"I was told to buy a software or lose my computer. I ignored it": A study of ransomware


Camelia Simoiu, Stanford University; Christopher Gates, Symantec; Joseph Bonneau, New York University; Sharad Goel, Stanford University


Ransomware has received considerable news coverage in recent years, in part due to several cases against high-profile corporate targets. Little is known, however, about the prevalence and characteristics of ransomware attacks on the general population, what proportion of users pay, or how users perceive risks and respond to attacks. Using a detailed survey of a representative sample of 1,180 American adults, we estimate that 2%--3% of respondents were affected over a 1-year period between 2016 and 2017. The average payment amount demanded was $530 and only a small fraction of affected users (about 4% of those affected) reported paying. Perhaps surprisingly, cryptocurrencies were typically only one of several payment options, suggesting that they may not be a primary driver of ransomware attacks. We conclude our analysis by developing a simple proof-of-concept method for risk-assessment based on self-reported security habits.

Open Access Media

USENIX is committed to Open Access to the research presented at our events. Papers and proceedings are freely available to everyone once the event begins. Any video, audio, and/or slides that are posted after the event are also free and open to everyone. Support USENIX and our commitment to Open Access.

@inproceedings {238329,
author = {Camelia Simoiu and Joseph Bonneau and Christopher Gates and Sharad Goel},
title = {"I was told to buy a software or lose my computer. I ignored it": A study of ransomware},
booktitle = {Fifteenth Symposium on Usable Privacy and Security (SOUPS 2019)},
year = {2019},
isbn = {978-1-939133-05-2},
address = {Santa Clara, CA},
pages = {155--174},
url = {https://www.usenix.org/conference/soups2019/presentation/simoiu},
publisher = {USENIX Association},
month = aug

Presentation Video