Abstract
Ransomware attacks continue to be a major concern for critical systems that are vital for society, e.g., healthcare, finance, and transportation. Traditional cyber defense mechanisms fail to provide dynamic measures that stop ransomware attacks from progressing through the various stages of the attack process. To this end, intelligent cyber deception strategies can be effective when they leverage information about attacker strategies and deploy deceptive assets to increase the cost or complexity of a successful exploit or to discourage continued attacker efforts. In this paper, we present a novel game-theoretic approach that uses deception-based defense strategies at each of the ransomware attack stages to optimize decision-making and outsmart attacker advances. Specifically, we propose a multistage ransomware game model that deploys a combination of deception assets, i.e., honeytokens, honeypots, honeyfiles, and network honeypots, in subgames. Using closed-form backward induction, we evaluate the Subgame-Perfect Nash Equilibrium (SPNE). We perform a numerical analysis using real-world data and statistics pertaining to the impact of ransomware attacks in the healthcare sector. Our healthcare case study evaluation results show that the use of deception technologies is favorable to the defender. This work elucidates the profound implications of strategic deception in cybersecurity, demonstrating its capacity to complicate successful exploits and consequently bolster the defense of key societal infrastructures.
Acknowledgement
This material is based upon work supported by the National Science Foundation under award number CNS-2243619, and the National Security Agency under award number H98230-21-1-0260. Any opinions, findings, and conclusions or recommendations expressed in this publication are those of the author(s) and do not necessarily reflect the views of the National Science Foundation or the National Security Agency.
Copyright information
© 2025 The Author(s), under exclusive license to Springer Nature Switzerland AG
About this paper
Cite this paper
Neupane, R.L. et al. (2025). On Countering Ransomware Attacks Using Strategic Deception. In: Sinha, A., Fu, J., Zhu, Q., Zhang, T. (eds) Decision and Game Theory for Security. GameSec 2024. Lecture Notes in Computer Science, vol 14908. Springer, Cham. https://doi.org/10.1007/978-3-031-74835-6_8
DOI: https://doi.org/10.1007/978-3-031-74835-6_8
Publisher Name: Springer, Cham
Print ISBN: 978-3-031-74834-9
Online ISBN: 978-3-031-74835-6
eBook Packages: Computer Science (R0)