Abstract
Ransomware has emerged as one of the most severe cyber risks with perpetrators encrypting and extorting thousands of organizations. Targeted organizations face transactional uncertainties, such as not knowing whether the attackers will actually decrypt the data if they decide to pay the ransom. Existing research shows that ransomware groups build credibility to overcome these transactional uncertainties and thereby successfully run their business in the long-term. However, how this credibility is constructed remains unclear. Considering the ransom payment-decision as a principal–agent problem and drawing on signaling theory, we analyze 105 real negotiation chats from five ransomware groups to identify credibility signals that reduce transactional uncertainty. In total, we identified six credibility signals, e.g., test decryption and proofs of stolen data. We contribute to the ransomware literature by explaining how ransomware groups build credibility in the ransom payment-decision, introducing a signaling perspective to ransomware research and empirically by documenting concrete signal types. Practically, our findings inform incident responders and decision-makers by identifying which evidentiary requests most reliably indicate attacker capability or intent.
Recommended Citation
Hoevel, Gilbert G., "Credibility Signals in Ransomware Negotiation Chats: Implications for the Ransomware Payment-Decision" (2025). WISP 2025 Proceedings. 3.
https://aisel.aisnet.org/wisp2025/3