2.1. Heavy-tailed distributions and cyber insurance

Heavy-tailed distributions, i.e. distributions with tails that take longer to approach zero than exponential distributions, appear frequently in statistical analyses regarding cybersecurity threats (e.g., Bryson, Reference Bryson1974; Edwards et al., Reference Edwards, Hofmeyr and Forrest2016; Eling and Wirfs, Reference Eling and Wirfs2016; Florêncio and Herley, Reference Florêncio and Herley2011; Hult and Lindskog, Reference Hult and Lindskog2011; Maillart and Sornette, Reference Maillart and Sornette2010; Romanosky, Reference Romanosky2016; Shevchenko et al., Reference Shevchenko, Jang, Malavasi, Peters, Sofronov and Trueck2023). Such distributions can appear when investigating different types of cybersecurity threats, e.g. estimating infected devices amongst certain Internet of Things (IoT) manufacturers, as well as in studies related to actuarial assessments, insurance, and models of risk for cybersecurity threats (Biener et al., Reference Biener, Eling and Wirfs2015; Dacorogna et al., Reference Dacorogna, Debbabi and Kratz2023; Jung, Reference Jung2021; Rodríguez et al., Reference Rodríguez, Noroozian, van Eeten and Gañán2021). While there is some research that attempts to fit a single distribution to a loss model for cybersecurity threats, there is less peer-reviewed work that comprehensively examines the foundational underpinnings of why cybersecurity threats are heavy-tailed (August et al., Reference August, Dao and Niculescu2022; Kolesnikov et al., Reference Kolesnikov, Markov, Smagulov and Solovjovs2022; Laszka et al., Reference Laszka, Farhang and Grossklags2017; Santini et al., Reference Santini, Gottardi, Baldi and Chiaraluce2019). Some studies have sought to determine if different driving processes are independent and can be accounted for in modelling, though these have primarily used existing datasets related to data breaches and not ransomware incidents (e.g., Eling and Wirfs, Reference Eling and Wirfs2016; Xu et al., Reference Xu, Schweitzer, Bateman and Xu2018; Zeller and Scherer, Reference Zeller and Scherer2022). Looking at ransomware attacks in particular, prior literature includes modelling of losses for ransomware attacks with traditional assessments of aggregate cyber risk across various cybersecurity threats and has not sufficiently explored evaluating risk based on the specific type of cybersecurity threat and any unique underlying driving processes (Axon et al., Reference Axon, Erola, Agrafiotis, Uuganbayar, Goldsmith and Creese2023; Caporusso et al., Reference Caporusso, Chea and Abukhaled2019).

Heavy-tailed distributions also appear in losses associated with financially motivated cybersecurity threats over time. Over the last two years, BECs and extortion breaches (including ransomware attacks) accounted for approximately one-fourth and one-third of financially motivated attacks, respectively. Additionally, BECs had a median transaction amount of $50,000 USD in both years, while according to the Federal Bureau of Investigation’s Internet Crime Complaint Center (IC3) ransomware incident complaint data, “the median loss associated with ransomware and other extortion breaches has been $46,000 [USD], ranging between $3 [USD] and $1,141,467 [USD] for 95% of cases” (FBI, 2024; Verizon, 2024). Extortion amounts vary by ransomware strain or variantFootnote ¹ due to differences in the attack behaviours and choices of targets (perhaps specific to a sector). Extortion payments also vary over time, with these temporal factors having ramifications for risk management.

Previously, Leverett et al. (Reference Leverett, Jardine, Burns, Gangwal and Geer2020) used power laws to study the characterization of ransomware-related extortion payments by their averages. In particular, the authors highlighted that data from recent years suggests that the exponent of the power laws might be testing the boundaries of the insurability of paying ransoms with insurance policies. Their findings indicated this was the result of no stable, defined first moment under recent exponents. Additionally, Leverett et al. concluded that power laws perform a good distribution fit to ransom payments due to the diversity induced by multiple sub-population distributions. This is consistent with other research on mixture models and power law tails (Patriarca et al., Reference Patriarca, Heinsalu, Marzola, Chakraborti and Kaskin.d.). Furthermore, the work of Cartwright and Cartwright predicts that a mixed distribution would be an emergent property of a diversity of differential pricing by different groups (Hernandez-Castro et al., Reference Hernandez-Castro, Cartwright and Cartwright2020).

General liability insurance to cover losses involves some type of risk assessment and related pricing. While some providers assess an overall risk, others use more advanced methods (e.g. spatial analysis, AI-driven modelling, etc.) to determine insurance tiers and premiums based on different subsets of risks. For cyber insurance providers, such granularity does not currently exist, and many providers focus coverage on cybersecurity threats as a monolith (i.e. treating DDoS, fraud, ransomware, etc. as one) despite the reality that the insureds incur different losses driven by different processes. For example, a qualitative analysis of cyber insurance policies from 5 years ago reports that the average premium for most insured parties is between $10,000 and $25,000 (USD), with some providers setting limits up to $10–$50 million (USD) and others offering extreme loss coverage for certain industries with limits in the hundreds of millions of dollars (Romanosky et al., Reference Romanosky, Ablon, Kuehn and Jones2019). At present, there is still limited publicly available information regarding how cyber risk is determined, how cyber risk changes based on industry and sector, and how premiums are ultimately determined (CISA, 2021; Romanosky et al., Reference Romanosky, Ablon, Kuehn and Jones2019; Woods et al., Reference Woods, Agrafiotis, Nurse and Creese2017).

Fundamentally, cybersecurity threats are merely technologically elevated forms of adversarial actions already in existence, such as theft, fraud, sabotage, and extortion/ransom. It follows then that cyber risk is no different than other types of uncertain adversarial risks that can be assessed as a straightforward function of threat, vulnerability, and impact (Geer et al., Reference Geer, Jardine and Leverett2020). However, because of the ubiquity of technological systems and potential for wide-ranging and compounding consequences, cybersecurity threats can not only be thought of as their own new risk class but can also require providers to reassess many other risk classes (Wolff, Reference Wolff2022). A 2023 study found that providers were nearly split as to whether cyber risk is treated as its own unique class versus incorporated into other existing risk classes (Romanosky and Petrun Sayers, Reference Romanosky and Petrun Sayers2023).

Nearly 25 years ago, Dr. Ross Anderson aptly detailed the risk issues of cyber insurance that still ring true today: “Around 2000, the end of the dotcom boom created a downswing that coincided with the Millennium bug scare. Even now that markets are returning to normal, some kinds of cover are still limited because of correlated risks. Insurers are happy to cover events of known probability and local effect, but where the risks are unknown and the effect could be global (for example, a worm that took down the Internet for several days), markets tend to fail (Anderson, Reference Anderson2001).” Additionally, previous research has demonstrated how two tiers of cyber risk consideration creates potential barriers to a healthy cyber insurance market: “the first tier is the correlation of cyber-risks within a firm (i.e. correlated failure of multiple systems on its internal network) and the second tier is the correlation in risk at a global level (i.e. correlation across independent firms in an insurer’s portfolio)” (Anderson, Reference Anderson2001; Böhme and Kataria, Reference Böhme and Kataria2006). The second tier—of interest in our study—is often known as ‘accumulation’ or ‘aggregation’ of risk in a portfolio.

Alongside a split consensus as to how cyber risk is handled, cyber insurance providers are considerably varied on exclusions to coverage. While many providers offer policies that cover aspects of first-party liability with little to no variance in costs across customers, there is a pronounced division as to whether extortion payments are covered under the same policies (Woods et al., Reference Woods, Agrafiotis, Nurse and Creese2017; Romanosky et al., Reference Romanosky, Ablon, Kuehn and Jones2019). Cyber insurance firms that choose to exclude extortion payments from coverage can simplify considerations for solvency and premium pricing, though their offerings may not be as enticing to customers who are hoping for protection on extortion payments. However, insurance providers who do offer coverage of these payments face a challenging predicament of how to model high variability in losses incurred, including inconsistent extortion amounts demanded by different groups for different victim companies within different industries and sectors, varied clustering in time, and frequency of payments.

Pricing models in insurance are designed to have an underwriting loss ratio (ULR), and in the cyber insurance industry, it is not uncommon for that ratio to be 40–45 percent. For example, “although insurers experienced a range of outcomes in 2023…overall performance held strong in the face of market softening and rebounding frequency; the 2023 loss ratio of 42 percent [wa]s the lowest since calendar year 2018” (AON, 2023). This translates to premium pricing that leads to 42 cents of loss for every dollar generated in a given year. However, the ULR for some years can be worse than others, wherein losses may even exhaust the premium reserves. In these cases, the volatility of cyber risk has a cost outwith the pricing model, and the role of capital reserves and solvency determinations helps cover this (Mildenhall and Major, Reference Mildenhall and Major2022). Solvency can be achieved with four components: 1) the evaluation of liabilities; 2) the evaluation of assets; 3) the level of the premiums of long-term policies; and 4) reinsurance (Pentikäinen, Reference Pentikäinen1967). We also see similar statements when we examine only insurance pricing literature: “Premium covers only the cost of risk transfer…In practice capital costs are split between on-balance sheet costs, estimated via cost-of-capital, and the cost of reinsurance” (Mildenhall and Major, Reference Mildenhall and Major2022).

This then leads to the fundamental question of the present study: should extortion payments be included in cyber insurance policies? Model risk—risk of potential loss an institution may incur due to decisions based on inadequacies in internal models (e.g. financial risk measurement and valuation models)—is an acknowledged and long-standing issue in the field of financial risk modelling (e.g., Sibbertsen et al., Reference Sibbertsen, Stahl and Luedtke2008; Klüppelberg et al., Reference Klüppelberg, Straub and Welpe2014; Blanchet and Murthy, Reference Blanchet and Murthy2019). As simplified representations of complex phenomena, models are inherently prone to inaccuracies. Understanding the contexts and mechanisms of model failure is crucial for effective decision-making and policy design. For cyber insurance providers, determining if extortion payments are or are not i.i.d., the latter violating the classical model of ruin theory, would reduce model risk in certain solvency determination circumstances. Thus, our null hypothesis for this study is that extortion payments made to threat actors are independent and identically distributed within and across ransomware strains and variants.

2.2. Dynamics of ransomware attacks and ransom demands

As discussed, traditional model risk calculations and solvency determinations assume a certain degree of environmental stability and predictability—conditions that do not hold for cybersecurity threats. The adversarial nature of such threats creates a feedback loop of escalation that undermines static risk models. As a result, cyber insurers face significant challenges in accurately assessing pricing coverage and capital reserve requirements in a market where risk conditions can shift rapidly and unpredictably. The predator–prey paradigm offers a compelling framework for conceptualizing the dynamic interplay between threat actors and defensive systems and has been investigated in prior research (e.g., Ford et al., Reference Ford, Bush and Bulatov2006; Furnell, Reference Furnell2008; Kumar et al., Reference Kumar, Mishra and Panda2016; Ud Din et al., Reference Ud Din, Masood, Samar, Majeed and Raja2017; Ding et al., Reference Ding, Zhang and Chen2019; Axon et al., Reference Axon, Erola, Agrafiotis, Uuganbayar, Goldsmith and Creese2023; Gorman et al., Reference Gorman, Kulkarni and Schintler2004).

Analogous to biological ecosystems, where evolutionary pressures drive reciprocal adaptations between predators and their prey, the cybersecurity domain is characterized by continuous cycles of offensive innovation and defensive response (Nye, Reference Nye2010; Whyte, Reference Whyte2015; Axon et al., Reference Axon, Erola, Agrafiotis, Uuganbayar, Goldsmith and Creese2023). Threat actors, equipped with increasingly sophisticated tools and techniques, exploit vulnerabilities across digital infrastructures, prompting defensive countermeasures. These countermeasures, while temporarily reducing the efficacy of attacks, often induce adversaries to modify tactics, thereby perpetuating an evolutionary arms race. The resulting co-adaptive cycle mirrors ecological population fluctuations, where increases in attack prevalence are typically met with heightened defensive posture, and lulls in threat activity may inadvertently foster vulnerability through strategic or resource-driven complacency (Nye, Reference Nye2010; Axon et al., Reference Axon, Erola, Agrafiotis, Uuganbayar, Goldsmith and Creese2023).

The Lotka–Volterra model (Lotka, Reference Lotka1925; Volterra, Reference Volterra1926), a foundational construct in mathematical biology for describing predator–prey population dynamics, can be repurposed to simulate the interaction between cyber attackers and defenders within digital ecosystems. In this adapted framework, attackers are analogized to predators whose success is contingent upon the availability and vulnerability of targets (prey), while defenders represent the adaptive capacity of systems to mitigate and withstand these threats (Gorman, Reference Gorman, Kulkarni and Schintler2004; Axon et al., Reference Axon, Erola, Agrafiotis, Uuganbayar, Goldsmith and Creese2023). The coupled differential equations describe how the “prey” population—symbolizing the robustness or density of defended assets—grows in the absence of attack, while the “predator” population—denoting the intensity or frequency of cyber threats—increases through successful exploitation (Gorman et al., Reference Gorman, Kulkarni and Schintler2004):

(2.1) $$ dH/ dt=H\left(a- aP\right) $$

(2.2) $$ dP/ dt=P\left(-b+ bH\right), $$

where H(t) and P(t) represent the magnitude of prey and predator populations, respectively, a is the growth rate of the prey population in the absence of predators, and b is the rate at which a predator population will decrease without a sufficient amount of prey to feed upon. When transposed to cybersecurity threats, this model facilitates the quantitative examination of adversarial dynamics, enabling researchers to predict emergent threat behaviours, evaluate the temporal efficacy of defence strategies, and optimize proactive interventions in complex and evolving threat environments.

Ransomware attacks provide a particularly salient manifestation of predator–prey dynamics, wherein threat actors operate as strategic predators targeting digital ecosystems that often lag in defensive evolution. The cyclical nature of these attacks mirrors ecological interactions: as vulnerabilities proliferate through expanded digital infrastructure, inconsistent patching, stolen credentials, and human error, attackers adapt with increasing sophistication. This predator–prey relationship also has significant implications for the economics of ransomware. As defenders have improved response capabilities (i.e. stronger backup protocols, endpoint protections, and regulatory oversight) and refuse to pay extortion demands, ransomware threat actors have been forced to adapt. This can be seen in threat actors shifting to double and triple extortion techniques, including threats to leak stolen data or contact victims’ customers directly.

The predator–prey framework also invites a deeper examination of the empirical patterns these interactions produce. As discussed, unlike in other insurance areas where past loss experience provides a relatively stable foundation for forecasting future claims, cyber risk is shaped by a volatile and fast-changing threat environment that complicates predicting changes in cyber risk (Marotta et al., Reference Marotta, Martinelli, Nanni, Orlando and Yautsiukhin2017). The challenges posed by this dynamic nature for underwriting are additionally compounded by data availability issues. Existing literature has highlighted the diminishing value of historical data as cyber threats evolve more rapidly than underwriting models can (Eling and Wirfs, Reference Eling and Wirfs2016). Thus, the relevance of historical data for quantifying cyber risk and informing premium-setting is inherently short-lived (Shetty et al., Reference Shetty, McShane, Zhang, Kesan, Kamhoua, Kwiat and Njilla2018). This temporal limitation challenges insurers’ ability to differentiate between levels of cyber maturity across customers and may contribute to pricing strategies based more on market competition than on evidence-based risk segmentation—making reliance on premium pricing for solvency considerations even more hazardous.

2.3. Solvency and modelling considerations

The probability of ruin refers to the likelihood that an insurer’s liabilities will exceed its assets in present value terms at a specified future date, resulting in insolvency. It serves as a key metric for evaluating an insurance company’s risk of insolvency and overall risk exposure. Solvency determinations in classical ruin theory rely on a key assumption of independent and identically distributed (i.i.d.) claims based on a compound Poisson process characterized by a Poisson distribution (Lundberg, Reference Lundberg1903). The i.d.d. assumption has been well-documented in existing literature (e.g., Gerber, Reference Gerber1988; Dickson, Reference Dickson2005; Hult and Lindskog, Reference Hult and Lindskog2011), with more recent work also examining the assumption regarding heavy-tail distributions (Beck et al., Reference Beck, Blath and Scheutzown.d.). For a Poisson distribution, the assumption of i.i.d. is satisfied when random events in different time segments are independent and identically distributed. Additionally, a Poisson distribution also assumes that events in the sample are non-simultaneous, i.e. two or more events do not occur at the same time, and that the probability of an event occurring is not conditional on the number of previous events that have occurred within a small time period (Gill and Bao, Reference Gill and Bao2024).

In classical ruin theory, the Cramér-Lundberg model is the foundational mathematical model for testing solvency against a stochastic claims process (Lundberg, Reference Lundberg1903). Specifically, claims γ with i.i.d. inter-arrival times at time t according to a Poisson process N(t) with claim frequency γ can be defined as

(2.3) $$ \Upsilon (t)=\sum \limits_{i=1}^{N(t)}{X}_i, $$

where i.i.d. claim amounts X_i occur based on a compound Poisson process with distribution Γ and positive mean μ with finite variance. For an insurance provider that starts with initial capital reserves $ \phi \ge 0 $ and collects premiums at a constant rate c > 0, total assets $ \Phi $ at time $ t $ for $ t\ge 0 $ can be defined as

(2.4) $$ \Phi (t)=\phi + ct-\sum \limits_{i=1}^{N(t)}{X}_i. $$

With this model, the primary objective is to evaluate the probability of ultimate ruin $ \Psi $ , i.e. bankruptcy, denoted as

(2.5) $$ \Psi \left(\phi \right)=\mathrm{\mathbb{P}}\left(\Phi (t)<0,\mathrm{for}\ \mathrm{some}\hskip0.32em t|\Phi (0)=\phi \right) $$

which occurs when $ \Phi (t)<0 $ at some $ t $ (Dufresne and Gerber, Reference Dufresne and Gerber1989; Constantinescu and Thomann, Reference Constantinescu and Thomann2005; Wüthrich and Merz, Reference Wüthrich and Merz2013).

This classical model of ruin theory can also be adapted to account for i.i.d. claim amounts $ {X}_i $ occurring based on other distributions, including exponential distributions and other variations. The Sparre–Anderson model expands the Cramér–Lundberg model to consider the i.i.d. assumption where claim inter-arrival times follow arbitrary distribution functions (Andersen, Reference Andersen1957). Essentially, instead of assuming exponentially distributed inter-arrival times, the Poisson process allows for inter-arrival times to have any distribution as long as the inter-arrival times are i.i.d. with a finite mean. The Sparre-Anderson model is also defined as

(2.6) $$ \Phi (t)=\phi + ct-\sum \limits_{i=1}^{N(t)}{X}_i,\mathrm{for}\hskip0.32em t\ge 0, $$

but $ N{(t)}_{t\ge 0} $ follows the Poisson process with arbitrary distribution functions for i.i.d. claim amounts $ {X}_i $ (Thorin, Reference Thorin1974).

The i.i.d. requirement is a common assumption underlying statistical analyses (Gill and Bao, Reference Gill and Bao2024). Simply, a dataset of random variables is assumed to be i.i.d. if each random variable has the same probability distribution as the others but is produced without being conditional on any other variable in the dataset. In mathematical terms, the assumption of i.i.d. relies on random variables $ X $ and $ Y $ in a sample being independent, defined as

(2.7) $$ P\left(X\cap Y\right)=P(X)P(Y), $$

and the sample of $ n $ random variables, $ {X}_i,{X}_2,\dots, {X}_n $ , being identically distributed with each variable $ {X}_i $ having the same mean $ \mu $ and variance $ {\sigma}^2 $ , defined as

(2.8) $$ E\left({X}_i\right)=\mu \hskip0.22em \mathrm{and}\hskip0.32em Var\left({X}_i\right)={\sigma}^2. $$

Random variables that are identically distributed do not necessarily all have the same probability. Furthermore, the i.i.d. assumption is only met when $ n $ random variables are both independent and identically distributed—violation of either independence or being identically distributed within the sample means that the variables are not i.i.d. (Gill and Bao, Reference Gill and Bao2024).

This study examines whether the identically distributed requirement for i.i.d. is satisfied for extortion payments, including common violations such as the underlying distribution of the sample shifting over time, known as “concept drift” (Webb et al., Reference Webb, Hyde, Cao, Nguyen and Petitjean2016). Random variables must share the same probability distribution, but that distribution can be of any type, such as normal distribution, exponential distribution, Poisson distribution, etc. More precisely, random variables in a sample are considered identically distributed if and only if the cumulative distribution function (CDF)—the probability that a random variable will take on a value equal to or less than said value in a sample—of each random variable is the same as that of other random variables in the sample. Additionally, as the CDF is the integral of the probability density function (PDF), which is the probability that a random variable will take on a value equal to said value in a sample, it follows that identically distributed random variables in a sample would have the same PDF (Gill and Bao, Reference Gill and Bao2024).

In this study, we specifically assess whether the i.i.d. assumption for sub-claim cryptocurrency extortion payments within claim amounts $ {X}_i $ is satisfied for both Cramér-Lundberg and Sparre–Anderson models.

3.1. Data

The data in this study are extortion payments paid in Bitcoin (BTC) cryptocurrency to ransomware threat actors using one of 145 ransomware strains or variants between 2011 and 2024. Cryptocurrency transaction data have been a source of data for research on ransomware threat actors and victims in previous studies (e.g., Wang et al., Reference Wang, Pang, Chen, Zhao, Huang, Chen and Han2021; Turner et al., Reference Turner, Ikram and Uhlmann2025). The dataset was created by the authors. Extortion payment amounts were collected from the public ledger for the Bitcoin blockchain using BTC addresses, as explained in the next subsection. The structure of our data does not reveal how many victims did not pay extortion amounts, as we are only able to conduct our analyses on observed transactions. Transactions of zero do not show up in the blockchain, but we do discuss payment ratios below.

Regarding the completeness of our aggregated dataset, one limitation is that the data included are a sample of convenience, and we acknowledge that there are many payments not present. Regarding the reliability of our data, each extortion amount was verified by transaction information on the BTC blockchain, and sometimes in the news as well. We excluded any extortion amounts that could not be confirmed by the blockchain public ledger; thus, the data included in this study are traceable and peer-reviewable. Replication and validation of this study’s findings can be conducted by requesting data from authors; independently recreating the dataset based on our Methodology; or using crowdsourced data, e.g. the ransomware project, or data from a blockchain analytics firm such as Chainalysis (Cable, Reference Cable2024).

3.2. Methodology

Bitcoin addresses were gathered by extracting BTC addresses from malware binary samples and ransom notes from confirmed ransomware attacks, following existing accepted practices. For example, one could acquire malware binary samples from publicly available repositories used by security researchers, incident responders, and/or forensic analysts (e.g. VirusShare), as well as publicly available scanning and verification tools for malware (e.g. VirusTotal). Malware binary samples are executable files that contain code for executing the malware on a device or system for an attack, and these samples are often used for reverse engineering for cybersecurity research (Ferguson et al., Reference Ferguson, Kaminsky, Larsen, Miras and Pearce2008).

The process for aggregating BTC addresses involved using a regular expression to extract BTC addresses from malware binary samples and text files associated with ransomware attacks. To protect against false positives, every BTC address was validated with the address validation mechanisms publicly available on the Rosetta Code website (RosettaCode, n.d.). After a BTC address was validated as a legitimate BTC address, soft attribution was performed via fuzzy hashing—a matching technique using a hash function to focus on common patterns or structures and allow for small variations or differences—of the ransom note or the malware itself, e.g. with TLSH (Trendmicro Locality Sensitive Hash). With this technique, each malware binary sample was assigned a ransomware strain or variant by matching the binary malware sample or the ransom note to previous samples from a known ransomware strain or variant. Many of these soft attributions have been validated with other data sources, such as Ransomlook, that classify BTC addresses into ransomware strains and variants (Dulaunoy et al., Reference Dulaunoy, FafnerKeyZee and Harper2024). When this soft attribution was not possible, the BTC address was put into a bucket known as “unaffiliated” until soft attribution may be possible in the future. All of these unaffiliated addresses ( $ N $ = 2022) were excluded from this study.

Once collated into a ransomware strain or variant, extortion payments to the BTC address were traced using the public BTC blockchain. We focused only on the incoming transactions (extortion payments from victims) and not on outgoing transactions (withdrawals by threat actors). Confirmed transactions were converted to US dollar (USD) amounts using the average price of BTC on the day of the transaction, which is a standard practice in any research assessing the value of cryptocurrency or other digital assets over time (Conti et al., Reference Conti, Gangwal and Ruj2018; Cable et al., Reference Cable, Gray and McCoy2024). Additionally, to explore if the demand value of extortion amounts was independent of fluctuating BTC price, we analysed a 3-year moving average of both BTC price and extortion payments to establish a lack of correlation (see Appendix A).

Herein, we conduct descriptive statistics of our data, as well as empirical analyses of specific ransomware strains/variants and incidents. We then determine whether the i.i.d. assumption is valid for extortion payments across and within our data using multiple tests, including a Kruskal–Wallis, Spearman’s Correlation, Cramer von Mises, and Kolmogorov–Smirnov. Violations of either independence or identical distribution for extortion payments violate the i.i.d. assumption, suggesting that ransom demands are generated by the different processes (tools, tactics, and procedures) associated with certain ransomware strains/variants or specific threat actors.