they did not trust the criminals. The 23% who would pay up were mostly female or aged 18-35. People with children and those who were more concerned about data leaks were also more likely to pay the ransom.
Professor Cartwright said: “If this proportion was applied to the general population, then it is easy to see how ransomware can be highly profitable for criminals. For instance, if there are 10,000 victims of a ransomware campaign and 20 per cent pay £300, then the criminals make £600,000. Current ransomware attacks primarily target businesses but these numbers suggest that we will see cyber-criminals also target individuals in the future.”
Posted on Monday 9 May 2022