Abstract
Ransomware attacks have recently imposed tremendous costs on businesses and society. Although cybersecurity researchers have developed best practices to protect computer systems from hackers, ransomware attacks are not expected to be eliminated in the near future, mainly because of their complexity and profitability. Despite extensive research on proactive approaches for protecting systems from ransomware attacks, facilitating the negotiation between attacker and victim after a successful attack has not been well investigated. Because the attacker does not know the victim's true valuation of the data and the victim does not know the minimum ransom value that would satisfy the attacker, bargaining over the ransom value can be time-consuming and causes extra interruption cost for the victim. Moreover, since there is no guarantee that the attacker will release the decryption key after the ransom is paid, many victims are reluctant to pay and instead accept the cost of data loss. Therefore, it is important to facilitate the negotiation between attacker and victim so that the data is released sooner. To this end, we first propose a mechanism that assists the negotiation over the ransom value without a Trusted Third Party (TTP). We study the fair ransom value and develop a double-sided blind auction mechanism that achieves incentive compatibility. In the second part, we propose a mechanism that enforces both the victim's payment and the attacker's release of the decryption key without a TTP. To achieve this goal, we construct a dynamic game and set incentives such that its subgame perfect equilibrium matches our design goal. We implement the proposed mechanisms as smart contracts to alleviate the need for a TTP.
Notes
1. Note that the quantification of \(\mu\) and \(\delta\) is out of the scope of this paper.
Copyright information
© 2021 Springer Nature Switzerland AG
Cite this paper
Vakilinia, I., Khalili, M.M., Li, M. (2021). A Mechanism Design Approach to Solve Ransomware Dilemmas. In: Bošanský, B., Gonzalez, C., Rass, S., Sinha, A. (eds) Decision and Game Theory for Security. GameSec 2021. Lecture Notes in Computer Science, vol. 13061. Springer, Cham. https://doi.org/10.1007/978-3-030-90370-1_10
DOI: https://doi.org/10.1007/978-3-030-90370-1_10
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-90369-5
Online ISBN: 978-3-030-90370-1
eBook Packages: Computer Science, Computer Science (R0)