On the Economics of Ransomware

While recognized as a theoretical and practical concept for over 20 years, only now has ransomware taken center stage as one of the most prevalent cybercrimes. Various reports demonstrate the enormous burden placed on companies, which have to grapple with ongoing waves of attacks. At the same time, our strategic understanding of the threat, and of the adversarial interaction between organizations and the cybercriminals perpetrating ransomware attacks, is lacking. In this paper, we develop, to the best of our knowledge, the first game-theoretic model of the ransomware ecosystem. Our model captures a multi-stage scenario in which organizations from different industry sectors face a sophisticated ransomware attacker. We place particular emphasis on the decision of companies to invest in backup technologies as part of a contingency plan, and on the economic incentives to pay a ransom if impacted by an attack. We further study to which degree comprehensive industry-wide backup investments can serve as a deterrent against ongoing attacks.
