On the Economics of Ransomware

Abstract

While recognized as a theoretical and practical concept for over 20 years, only now ransomware has taken centerstage as one of the most prevalent cybercrimes. Various reports demonstrate the enormous burden placed on companies, which have to grapple with the ongoing attack waves. At the same time, our strategic understanding of the threat and the adversarial interaction between organizations and cybercriminals perpetrating ransomware attacks is lacking.

In this paper, we develop, to the best of our knowledge, the first game-theoretic model of the ransomware ecosystem. Our model captures a multi-stage scenario involving organizations from different industry sectors facing a sophisticated ransomware attacker. We place particular emphasis on the decision of companies to invest in backup technologies as part of a contingency plan, and the economic incentives to pay a ransom if impacted by an attack. We further study to which degree comprehensive industry-wide backup investments can serve as a deterrent for ongoing attacks.

Proofs

1.1 A.1 Proof of Lemma 1

From Eq. (3), we have that the best-response strategy \(p_i^*\) of organization i is

$$\begin{aligned} p_i^* \in&\mathop {{{\mathrm{argmax}}}}\limits _{p \in \{0, 1\}} \left[ W_j - C_B \cdot b_i - \beta \left( \frac{F_j + (1 - p) \cdot L_j}{b_i} + T_j + p \cdot r \right) \right] \end{aligned}$$

(9)

$$\begin{aligned}&= \mathop {{{\mathrm{argmax}}}}\limits _{p \in \{0, 1\}} p \cdot \left( \frac{L_j}{b_i} - r \right) . \end{aligned}$$

(10)

Clearly, \(p_i^* = 1\) is a best response if and only if \(\frac{L_j}{b_i} - r \ge 0\), and \(p_i^* = 0\) is a best response if and only if \(\frac{L_j}{b_i} - r \le 0\).   \(\square \)

1.2 A.2 Proof of Lemma 2

From Eq. (2), we have that the best-response strategy \(b_i^*\) of organization i is

$$\begin{aligned} b_i^* \in \mathop {{{\mathrm{argmax}}}}\limits _{b_i \in \mathbb {R}_+} \left[ W_j - C_B \cdot b_i - \beta \frac{F_j}{b_i} \right] . \end{aligned}$$

(11)

To find the maximizing \(b_i^*\), we take the first derivative of the payoff, and set it equal to 0:

$$\begin{aligned} -C_B + \beta \frac{F_j}{{b_i^*}^2} = 0 \end{aligned}$$

(12)

$$\begin{aligned} b_i^* = \pm \sqrt{\beta \frac{F_j}{C_B}} , \end{aligned}$$

(13)

Since \(b_i \in \mathbb {R}_+\), the only local optima is \(b_i^* = \sqrt{\beta \frac{F_j}{C_B}}\). Further, the payoff is a concave function of \(b_i\) as the second derivative is negative, which means that this \(b_i^*\) is the global optimum and, hence, a unique best response.    \(\square \)

1.3 A.3 Proof of Lemma 4

The best-response ransom demand \(r^*\) is

$$\begin{aligned} r^* \in&\mathop {{{\mathrm{argmax}}}}\limits _{r \in \mathbb {R}_+} \left[ \sum _j \sum _{i \in G_j} V_j(a_1, a_2) \cdot r \cdot p_i^*(r) \right] - C_A \cdot (a_1 + a_2) - C_D \end{aligned}$$

(14)

$$\begin{aligned}&= \mathop {{{\mathrm{argmax}}}}\limits _{r \in \mathbb {R}_+} \sum _j \sum _{i \in G_j} V_j(a_1, a_2) \cdot r \cdot 1_{\left\{ r \le \frac{L_j}{\hat{b}_j}\right\} } \end{aligned}$$

(15)

$$\begin{aligned}&= \mathop {{{\mathrm{argmax}}}}\limits _{r \in \mathbb {R}_+} \sum _j \left| G_j\right| \cdot V_j(a_1, a_2) \cdot r \cdot 1_{\left\{ r \le \frac{L_j}{\hat{b}_j}\right\} } . \end{aligned}$$

(16)

Clearly, the optimum is attained at either \(\frac{L_1}{\hat{b}_1}\) or \(\frac{L_2}{\hat{b}_2}\). Since we assumed that \(\frac{L_1}{\hat{b}_1} \le \frac{L_2}{\hat{b}_2}\), we have that \(r = \frac{L_1}{\hat{b}_1}\) is a best response if and only if

$$\begin{aligned} \left( \left| G_1\right| V_1(a_1, a_2) + \left| G_2\right| V_2(a_1, a_2)\right) \frac{L_1}{\hat{b}_1} \ge \left| G_2\right| V_2(a_1, a_2) \frac{L_2}{\hat{b}_2} \end{aligned}$$

(17)

$$\begin{aligned} \left| G_1\right| V_1(a_1, a_2) \frac{L_1}{\hat{b}_1} \ge \left| G_2\right| V_2(a_1, a_2) \left( \frac{L_2}{\hat{b}_2} - \frac{L_1}{\hat{b}_1} \right) . \end{aligned}$$

(18)

Further, an analogous condition holds for \(r = \frac{L_2}{\hat{b}_2}\) being a best response, which concludes our proof.    \(\square \)

1.4 A.4 Proof of Lemma 5

Recall that the attacker’s expected payoff is

$$\begin{aligned} {{\mathrm{E}}}\left[ \mathcal {U}_A\right] = \left( \sum _j \sum _{i \in G_j} V_j(a_1, a_2)\cdot p_i \cdot r \right) - C_A \cdot (a_1 + a_2) - C_D \cdot 1_{\left\{ a_1> 0 \text { or } a_2 > 0\right\} } . \end{aligned}$$

(19)

Consider that \(a_1 + a_2 = a_{\text {sum}}\) and r are given, and \(a_{\text {sum}} > 0\). Under these conditions, the attacker’s best strategy is

$$\begin{aligned} a_1^* \in&\mathop {{{\mathrm{argmax}}}}\limits _{a_1 \ge 0} \left( \sum _j \sum _{i \in G_j} V_j(a_1, a_2)\cdot p_i^*(r) \cdot r \right) - C_A \cdot (a_1 + a_2) - C_D \end{aligned}$$

(20)

$$\begin{aligned}&= \mathop {{{\mathrm{argmax}}}}\limits _{a_1 \ge 0} \frac{a_1}{D + a_{\text {sum}}} |G_1| \cdot 1_{\left\{ r \le \frac{L_1}{\hat{b}_1}\right\} } + \frac{a_{\text {sum}} - a_1}{D + a_{\text {sum}}} |G_2| \cdot 1_{\left\{ r \le \frac{L_2}{\hat{b}_2}\right\} }, \end{aligned}$$

(21)

giving the non-negative payoff. The best strategy can be calculated readily.    \(\square \)

1.5 A.5 Proof of Proposition 1

Lemma 5 shows the attacker’s best-response attack effort for fixed effort level, i.e., \(a_{sum}\). In this Lemma, for example, \(a_1^*=0\) and \(a_2^*=a_{sum}\) is the attacker’s best-response effort if \(|G_1| \cdot 1_{\left\{ r \le \frac{L_1}{\hat{b}_1}\right\} } < |G_2| \cdot 1_{\left\{ r \le \frac{L_2}{\hat{b}_2}\right\} }\) and the resulting attacker’s payoff is non-negative. According to Lemma 4, the attacker’s best-response ransom demand is either \(\frac{L_1}{\hat{b}_1}\) or \(\frac{L_2}{\hat{b}_2}\) and without loss of generality, we have assumed that \(\frac{L_1}{\hat{b}_1} \le \frac{L_2}{\hat{b}_2}\).

For this case, the attacker’s payoff is equal to:

$$\begin{aligned} {{\mathrm{E}}}\left[ \mathcal {U}_A\right] = \frac{a_{sum}}{D+a_{sum}} |G_2| \cdot r \cdot 1_{\left\{ r \le \frac{L_2}{\hat{b}_2}\right\} } - C_A \cdot a_{sum} - C_D. \end{aligned}$$

(22)

If the above equation is negative, i.e.,

$$\begin{aligned} r < \frac{ \left( D + a_{sum}\right) \left( C_A \cdot a_{sum} + C_D\right) }{a_{sum} \cdot |G_2| \cdot 1_{\left\{ r \le \frac{L_2}{\hat{b}_2}\right\} }}, \end{aligned}$$

the attacker’s best-response effort is \(a_1^* = a_2^*=0\). To satisfy the above condition, we replace r with \(\frac{L_2}{\hat{b}_2}\), which gives

$$\begin{aligned} \frac{L_2 \cdot a_{sum} \cdot |G_2| \cdot 1_{\left\{ r \le \frac{L_2}{\hat{b}_2}\right\} }}{L_2\left( D + a_{sum}\right) \left( C_A \cdot a_{sum} + C_D\right) } < \hat{b}^*_2. \end{aligned}$$

Further, the defender’s best-response backup strategy when there is no attack, i.e., \(a_1^*=a_2^*=0\) is calculated based on Lemma 2. By inserting the value of \(\hat{b}^*_2\) from Lemma 2, we can readily have the following:

$$\begin{aligned} \frac{L_2 \cdot a_{sum} \cdot |G_2| \cdot 1_{\left\{ r \le \frac{L_2}{\hat{b}_2}\right\} }}{L_2\left( D + a_{sum}\right) \left( C_A \cdot a_{sum} + C_D\right) } < \sqrt{\beta \frac{F_2}{C_B}}. \end{aligned}$$

Another condition can be calculated similarly.    \(\square \)