To Pay or Not to Pay: A Look at the Economic Impacts of Ransomware
Bitcoin and the rise of ransomware
The birth of Bitcoin in 2009 opened the era of “financial democracy”, where monetary transactions can be made anonymously without any governing third party. However, every coin has two sides (no pun intended). Bitcoin’s anonymous nature has also allowed criminals to transfer funds safely. No surprise – as cryptocurrencies gain popularity, ransomware attacks have grown remarkably. Ransomware started to emerge on a global scale in 2012 and has quickly evolved to become one of the most common cyberattacks.
Ransomware is a type of malware infection that locks a user out of their device or database until a ransom payment is made to the attacker. Ransomware attacks are generally launched in one of two ways – the attacker can either block the user from accessing their device by disabling the operating system or prevent the user from accessing their data by encrypting them. The latter requires more technical skills. Different from data breaches where criminals sell stolen data for a profit, in a ransomware attack, the data are held hostage.
Examples of large-scale ransomware attacks include Locky in 2016, where a malicious macro virus was included in a Microsoft Word document delivered by email, as well as WannaCry in 2017, which affected Microsoft Windows systems directly and resulted in over 200,000 victims and 300,000 infected computers. As of today, there are more than 500 known ransomware types.
What are the economic impacts?
Before 2017: Wide targeting, low-risk approach
Ransom payments are made almost entirely by cryptocurrencies, mostly Bitcoin. Prior to 2017, cybercriminals took the low-risk approach, where attacks are launched widely against individual users and small businesses.
Just exactly how much money was lost due to ransomware? Academic researchers in Canada used sophisticated tracking to calculate the aggregate ransom payments between 2013 and mid-2017.
Ransomware attackers demand payments by broadcasting one or multiple randomly generated Bitcoin addresses where the victims need to send their money to. From various sources, the researchers collected the Bitcoin addresses related to ransom payments, obtaining 7,222 addresses related to 67 ransomware types.
The researchers then extracted all transaction data from the Bitcoin blockchain, obtaining 312,506,384 addresses. Next, they matched the 7,222 addresses with the full Bitcoin address list to eliminate those addresses that did not receive any ransom payment (perhaps no victims paid). Lastly, they applied a time filter to each address to make sure only transactions after the attack were captured. The final sample contained 7,118 addresses related to 35 ransomware types.
By tracing all transactions made to these addresses, the researchers were able to derive lower-bound conservative figures of the payments. The table below shows the top 15 ransomware types by total payment received between 2013 and mid-2017. Locky received the most payment, with a total of more than $7 million.
(Paquet-Clouston, M., Haslhofer, B., & Dupont, B. 2019)
Between 2013 and mid-2017, the researchers’ conservative estimate of the size of the ransomware market was at $12,768,536.
Source: Paquet-Clouston, M., Haslhofer, B., & Dupont, B. (2019). Ransomware payments in the bitcoin ecosystem. Journal of Cybersecurity, 5(1), 1–11.
After 2017: Narrow targeting, high-risk approach
The seemingly low figure provided by the above research might be relieving, but the bad news is that a new era has just begun.
Since 2017, we have seen a sudden increase in ransomware attacks aimed at big players asking for extremely high ransoms. For instance, attack on South Korean web provider Nayana in 2017 has resulted in the company paying $1 million, making it the most expensive ransom payment ever.
Attacks on government agencies started to take place in 2019. Consecutive attacks on three municipal governments of the United States – Riviera Beach, Lake City of Florida, and Jackson County of Georgia, ended up with the cities paying $600,000, $500,000, and $400,000 respectively.
Cities, schools, hospitals, businesses – everyone is now a potential victim of ransomware attacks. As the average ransomware payout skyrocketed to $41,000 in the third quarter of 2019, keeping your business protected is more crucial than ever. [Penta Security’s WAPPLES is an artificial intelligence web application firewall (WAF), highly effective against a variety of malware, including ransomware. Learn more at WAPPLES.]
To pay or not to pay: A logical analysis of ransom payment
Generally, demanded payment ranges from $100 to $1000 for individuals and much higher for organizations. Scholars in the United Kingdom used an economic approach to analyze ransom payments. By directly comparing them to kidnapping, game theory was used to better understand the motives and positions of each party involved.
The following results were derived from their analyses:
1) From the criminal’s standpoint, the optimal ransom demand increases as the victim’s willingness-to-pay increases. – It might be a good idea to stay low key about how valuable your database is.
2) From the criminal’s standpoint, the optimal ransom demand should not exceed the maximum amount the victim is able to pay, therefore, it is not in a criminal’s best interest to make a demand that the victim cannot afford. – Keep yourself fully protected, but act as if you don’t care.
3) From the criminal’s standpoint, if the victim does not pay the amount demanded, the data held hostage should be automatically destroyed. This is called random destruction. Without the threat of random destruction, the optimal ransom demand is 0, meaning it is in the criminal’s best interest to not make the attack. Thus, the criminal must impose random destruction in order to pose a real threat to the victim. The best way for a criminal to act is to not accept any counteroffers and let the system automatically destroy the data if the victim does not pay the demanded amount. – If random destruction is not applied, you are in a better position. Try your best to negotiate and bring the price down.
4) The criminal must return the victim’s files after a ransom is paid in order to guarantee their credibility.
5) Spillover effects occur between potential victims. For instance, if those who value their data the most invest in cyber protection, this benefits all others. – Keeping yourself protected benefits society as a whole.
6) However, the only way to completely eradicate ransomware is for all potential victims to have full protection, leaving no motives for criminals. – In the long run, it may be optimal for governments to subsidize spendings on cybersecurity.
Source: Cartwright, E., Hernandez Castro, J., & Cartwright, A. (2019). To pay or not: game theoretic models of ransomware. Journal of Cybersecurity, 5(1), 1–12.
A possible solution?
Since it is impossible for everyone to invest in cybersecurity, ransomware is unlikely to fade anytime soon. This is especially concerning for governments because spending tax money on ransom payments is a huge dilemma.
Late January, New York State made a proposal for the creation of a “Cyber Security Enhancement Fund”, urging small municipalities to upgrade their security measures. In order to force the upgrades, a newly proposed law would ban all government agencies from paying ransom starting in 2022. The two-year time frame allows cities to upgrade smoothly. Whether the law would be effective in stopping ransomware still awaits testing, but it is definitely worth a try – you never lose from investing in cybersecurity.