Transcript
There is an hypocrisy at the heart of the cybersecurity industry today.
On one hand, everybody you ask will always give the same advice: never pay ransomware hackers. The FBI explicitly advises companies against paying, and cybersecurity professionals advocate the same line. It’s possible that you’ve heard this sentiment shared at some point right here on this podcast.
But what about when push comes to shove, and there’s no better solution available?
On May 7th, 2021, the Colonial Pipeline system supplying oil and jet fuel to the American southeast was penetrated by a ransomware group called DarkSide. To contain the damage, the entire system was shut down. Many of you American listeners might have experienced the fallout firsthand: in cities and small towns alike, gas station lines piled up dozens of cars deep, even in areas not directly serviced by Colonial, simply because everybody was so worried about running out of fuel.
With panic spreading across the coast, it was the FBI — the same FBI that tells you not to pay ransomware attackers — which negotiated a payment of 4.4 million dollars worth of Bitcoin to DarkSide, within mere hours of the breach. DarkSide provided a restoration tool in exchange and, five days later, pipeline operations resumed.
So what does this tell us about paying ransoms? Should Colonial Pipeline have refused to pay, and remained offline, affecting a third of all Americans? What about you or your company? Should you listen to what the experts say, or follow what they occasionally do?
It’s complicated, but we can model this problem.
Game Theory
Kay-Yut Chen is an experimental economist. Last year, together with two colleagues from the University of Texas at Arlington, he published a paper examining the psychology involved in ransomware attacks, through the lens of game theory.
“[Chen] So game theory is a mathematical theory to look at essentially adversarial interaction, adversarial situations. It is essentially an analysis of what you can do, what I can do, what I can – how I can impact you and how you can impact me.”
Game theory can be applied to any kind of negotiation — in business, politics, or kidnapping in equal part. It provides a framework for analyzing not just how a given party — say, a company — may act in a given scenario, but how they will act knowing that their adversary — say, a cyberattacker — may react one way or another.
Dr. Jingguo Wang, the second author of the report:
“[Wang] So in our case essentially, both the hackers and the defenders, they are individual decision makers. They’re expecting each other’s actions and then takes an extra step.”
What would happen if we took a game-theoretical approach to ransomware?
Let’s imagine a simple scenario — a cyberattacker, and a victim — and consider what their options are.
“[Chen] So in the most simplest way of thinking about the economics of it, it’s just a cost benefit analysis so that the cost is the ransom. The benefit is to get back my business. That has a value on it. [. . .] Every day you lose X million of dollars. You can net present value of that and compare that to if I pay this amount today.”
In the year before their cyberattack, Colonial Pipeline earned a revenue of around 1.3 billion dollars. Their ransom payment was 4.4 million dollars, about 0.33% of 1.3 billion.
“[Chen] So any business school 101 or economics 101 will say if the value that you gain back is higher than the cost of paying the ransom, you do it.”
“[Wang] but as a human and at the same time we may be influenced the other factors. That is to say we want to do good things. We want to look at all the people around us and to see how they are doing and we may also need to factor in let us say what the punishment or what the regulatory requirement that may be forcing us to do.”
At the end of the day, nearly everything about the Colonial Pipeline attack suggested the company should have ceded to DarkSide. Even putting its monetary losses aside, there were legal considerations, and immense costs to the country as a whole which, in the boardroom, must have felt overwhelmingly more important than any mere principle or emotions involved in not wanting to pay criminals.
Even in more ordinary circumstances, though, companies face this same kind of pressure. Like, you might really, really hate the idea of paying cybercriminals, but…
“[Chen] They know that. They want a business model and so they will make it easy for you to pay back.”
Let’s look at it from their perspective.
“[Chen] So imagine that you are attacking us for ransom. There’s only one thing in your mind: is he going to pay it? So you’re basically balancing two things. If I ask for too much money, you may not pay it. If I ask for too little money – I ask for a dollar – you pay it right away but I only got a dollar. [. . .] By the way, this is again using the economics of marketing example. No difference than any pricing decisions that a computer manufacturer is deciding how much he will charge for a computer: charge more, you make more per machine but you have fewer people that will buy it and you will charge less. More people buy it but you get a little bit fewer dollars per machine.”
The best, most advanced ransomware groups perform market research — looking up how much their targets have in their coffers in advance of attacking them. That way, they can ask for very healthy ransoms — like 4.4 million dollars — while knowing that, for the victim, it’s relatively little.
“[Chen] the incentive to actually pay them becomes very, very high because the amount they were asked for couldn’t be much lower than the value that we’ve lost. It is in the self-interest of the company to pay.”
Knowing about their target is also highly useful in negotiations. Often, victims falsely claim that they can’t afford to pay, only for their attackers to cite their balance sheets back to them, as evidence to the contrary.
Not all hackers have the resources or patience to research their victims, or the nature of their operation precludes doing so. For example, some groups use a “spray and pray” approach, infecting as many targets as possible — with generic phishing emails, for example, or by exploiting known vulnerabilities in unpatched, internet-facing servers — then send ransomware to them all, in the hopes that as many as possible will pay. In these cases, the attackers set a standard ransom demand that may fall well short or beyond what any given target might otherwise pay, but tries to optimize profits when considering the whole pool of targets in aggregate.
If we want to get detailed about it, there are a number of other factors that play into the final price that makes the ransom note.
“[Wang] So actually another point that is – it’s a relative cost for them to carry out the attacks. “
For example, an “opportunity cost”: the potential forgone profit from a missed opportunity. Then there are costs to building or buying malware, carrying out infections and negotiations, and paying “staff.” Like any company, these costs need to be baked into the ransom.
In general, though, we have our setup: an attacker and a victim, and a cost that makes it worthwhile for them both to transact. An “equilibrium.”
Humans Are Inconsistent
Nate Nelson, my writer and co-producer:
“[Nate] So we have the ideal theoretical game setup and then you guys have also studied what people actually do. So can you explain to me how we irrational human beings mess up this picture and the difference between what you think in a perfect game theory scenario both parties should do and what actually happens?”
“[Chen] The first thing you notice with humans is humans are not consistent. They have all these other additional things that are going through their mind.”
One component that complicates a ransomware game reaching equilibrium is stubbornness — or, shall we say, moral righteousness.
Consider, as an abstract example, a cyberattacker steals $100 worth of data from you, and demands a $99 ransom. Or even 95, 90, or 80. In a vacuum, you’re losing less by ceding to their demand. But we all know there’s no way you take that deal.
“[Chen] So there is this sense of kind of human fairness. What is appropriate? [. . .] However, imagine that – I mean he could split it 60-40 or 70-30. Whether you pay it or not, it depends a bit on your mood and exactly what you feel at the particular point. So we actually see a lot of noise into these issues.”
In other words, the likelihood that you pay a ransom of $X for Y data depends not just on you and the data in question, but whom you decide to consult about it, and even the kind of day you’re having. Maybe you’ve hardly slept and so you’re on edge. Maybe you just had a big meal and you’re a little more relaxed, and that tips your decision making a little in one direction. You won’t even realize these subtle influences, but they’re there.
There are robust studies, for example, demonstrating that judges are more lenient after lunchtime. And studies that businesspeople are more receptive to paying larger numbers if they’ve been conditioned with an even larger number very recently beforehand.
“[Chen] it becomes a case by case basis. Now you can do statistics on it, so on average what happened and so on and so forth. But we see a distribution and people sometimes do, sometimes pay and sometimes not pay and so on and so forth.”
So there’s no saying what the exact right ratio is for determining whether a ransom is worth paying or not. But attackers have the advantage here, as they possess a number of tools for tipping the scales in their favor.
For example, there’s double extortion — threatening not just to withhold stolen data, but also publish it online, if their demands are not met. Double extortion rapidly gained popularity during the COVID pandemic, and hasn’t reversed since.
“[Chen] locking up your data is a reversible action. I lock up your data. I give you the key. You reverse it. You lose a few data of business, but other than that, that doesn’t harm your basic business. This action, this double extortion to release your data into the wild will – the company will take a hit in terms of the reputation. There might be consequences from the customer like a lawsuit. There may be consequences from the government. So – and once it has happened, you cannot take it back.”
Imagine a healthcare company, or a finance or government organization, and all of the personal data they maintain. The threat of losing that to the dark web may be even more significant than whatever the cost would’ve been for losing and having to replace it.
Ransomware As A Business
Attackers also have more subtle tactics than this, to help convince victims to pay up.
One strange trend that began to emerge at the turn of the decade was that cybercriminals stopped acting like cybercriminals traditionally did. Instead, they presented themselves as businesses: taking on a very professional tone in their emails and text conversations, with fewer childish threats and far more references to “cooperation” and “deals.”
It wasn’t just an act, either — they really did operate more like businesses, with management structures, clean websites, payment portals, customer service representatives, and more.
“[Chen] I mean the thing about it, it is a business, right? They create a problem. They create a problem but they actually are selling a solution and so everything that you think about business, efficiency, c an you get the customer to pay? It’s a little bit perverse but all those ideas are applied. You want to minimize cost, maximize revenue. You want economy of scale.”
The reason they started presenting more like businesses, though, was to solve a specific problem.
Whenever agencies or experts advise companies not to pay ransomware attackers, they always cite the same fact: that paying them doesn’t necessarily guarantee you’ll actually get your data back. Indeed, in many cases, attackers don’t even have a remediation tool for unlocking the data they’ve locked up.
As you can imagine, if the defender pay the money and they still cannot get back the product, get back the data, the system then just like a customer buying a bad product and then bad quality, then nobody is going to trust them in a certain way to continue to pay.
Experts could cite this as a good reason why companies shouldn’t pay their attackers, back when it was true. And victims could look at this as a reason to only pay very small ransoms — anything more would be too much of a risk.
So over time, more and more attackers consciously stuck to their promises — over and over again holding up their part of the deal, and speaking to their victims not as victims to be frightened, but business partners to be dealt with.
So yes, it seems this is quite important for them to maintain a good reputation.
Nowadays, if you’re hacked by one of the brand name ransomware groups — LockBit, for example, or Cl0p — you can most likely expect them to hold up their end of the bargain. That encourages victims to pay, and pay more, because the risk is lower and the likelihood of being able to quickly resume normal business operation is higher.
The picture isn’t quite that simple with lesser-known actors, and with companies that have fewer resources to invest in their cybersecurity.
According to a March survey by Barracuda Networks, 38% of companies that paid their ransoms were attacked for a second time. Some companies that keep paying get hit over and over, as one might expect when dealing with cyber grifters. Anyone who knows this will be less likely to pay their ransom, and even if they do pay, pay less, as doing so may effectively reduce the demands that an attacker might return with in any follow-on attacks.
All of these considerations — all these advantages the attackers have, to exfiltrate and publish data, or come back for seconds or thirds — start to add up, and make the decision making process far more difficult for the victim in our game theory scenario than we’d previously thought, when we said it was just a matter of the ransom versus value of the data lost. This is why it’s so important for companies to try to stack the odds in their favor, even before the game starts. For example…
Cyberinsurance
Let’s add a third wrinkle onto the situation. So ransomware situation, possibility for data exfiltration. Now the victim has cyber insurance.
Cyber insurance seems like it would be a great solution to the problem of ransomware, covering companies for when the worst happens. But Kay-Yut and Jingguo’s next published paper — not released yet, as of the publication of this podcast — will explore the more nuanced ways in which insurance affects the parties to our game.
insurance could be in a possible – still could be a possible risk mitigation tool for the organization regarding ransomware attack but it is not a perfect solution.
“[Chen] The conventional wisdom is that this is like your house insurance, your car insurance. Something bad happened, you suffer a loss and the insurance companies will cover that. [. . .] having said that, from the attacker perspective, it’s actually a completely different story. Again I will contrast that with let’s say that you have a house insurance that you are insured against fire and other natural disasters. Now natural disaster doesn’t have a mind of their own and doesn’t know that you have insurance. It will just hit with some chance and you are basically protected yourself from random chances of a natural disaster. The key difference is that attackers, they have a mind of their own and they can have information. They can react to your insurance.”
A company with cyber insurance will care a lot less about having to pay even a big ransom, and the attacker in our game knows this.
“[Chen] it’s basically like well, you have insurance. Your insurance covers up to a million bucks. You are not going to pay the million bucks. They are.”
Whether a company has cyber insurance or not — and whether that cyber insurance covers ransomware attacks or not — will not necessarily be public information. But companies of a certain size will be more likely to have more robust insurance coverage, and so attackers can play those odds.
Furthermore, as ransomware attacks rise in general, more companies will want insurance to cover it. So more ransomware means more ransomware coverage, thereby, in theory, enabling higher ransom demands.
“[Wang] So that is also a tough situation that nowadays the insurance companies, facing as you may read a lot of news that some insurance companies think that we – do not want to provide coverage on the ransomware attack or they impose a very strict requirement in terms of what to be covered, what not to be covered, relating other ways cyber-attack.”
The Tragedy Of The Commons
We’ve explored thus far how each party to a ransomware attack might behave, under theoretical circumstances. But we haven’t yet addressed the fundamental, root flaw giving power to the attacker player in our game, and crippling the victim player.
“[Chen] Actually there’s an age old term for the situation applied not only to ransomware but similar situation called “tragedy of the commons.”
Imagine a town or a city that wants to build a park.
“[Chen] So if everybody chipped in the 5 bucks, 10 bucks or whatever, that you get a park and everybody can enjoy it. [. . .] However from a private perspective, you don’t want to pay for the park, right? You want somebody else to pay for the park. If everybody else will pay for the park, my little few dollars, my $5, $10, doesn’t really matter that much. Now the standard argument is that if everybody thinks like that, then you have no park. Well, unfortunately, it’s human nature sometimes to look after our own interest.”
The tragedy of the commons has implications for matters so minor as whether you return your shopping cart after leaving the grocery store, and so monumental as whether humanity can ever one day stop climate change.
It is the classic game theory problem. I want to drive instead of taking the train to work, but everybody driving around the world is contributing to the buildup of CO2 in the atmosphere. If I stop driving, it won’t really make a difference at all to the whole planet, but if everybody does, it will, but I can’t make everybody do that.
“[Chen] it’s extremely a hard situation and most of the time, it’s almost impossible to get everybody to either pitch in or band together.”
As we’ve established, sophisticated attackers will set ransoms low enough that it is in the best interest of a victim to pay. By paying, though, the victim is not only encouraging the attacker to attack another victim, but actively funding their efforts to do so. Anyone in Colonial Pipeline’s position would’ve paid the DarkSide group, but those 4.4 million dollars — specifically, the 2.1 million they retained even after U.S. officials managed to seize the rest — could’ve been reinvested in hiring more hackers, building better tools, and carrying out more attacks.
It’s hard to imagine any solution to a tragedy of the commons problem, where the “commons” is the whole world. It’s why every year, when countries get together to discuss climate change, they leave making vague “promises” and hardly any progress.
But we, as a society, have solved tragedy of the commons scenarios before.
“[Chen] in modern society, we do have ways to do some versions of it. We do have parks in the city and a lot of it is done by taxation.”
Like governments taxing citizens to build parks, some experts are exploring how the government, law enforcement, and victims themselves can help solve the ransomware of the commons.
Let’s start with victims. If everybody refused to pay ransoms, ransomware would end tomorrow. But, as we’ve established, it’s not as simple as that. What anyone can do, however, is learn about ransomware, and invest as much as possible in preventing it from ever happening to you.
“[Chen] Make it not worth the while of the attacker to attack. [. . .] Make your security system more robust, so it costs them more to hack into it.”
By investing in effective cybersecurity solutions, implementing robust systems for data backups, and educating employees about cyber hygiene best practices, a company is not only protecting itself, it’s also reducing the pool of potential targets for attackers. If enough companies do this, attackers won’t have enough viable victims to feed their business model. A win-win.
“[Wang] On the other aspect, surely I applaud the FBI’s action nowadays. They’re taking down the ransomware groups. They’re taking down their ecosystems. That would be the most direct way to fight with ransomware attacks.”
U.S. law enforcement has already played a significant role in taking down previously thriving ransomware groups like Conti and Hive.
“[Chen] Find them and prosecute them. That’s a cost of going to jail. [. . .] I think that probably is a direction that we should be thinking is it’s really about how to make it not profitable, how to make them not profitable so they will not do this business anymore.”
A Ban On Paying Ransome?
Governments can also make a difference with policy.
The state government may be introduced or the federal government maybe need to introduce or provide some resources to help those entities or organizations to boost up their security management, security practices. They can set up their own models. They set up benchmarks and minimum standards and things like such – at least the increase in the cost for the hackers to getting to the system.
Every October, for three years in a row now, the U.S. government has convened representatives from around the world on the matter of how to combat ransomware. And just earlier this year — not even for the first time — it considered implementing an outright ban on paying ransoms, with waivers only for critical service providers.
In theory a ban could, on its own, solve the tragedy of the commons problem. As the U.S. national security advisor Anne Neuberger stated in a May presentation, quote: “Fundamentally, money drives ransomware and for an individual entity it may be that they make a decision to pay, but for the larger problem of ransomware that is the wrong decision.” End quote. If you prevent it on the individual level, it fixes the problem on a global level.
But months earlier at a tech conference, Neuberger also explained how, quote, “it is so hard and so much more work needs to be done to improve the security of tech, to improve the cybersecurity of systems, that we’d essentially be pressing victims to make their payments go undercover.” End quote. Cybersecurity already has a reporting problem — forcing companies to put the greater good first might only make it worse.
And even if there were a ban, it might require more than just one law in one country. We saw a microcosm of this in 2022, when the state of North Carolina banned all government agencies from paying ransomware actors, but attacks didn’t slow down. To the threat actors it was nothing — hardly even worth their effort to take one state off its radar.
According to a 2022 report from Sophos, more than half of state and local governments across 31 countries were attacked with ransomware in the year 2021 alone. And a report from the AI threat intel group CloudSEK XVigil indicated that ransomware attacks against governments rose 95% in the second half of 2022, from those already record high levels.
To really solve this problem will require cooperation between all of these countries, at the same time. A kind of international ransomware embargo. Which is why, in advance of its third ransomware summit, the National Security Council called on other governments around the world to publicly commit to never paying cyber ransoms again.
It remains to be seen now whether, after whatever the next Colonial Pipeline attack may be, they’ll have the backbone to stick to that promise. Or if like the players in our theoretical game, they’ll simply settle on another, more acceptable equilibrium.
