To pay or not: game theoretic models of ransomware

Cartwright, Edward; Hernández-Castro, Julio; Cartwright, Anna

doi:10.1093/cybsec/tyz009

Cited by 50 publications

(33 citation statements)

References 17 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…While kidnapping and blackmail is typically in a terrorist context [23], ransomware may be modeled as kidnapping. The kidnapping aspect of ransomware was acknowledged at a practical level and the models of hostage were extended to study the role of irrational aggression and crime deterrence [11]. The game theoretic literature on kidnapping and blackmail gives insight on the optimal ransom that criminals should charge and the role of deterrence through preventative measures.…”

Section: Related Workmentioning

confidence: 99%

Game Theory of Data-selling Ransomware

Liao

2021

JCSANDM

View full text Add to dashboard Cite

We are experiencing the worst years of ransomware attacks with continuing news reports on high-profile ransomware attacks on organizations such as hospitals, schools, government agencies and private businesses. Recently a few ransomware attackers have gone beyond simply encrypting files and waiting for ransom. They threaten to release the data if the victims refuse their ransom request. In this paper, we propose a hypothetical new revenue model for the ransomware, i.e., selling the stolen data rather than publishing the data for free. Through a game-theoretical analysis between attackers and victims, we contribute a novel model to understand the critical decision variables for the proposed data-selling ransomware (which we refer as "ransomware 2.0") that sells data as well as demands ransom. We compare the role of reputation and the profitability of the data-selling ransomware with traditional ransomware ("ransomware 1.0") that demands ransom only and the data-threat ransomware ("ransomware 1.5") that demands ransom with the threat of releasing data for no compliance. Both theoretical modeling and simulation studies suggest that in general both ransomware 2.0 and 1.5 are more profitable than ransomware 1.0, while ransomware 2.0 is always more profitable than ransomware 1.5. Notably, common defensive measures that may work to eliminate the financial incentives of ransomware 1.0 may not work on ransomware 2.0, in particular the data backup practice and the never-pay-ransom strategy. Our findings also suggest that the uncertainties created by this new revenue model may affect attackers' reputation and users' willingness-to-pay, therefore, ransomware 2.0 may not always increase the profitability of attackers. Another finding of the study suggests that reputation maximization is critical in ransomware 1.0 and 1.5, but not in ransomware 2.0, where attackers could manipulate reputation for profit maximization.

show abstract

Section: Related Workmentioning

confidence: 99%

Game Theory of Data-selling Ransomware

Liao

2021

JCSANDM

View full text Add to dashboard Cite

show abstract

“…Additionally, many cybercriminals simply make use of the code or ideas from other relatively successful ransomware variants in order to make a quick profit [5] [6]. Also, the availability of Ransomware-as-a-Service (RaaS) [7] means cybercriminals can go to the underground market to purchase ransomware kits, such as Satan [8], allowing them to deploy their own ransomware variants without needing in-depth technical knowledge.…”

Section: Introductionmentioning

confidence: 99%

A Roadmap for Improving the Impact of Anti-ransomware Research

Pont

Oun

Brierley

et al. 2019

Lecture Notes in Computer Science

View full text Add to dashboard Cite

show abstract

“…In contrast, in our study, in the case of untargeted attacks with lateral movement, preventive actions effectively impact the spreading of the attack. Cartwright et al (2018) adapt the models by Lapan and Sandler (1988) and Selten (1988) to ransomware attacks and explore bargaining and deterrence strategies. In particular, they show that the likelihood of irrational aggression in the absence of payment and credible commitment to return files upon receipt of payment play key roles in incentivizing victims to pay the ransom.…”

Section: Literature Reviewmentioning

confidence: 99%

“…Last but not least, neither the kidnapping literature nor the extant literature on economics of ransomware capture the possibility of negative security network externalities which characterize worm cyberattacks. Cartwright et al (2018) mention potential spillover effects of deterrence when there are two customer categories but they do not tie these effects to the size of the vulnerable population. In the case of worm ransomware, due to autonomous lateral spreading, the higher the number of unpatched systems on a network, the higher the risk of infection to every single one of them.…”

Section: Literature Reviewmentioning

confidence: 99%