The Ransomware Pricing Paradox: An Empirical Study of the Six Stages of Ransomware Negotiations

Tom Meurs, Anna Cartwright, Edward Cartwright, Harold Houba and Daniel Woods
Additional contact information
Tom Meurs: Dutch Police
Anna Cartwright: Independent researcher
Edward Cartwright: De Montfort University
Harold Houba: Vrije Universiteit Amsterdam and Tinbergen Institute
Daniel Woods: University of Edinburgh

No 25-052/VII, Tinbergen Institute Discussion Papers from Tinbergen Institute

Abstract: Ransomware has become the most common cyber risk for businesses. The rise is not driven by attackers using innovative attacks, but instead by deteriorating negotiation outcomes. The average payment grew by almost 20,000% since 2018. However, it remains unclear why attackers can demand ever higher ransoms. Our study explores potential explanations: lack of backups, cyber insurance, access to incident response (IR) firms, data exfiltration, and negotiating style. We model negotiation as a six-stage model: attacker intent, victim engagement, discount offer, discount magnitude, payment decision, and re-extortion. We test hypothetical explanations for ransom outcomes using two datasets: (1) 481 police-reported incidents (2019–2023); and (2) 237 negotiation transcripts from 23 ransomware groups.

JEL-codes: C7 D22 D9 (search for similar items in EconPapers)
Date: 2025-10-14
References: Add references at CitEc
Citations:

Downloads: (external link)
https://papers.tinbergen.nl/25052.pdf (application/pdf)

Related works:
This item may be available elsewhere in EconPapers: Search for items with the same title.

Export reference: BibTeX RIS (EndNote, ProCite, RefMan) HTML/Text

Persistent link: https://EconPapers.repec.org/RePEc:tin:wpaper:20250052

Access Statistics for this paper

More papers in Tinbergen Institute Discussion Papers from Tinbergen Institute Contact information at EDIRC.
Bibliographic data for series maintained by Tinbergen Office +31 (0)10-4088900 ().