Hostname: page-component-76d6cb85b7-lcgwf Total loading time: 0 Render date: 2026-07-16T10:38:08.480Z Has data issue: false hasContentIssue false

From ransoms to ruin: Are extortion payments by ransomware victims insurable?

Published online by Cambridge University Press:  26 November 2025

Divya Ramjee*
Affiliation:
Department of Public Policy, Department of Criminal Justice, Rochester Institute of Technology, Rochester, NY, USA
Eireann Leverett
Affiliation:
Research and Development, Concinnity Risks, Cambridge, UK
*
Corresponding author: Divya Ramjee; Email: dqrgcj@rit.edu

Abstract

Cyber risk is an important consideration in today’s risk management and insurance industries. However, the statistical features of cyber risk, including concerns of solvency for cyber insurance providers, are still emerging. This study investigates the dynamics of ransomware severity, specifically focusing on different statistical dimensions of extortion payments from ransomware attacks across various ransomware strains and/or variants. Our results indicate that extortion payments are not identically distributed across ransomware strains/variants, and thus violate necessary assumptions for solvency determinations using classical ruin theory. These findings emphasize the importance of re-examining these assumptions under empirical data and implementing dynamic cyber risk modelling for portfolio losses from extortion payments from ransomware attacks. Additionally, such findings suggest that removing coverage for extortion payments from insurance policies may protect cyber insurance firms from insolvency, as well as create a potential deterrence effect against ransomware threat actors due to lack of extortion payment from victims. Our work has implications for insurance regulators, policymakers, and national security advisors focused on the financial impact of extortion payments from ransomware attacks.

Information

Type
Research Article
Creative Commons
Creative Common License - CCCreative Common License - BYCreative Common License - NCCreative Common License - ND
This is an Open Access article, distributed under the terms of the Creative Commons Attribution-NonCommercial-NoDerivatives licence (http://creativecommons.org/licenses/by-nc-nd/4.0), which permits non-commercial re-use, distribution, and reproduction in any medium, provided that no alterations are made and the original article is properly cited. The written permission of Cambridge University Press must be obtained prior to any commercial use and/or adaptation of the article.
Copyright
© The Author(s), 2025. Published by Cambridge University Press
Figure 0

Table 1. Summary statistics

Figure 1

Figure 1. Characteristics of extortion payments by ransomware victims over time in our dataset. (a) Quarterly plot of the number of extortion payments by ransomware victims from 2011 to 2024. (b) Quarterly plot of the summed USD amount for extortion payments by ransomware victims from 2011 to 2024. Note particularly that the decrease in payments in (a) does not lead to reductions in (b): bigger payments are happening less often for equivalent profits.

Figure 2

Figure 2. Variance of extortion payments according to ransomware strain or variant. Boxplot of log variance of extortion payments for each of the ransomware strains and variants in the data, including lower and upper quartiles and outliers. Variance was logged for numerical stability and to maintain positive values.

Figure 3

Figure 3. Ransom demand for WannaCry 2.0 ransomware and distributions of extortion payments. (a) Example WannaCry extortion demand note requesting a USD extortion payment be transferred in BTC. (b) WannaCry extortion payment frequency on a weekly basis, with extortion payments continuing after the initial primary campaign. (c) Kernel density estimation (KDE) of the bimodal distribution of fixed-price WannaCry extortion payments.

Figure 4

Figure 4. Value of Deadbolt and Ryuk extortion payments over time. (a) Value of Deadbolt extortion payments from January 2022 through September 2022. (b) Value of Ryuk extortion payments from August 2018 through January 2022.

Figure 5

Figure 5. (top) Probability density function (PDF) graphs for (a) WannaCry, (b) Deadbolt, and (c) Ryuk extortion payments demonstrating the probability density at specific amounts across the range of payment values, respectively. (bottom) Cumulative distribution function (CDF) graphs for (d) WannaCry, (e) Deadbolt, and (f) Ryuk extortion payments demonstrating the probability that a random extortion payment is less than or equal to an extortion amount across the range of payment values, respectively.

Figure 6

Figure 6. Pairwise Kolmogorov–Smirnov test (KS test) heat maps for distance with p-values. (a) Heat map of pairwise KS test between all ransomware strains/variants in our dataset. (b) Heat map of corresponding p-values for the results of the KS test in (a).

Supplementary material: File

Ramjee and Leverett supplementary material

Ramjee and Leverett supplementary material
Download Ramjee and Leverett supplementary material(File)
File 14.3 MB
Submit a response

Comments

No Comments have been published for this article.