Game Theory of Data-selling Ransomware
Zhen Li and Qi Liao2,*
1Department of Economics and Management, Albion College, USA
2Department of Computer Science, Central Michigan University, USA
E-mail: zli@albion.edu; liao1q@cmich.edu
*Corresponding Author
Received 23 November 2020; Accepted 01 December 2020; Publication 10 March 2021
We are experiencing the worst years of ransomware attacks, with continuing news reports on high-profile ransomware attacks on organizations such as hospitals, schools, government agencies and private businesses. Recently a few ransomware attackers have gone beyond simply encrypting files and waiting for ransom. They threaten to release the data if the victims refuse their ransom request. In this paper, we propose a hypothetical new revenue model for ransomware, i.e., selling the stolen data rather than publishing the data for free. Through a game-theoretical analysis between attackers and victims, we contribute a novel model to understand the critical decision variables for the proposed data-selling ransomware (which we refer to as “ransomware 2.0”) that sells data as well as demands ransom. We compare the role of reputation and the profitability of the data-selling ransomware with traditional ransomware (“ransomware 1.0”) that demands ransom only and the data-threat ransomware (“ransomware 1.5”) that demands ransom under the threat of releasing data for non-compliance. Both theoretical modeling and simulation studies suggest that in general both ransomware 2.0 and 1.5 are more profitable than ransomware 1.0, while ransomware 2.0 is always more profitable than ransomware 1.5. Notably, common defensive measures that may work to eliminate the financial incentives of ransomware 1.0 may not work on ransomware 2.0, in particular the data backup practice and the never-pay-ransom strategy. Our findings also suggest that the uncertainties created by this new revenue model may affect attackers’ reputation and users’ willingness-to-pay; therefore, ransomware 2.0 may not always increase the profitability of attackers. Another finding of the study suggests that reputation maximization is critical in ransomware 1.0 and 1.5, but not in ransomware 2.0, where attackers could manipulate reputation for profit maximization.
Keywords: Cybersecurity, ransomware, ransomware 1.0, ransomware 1.5, ransomware 2.0, game theory, data selling, data threat, reputation, economics, revenue model, profit optimization.
Ransomware as a class of malware has lately emerged as a major cybersecurity threat. The malware infects victims’ computers, disables access to system and data files through encryption, and demands a ransom payment for the return of computer functionality and data. Ransomware is believed to be highly lucrative [25]. In 2019, the U.S. was hit by an unprecedented wave of ransomware attacks that impacted at least 113 state and municipal governments and agencies, 764 health care providers, 89 universities, and 1233 schools. The potential cost of these attacks was estimated at $7.5 billion [3]. In CyberSecurity annual reports, ransomware is listed as one of the top three cyberthreat concerns four years in a row (2017–2020) [12].
There are thousands of different ransomware strains in existence, varying in design and sophistication [8]. The first ransomware attack dates back to 1989; it spread via floppy disks and involved sending money to a post office to pay the ransom [6]. The concept of file-encryption ransomware became known as so-called “cryptovirology” in a 1996 IEEE Security & Privacy paper [26]. However, such practice remained relatively uncommon until the mid 2000s [16]. Since then, ransomware has been automated and professionalized. Traditional ransomware relies on encrypting information on the victims’ computer to demand a ransom payment. Recently, a new version of ransomware was found that is armed with browser and email password-stealing features. While it does encrypt data, it uses a variety of methods to steal credentials from each of the targeted applications [1]. Ransomware attackers have threatened to publicly release stolen data if the victims choose not to respond to their ransom demands [2, 20].
In this paper, we propose a new revenue model for ransomware, i.e., selling the stolen data in addition to demanding ransom. We refer to it as ransomware 2.0 for data-selling ransomware, as opposed to ransomware 1.0 for traditional ransomware (demanding ransom only) or ransomware 1.5 for data-threat ransomware (threatening to publish data if ransom is not paid). It is imperative to understand what changes ransomware 2.0 may bring to the ransomware business model. To that end, we conduct game-theoretical modeling of ransomware 1.0, 1.5 and 2.0 in order to study the strategic decision-making by victims/users and the profit-driven ransomware attackers. The attacker holds both the stolen data and the locked files in order to gain profit, either from ransom payments by victims or from selling data to potential buyers, or both. The best response by the victims is studied under the assumption that decryption is not guaranteed, as there have been reports of victims paying the ransom but not receiving the decryption key [1]. It is even more uncertain whether the attacker will keep the stolen data confidential. We explore the role of reputation for ransomware; in particular, we derive the profit of ransomware 2.0 in three cases: the attacker has no reputation, perfect reputation, and imperfect reputation; and we compare the profitability of all variants of ransomware (1.0, 1.5 and 2.0).
Our model and simulation studies suggest that ransomware 2.0 is definitely more profitable than ransomware 1.5, and that ransomware 2.0 in general is more damaging and can make cybercrime even more lucrative, as selling potentially valuable data generates an additional revenue source for the attackers. For both ransomware 2.0 and 1.5, the threat of data leakage increases the victims’ willingness-to-pay and hence generates more ransom revenue than ransomware 1.0, provided the data threat does not negatively affect the value of the locked files to the victims. However, if the market value of the stolen data is limited, and/or if the uncertainty of data leakage reduces the value of the locked files to the victims, then ransomware 2.0 and 1.5 may actually be worse for the attackers. Reputation maximization leads to profit maximization in both ransomware 1.0 and 1.5; for instance, to maximize ransom revenue in ransomware 1.5, the attacker shall always leak the data if ransom is not paid and not leak the data if ransom is paid. However, having a perfect reputation in ransomware 2.0 is not necessarily profit maximizing. The attacker needs to play strategically.
The contribution of this work lies in the novel game-theoretical ransomware 2.0 model with data selling as an additional revenue source. Contrary to common belief, our findings suggest that ransomware 2.0 and 1.5 may not always be more profitable than ransomware 1.0 due to the rising uncertainties. Another counterintuitive finding of our study is that not trying to be reputable may actually bring more profit in the ransom business. This paper is among the first attempts to explore the effects of numerous important factors on the profitability of the new data-selling ransomware. The game-theoretical analysis may provide insights for designing defensive measures against the ever evolving malware and ransomware business.
The rest of the paper is organized as follows. Section 2 reviews related literature. Section 3 conducts the game-theoretical analysis of ransomware 2.0. It starts from the fundamental assumptions to specify the game scenarios. It then develops the model in steps to analyze the potential impacts of the data-selling ransomware in three cases of varying reputation of the attacker. It also applies the game-theoretical framework to study the best strategies of the data-threat ransomware 1.5. Based on the modeling analysis, Section 4 conducts a simulation study that illustrates the profitability of ransomware 2.0 in different cases and relative to ransomware 1.0 and ransomware 1.5. Section 5 concludes our work.
Ransomware has recently taken center stage as one of the most prevalent cybercrimes. Various reports demonstrate the enormous burden placed on individuals and institutions [25]. Recent attacks on famous organizations were discussed with respect to monetary loss involved in those attacks [5]. As cybercriminals are constantly on the lookout for new attack vectors, the recent COVID-19 pandemic is no exception. Healthcare systems and financial systems are being attacked with ransomware through COVID-related content [13].
Given the significant growth and damaging effects of ransomware attacks, it is important to develop prevention and protection mechanisms. Researchers have conducted surveys on ransomware taxonomy and countermeasures [4] and on the evolution of ransomware [24], its life cycle and its relation to the Situational Awareness (SA) concept; the latter also provides a classification of ransomware articles based on detection and prevention approaches. The evolution, prevention and mitigation of ransomware in the context of the Internet of Things (IoT) has also been surveyed [15]. As with any malware, technical mechanisms to defend against ransomware attacks are on the front line. For example, file system activities may be monitored for I/O requests and the Master File Table may be protected to detect zero-day ransomware attacks [17].
In addition to technical approaches, there has been recent research that uses economics and game theory to study ransomware behavior. An economic analysis of ransomware [14] reveals the relationship between the valuation distribution among the population and the optimal ransom demand. The study examines the impact of different price discrimination strategies, which can help in estimating an optimal ransom value. Since ransom payments are often made in Bitcoin, data collected from Bitcoin transactions on the public blockchain put the market for ransomware payments at a minimum worth of USD 12,768,536 (22,967.54 BTC) from 2013 to mid-2017 [22].
A game-theoretical model of the ransomware ecosystem [18] was first developed with emphasis on the decision of companies to invest in backup technologies and on the degree to which backup investments can serve as a deterrent for ongoing attacks. Using game theory to model the strategic play of ransomware criminals and victims, researchers can understand potential prevention measures and further investigate similar types of cybercrime [9].
A study of the role of reputation suggests that it is optimal for the criminal to build a good reputation and always return the files [10]. How victims form beliefs influences the victims’ intention to pay the ransom. A trust model shows that trust in the attacker and reasonable ransom demands positively influence the victims’ intention to pay the ransom [27].
While kidnapping and blackmail are typically studied in a terrorist context [23], ransomware may be modeled as kidnapping. The kidnapping aspect of ransomware was acknowledged at a practical level, and models of hostage taking were extended to study the role of irrational aggression and crime deterrence [11]. The game-theoretic literature on kidnapping and blackmail gives insight into the optimal ransom that criminals should charge and the role of deterrence through preventative measures.
In line with the economics and game-theoretic research on ransomware, we extend our earlier work [19] with a new game model for data-threat ransomware (1.5) and an additional simulation study to compare its profitability with both traditional ransomware (1.0) and data-selling ransomware (2.0). We build the first game-theoretical ransomware model with data selling as an additional revenue source, with which we study the potentially new type of ransomware that uses the stolen data either as a threat to make victims pay ransom or as an asset for attackers to monetize. The findings of this study may give insights to help the development of defensive measures against the ransomware of the future. Notably, the common advice of nearly all ransomware literature is a mitigation such as backup technologies [18]. While sufficient data backup has the potential to deter traditional ransomware, it has little effect on the newly proposed ransomware models, which also release or sell the stolen data.
In this section, we first lay out the background and assumptions to specify the ransomware attacks that will be analyzed. We then develop the game-theoretic models in three cases of varying reputation of the attacker. We compare the profit of the data-selling ransomware (2.0) with that of traditional ransomware (1.0) in each case.
While ransomware may be classified into Scareware, Lock-Screen, and Encrypting, the most common form of ransomware is file-encryption ransomware [6]. We consider a potential add-on to this type of ransomware in which not only are files encrypted, but all or a subset of the data is also transferred to a cloud storage controlled by the attacker. The victims face dual threats: the threat of losing access to files and the threat of leaked data. Hereinafter, we use the phrase “returning files” or “unlocking files” to refer to the situation where the attacker delivers decryption keys to remove restrictions on a victim’s computing resources and files. We use the phrase “selling data” to refer to the situation where the attacker sells the stolen information to a third party. Figure 1 illustrates this data-selling ransomware.
The attacker has numerous ways to dispose of the data: release the data to the public for free, sell the data for revenue, or keep the data confidential (do nothing). We assume the attacker is money driven, so that the attacker will sell the data if doing so is more profitable. As seen from past ransomware attacks, we assume there is no negotiation or bargaining opportunity. Once hit, the victims face two options: pay the ransom demand or do not pay. If the attacker does not return the files, then all encrypted files are lost for good.
There is a cost of returning files and/or selling data. The cost of returning files may include the cost of delivering the decryption key to the victims and the cost of guiding the victims on how to recover files and dealing with queries about files that fail to recover. The cost of selling data includes the search for potential buyers, delivery channels, and other costs of data-related transactions. In addition, the current underground ransomware practice involving cryptocurrencies via distributed blockchain technologies suggests that the probability of facing punishment for a ransomware attack is very low across legal jurisdictions.
The ransomware game is a sequential, multi-stage game involving the attacker and the victims. The timeline of the game is as follows. Stage 1: The attacker launches a successful ransomware attack on victims. This is the starting point of the game. The infected machines lose access to files and get confidential data stolen. The attacker demands a ransom payment , which the victims take as given. Stage 2: After observing , the victims decide whether to pay the ransom or not to pay it. This stage is the victims’ decision-making on the ransom payment. Stage 3: Upon observing the victims’ decision on ransom payment, the attacker chooses whether to return files to the victims. Stage 4: The attacker determines what to do with the stolen data, to sell it or do nothing. Both stages 3 and 4 are the attacker’s follow-up decision-making.
Let be the victim’s choice of paying ransom in Stage 2.
(1) |
Let be the attacker’s choice of returning files in Stage 3.
(2) |
Let be the attacker’s choice of selling data in Stage 4.
(3) |
Consider a representative victim . The payoff (profit) the attacker expects to receive from victim is
(4) |
where is the cost of returning files to the victims. is the data transaction cost. is the market value of the data stolen from victim . We define as the data profit of the attacker where
(5) |
The payoff (utility) of victim is
(6) |
where is the value of the locked files to the victims. is the loss to the victims if the stolen data is sold.
The key difference between the data-selling ransomware and traditional ransomware is the existence of the stolen data. Numerous questions arise. Will ransomware be more profitable with the new feature? Will the victims change their willingness-to-pay the ransom? Will the attacker keep the stolen data confidential? If the victims do not expect the attacker to keep the data safe, why should they pay the ransom? To address these questions, we need to compare the data-selling ransomware to traditional ransomware and show the difference between game outcomes and payoffs.
and are the decision variables in traditional ransomware game. The game of traditional ransomware has four possible outcomes. The payoff matrix of traditional ransomware is as in Table 1. Since the strategy variables (, and ) are binary, the game of data-selling ransomware has eight possible outcomes. The attacker’s and victim ’s payoffs to different outcomes are in Table 2. The goals of both the attacker and the victims are to maximize their expected payoffs, which depend on the game outcomes.
Table 1 The payoffs to different outcomes in the traditional ransomware game
Outcome | Attacker () | Victim () | |
Table 2 The payoffs to different outcomes in the data-selling ransomware game
Outcome | Attacker () | Victim () | ||
0 | ||||
0 | ||||
In the ransomware game, the victims are in a disadvantageous position. As Tables 1 and 2 show, the best possible outcome for the victims is to receive a zero payoff. This would be the case if the attacker returned files for free, and would not sell the stolen data. In all the other cases, the victims suffer a negative payoff.
As a baseline case, we model a one-shot game with no need for the attacker to build reputation. The attacker’s decisions in Stages 3 and 4 are independent. Let us derive the game outcome using backward induction from the last stage of the game, i.e., Stage 4.
Proposition 1: In the baseline model, the attacker sets if and if .
The attacker sells the stolen data whenever the market price of the data exceeds the transaction cost. The attacker receives a net gain of from the victims whose data is worth more than the transaction cost in the market. The attacker receives a payoff of from the victims whose data is worth less than the transaction cost. Now we examine the subgame that begins at Stage 3. The reduced payoff is as in Table 1.
Proposition 2: In the baseline model, the attacker sets .
We can see from Table 1 that not returning files to the victims is always the dominant strategy for the attacker regardless of ransom payment. When reputation is irrelevant, the attacker has no incentive to return files.
The victims’ ransom payment decision in Stage 2 critically depends on the victims’ belief that the attacker will honor the ransom payment. In the baseline model, taking the money and running is the dominant strategy of the attacker. Expecting the attacker to default, the victims will choose not to pay the ransom in Stage 2.
Proposition 3: In the baseline model, the victims set .
Combining Propositions 1 to 3, the baseline model between the attacker and one victim has two possible outcomes: if , and if .
The total profit of the attacker to receive from all victims in the baseline model is
(7) |
Victim ’s utility is if and if .
For traditional ransomware, the game outcome of a one-shot model is {}. The attacker’s profit is and victim ’s payoff is . If the attacker’s reputation is irrelevant, the data-selling ransomware is more profitable than traditional ransomware. The two strains of ransomware would only be equivalent if none of the stolen data were marketable enough, which is not likely to occur.
Therefore, even if the ransom payment is zero, the attacker may still receive financial benefits as long as the market value of the stolen data exceeds the cost of selling data. This is arguably the biggest advantage of the data-selling ransomware (2.0) compared to traditional ransomware (1.0). Thus some defensive measures that may work to eliminate the financial incentives of ransomware 1.0 may not work on ransomware 2.0, in particular the data backup practice and the never-pay-ransom strategy.
Data backup has been widely considered the most effective strategy to mitigate the loss of ransomware [6, 7]. Having a comprehensive data backup process may effectively protect the victims from the threat of traditional ransomware. The victims could simply ignore the ransom note and have a fresh start with the backed-up files. Data backup, however, will not work as effectively against the data-selling ransomware. The victims are exposed to the risk of data leakage. Even if the files are fully backed up, the attacker may gain from selling the valuable data. Data backup will not eliminate the financial incentives of the data-selling ransomware.
Similarly, the never-pay-ransom strategy may work for traditional ransomware, since if no one pays, ransomware becomes unprofitable. Therefore, a practical strategy for the victims of traditional ransomware is always to say no to the attacker. However, the never-pay-ransom strategy would not work for the data-selling ransomware because attackers can almost always gain from selling data. The never-pay-ransom strategy does not remove the financial incentives of the new ransomware.
In both cases of data backup and never-pay-ransom, the profit of traditional ransomware is zero with no ransom payment, but the profit of the data-selling ransomware can be positive. Nevertheless, this does not imply that the data-selling ransomware is always more profitable than traditional ransomware. The equilibrium outcome of the baseline model is optimal for neither the attacker nor the victims. If there were trust, the victims could benefit from paying the ransom for any . The attacker could benefit from returning files and keeping data confidential for any . Since the value of files to the victims is highly likely to exceed the attacker’s cost of returning files, there exists a range of ransom that can be mutually beneficial. The attacker would be better off receiving a ransom higher than the cost of returning files. The victims would be better off paying a ransom in exchange for files that are worth more than the ransom. However, this “win-win” (when compared to the baseline equilibrium outcome) situation requires cooperation of the two parties and the victims to trust the attacker. The attacker cannot ignore reputation if ransomware is to be a sustainable business model.
Reputation matters when the outcome of the game between the attacker and one victim affects the choices of other or future victims. It can be in the attacker’s interest to build up a reputation because any short-term gain from taking the money and running may be offset by the unwillingness of other victims to pay any ransom.
Proposition 4: In the perfect reputation model, the attacker sets and if ransom is paid; the attacker sets and if ransom is not paid and .
To illustrate the role of reputation, suppose the attacker is endowed with a reputation such that the attacker honors the agreement with the victims, with no need for the agreement to be self-enforcing. The strategy the attacker shall follow, in response to the victims’ choice, would be straightforward: return files and keep the stolen data confidential if the ransom is paid; or delete the files and sell the data if the ransom is not paid.
Proposition 5: In the perfect reputation model, victim sets if and if .
When the victims trust the attacker, the victims’ willingness-to-pay the ransom is . By paying the ransom, the victims avoid both the file loss and the data loss.
Suppose there are victims who set . The profit of the attacker is
(8) |
For traditional ransomware in the case of perfect reputation, the victims’ willingness-to-pay the ransom is capped by and the profit of the attacker is . Recall the victims’ willingness-to-pay the ransom is in the baseline case with no trust. Building reputation can be rewarding to the attacker by increasing the victims’ willingness-to-pay the ransom.
The attacker of the data-selling ransomware receives the same profit from the victims who choose to pay the ransom. For the victims who choose not to pay the ransom, the attacker’s profit increases for the data-selling ransomware, compared to the profit of traditional ransomware. Compared to traditional ransomware, the data-selling ransomware is therefore more profitable.
In summary, if the attacker has perfect reputation, the data-selling ransomware is more profitable than traditional ransomware. However, it is difficult for the attacker to build perfect reputation in the underground economy. In reality, although many victims who do not pay the ransom may end up losing their files, victims who do pay may not necessarily retrieve their files. Recent evidence suggests that in 2019 about victims who pay the ransom recovered their files [12]. Next we extend the model to a competitive setting, and examine how the data-selling feature of ransomware may add extra uncertainty to an already risky environment.
The victims’ willingness-to-pay ransom depends on the attacker’s reputation. The victims estimate the credibility of the attacker based on the attacker’s past record regarding delivering decryption keys and keeping the stolen data safe, e.g., by crawling personal and social networks, forums, search engines, media reports, etc. Suppose the past record of the attacker indicates that the attacker has a percentage chance of returning files upon ransom payment and a percentage chance of keeping the stolen data confidential upon ransom payment.
A representative victim’s expected utility in the risky environment is
(9) |
From Equation (9), the victim receives a payoff of if not paying ransom (, , ). The victim’s expected utility is if paying (). Apparently, the victims will choose to pay the ransom if doing so generates a higher expected payoff, i.e., if . That leads to Proposition 6.
Proposition 6. In the competitive game, the victims will choose to pay ransom if .
Proposition 6 specifies the victims’ willingness-to-pay in the imperfect reputation case. There are two parts of the victims’ willingness-to-pay, the expected value of the locked files and the expected value of the stolen data. The no-reputation case and the perfect-reputation case are two special cases of the general expression: for the former and for the latter. The reputation of the attacker increases the victims’ willingness-to-pay.
The attacker’s profit with one victim is
(10) |
From Equation (10), the attacker will receive a profit of from a victim if ransom not paid, and a profit of if ransom paid.
Suppose victims choose to pay the ransom, the expected profit of the attacker among all victims is
(11) |
Proposition 7. In the competitive game, the attacker sets if and otherwise.
is the upper-bound on the potential increase in ransom demand with data threat. If the expected ransom gain is no higher than the profit of selling data, the attacker chooses to sell data. Suppose the condition holds true for out of victims, the attacker has the likelihood of to keep the stolen data confidential for a random victim.
In the baseline model, it is optimal for the attacker not to return files. In the cooperative game, the attacker should always return the files with ransom payment. When the game is competitive with imperfect reputation, it may not be optimal to always return files with ransom payment or never to return.
Proposition 8. In the competitive game, the attacker shall return files with ransom payment if .
Comparing the profit of ransomware in the cooperative game and the competitive game, as in Equations (8) and (11), it is ambiguous which is more profitable. The attacker faces dual tradeoffs. The first is common to ransomware: the tradeoff between building reputation and gaining from default. The second is unique to the data-selling ransomware: the tradeoff between ransom demand and the revenue from selling data.
For example, suppose the number of victims who are willing to pay the ransom is the same in the two games, i.e., the two ’s in Equations (8) and (11) take the same value. The ransom demand is in the perfect reputation game and in the competitive game. Then
(12) |
In the competitive game with imperfect reputation, the attacker may gain from the saved cost of returning files () and selling the stolen data (). The sacrifice is a potential loss in ransom (). The data-selling component of ransomware adds uncertainty to the competitive game. It not only strengthens the existing tradeoff, it also adds a new layer of tradeoff to the game, applicable to both the attacker and the victims.
In this section, we study the best strategy of the attacker when the sensitive data is used merely as threats rather than revenue-generating sources (i.e., ransomware 1.5) and compare the revenue model with ransomware 1.0 and 2.0. In this context, we redefine the parameter as the attacker’s choice of releasing the data rather than selling the data in Stage 4.
(13) |
Similar to the data-selling ransomware game, the victims have one control variable regarding ransom payment, i.e., . From the attacker’s perspective, the attacker responds to the victims’ ransom payment choice by deciding on the parameters and . The attacker still has two control variables, but rather than considering whether to sell the data, the attacker decides whether to release the data.
We solve the model using backward induction by studying the best response of the attacker in Stage 4 regarding releasing data.
The attacker’s profit with a representative victim in this case (denoted as ) is
(14) |
Comparing Equation (14) with Equation (10), the attacker’s profit from the victim depends on the victim’s ransom payment choice and the attacker’s response of returning files. Since the attacker does not sell the data for money, there is no additional income from data selling. Given the cost of returning files and the attacker’s choice of returning files, the attacker’s profit depends on the victim’s choice of ransom payment.
Apparently the choice of releasing the data for free rather than selling the data for profit affects the profitability of the ransomware to the attacker. For the victims though, it makes no difference whether the attacker releases the data for free or for money. As long as the sensitive data is leaked, the victims suffer the same loss of data leakage. The victims’ willingness to pay the ransom stays at where in the context of releasing data for free, represents the percentage of the chance the attacker does not release the data. The victims’ choice of ransom payment is the same as in the general competitive ransomware game, as stated in Proposition 6.
The expected data-threat ransomware profit is the added-up net ransom income from the victims choosing to pay the ransom:
(15) |
where is the number of victims for whom .
The victims’ willingness to pay is increasing in . Without loss of generality, we assume there is no cost of releasing data for the attacker. In other words, the attacker does not lose or gain financially from releasing the data per se. The benefit of the data leakage threat is to increase the victims’ willingness to pay. As the attacker receives revenue only from the ransom payment, it is optimal for the attacker to maximize the victims’ willingness to pay by playing truthfully regarding data release, i.e., the attacker sets when the victims choose to pay the ransom and vice versa. This leads to the following proposition.
Proposition 9. In data-threat ransomware 1.5, the attacker plays truthfully regarding releasing the data, i.e., the attacker sets if the ransom is paid and if the ransom is not paid.
At , the maximized profit of the data-threat ransomware is
(16) |
where is the maximum number of victims choosing , for whom .
In summary, ignoring the possibility of monetizing the stolen data removes one layer of uncertainty from the ransomware game. For the attackers, data-threat ransomware is always worse than data-selling ransomware. On the other hand, to make the data leakage threat effective, the attacker must build a reputation for actually leaking data. This is consistent with the rising number of real cases in which victims’ data are leaked after they deny the ransom request [21]. The never-pay-ransom and data backup strategies also may not work on data-threat ransomware, because the victims would suffer the additional loss of data leakage. Even if the victims have a full data backup, they may still be willing to pay the ransom, provided the ransom request is no higher than the expected loss from data leakage.
In this section, we compare the profit of the data-selling ransomware to traditional ransomware and data-threat ransomware with simulation experiments in three cases discussed in Section 3: the baseline game model with no reputation, the cooperative game model with perfect reputation, and a general competitive game model with imperfect reputation.
The profit formulas of traditional ransomware and the data-selling ransomware in the three cases are in Table 3 where is the number of victims choosing to pay the ransom. It varies from case to case. Note the profit formula of the data-threat ransomware is the same as traditional ransomware because the two types of ransomware both gain from only ransom payments.
Table 3 The comparison of profit between the traditional ransomware and the data-selling ransomware
various cases of reputation | traditional ransomware | data-selling ransomware |
Suppose there are victims, and the ransom demand is . The victims’ valuation of the locked files () and the stolen data () are randomly generated in the range from to . Without loss of generality, we set the cost of returning files at , the cost of selling data at , and .
We first study the data-threat ransomware case, where the stolen data is merely used to force ransom payment instead of being sold for money. Figure 2 illustrates how the ransomware profit changes with the attacker’s probability of leaking data after ransom payment, at various probabilities of returning files. As can be seen, regardless of the attacker’s decision about returning files, the ransomware profit is maximized at , i.e., always keeping the data confidential, and decreases as decreases. The result is consistent with the theoretical prediction in Section 3.6. In addition, always unlocking/returning the data to the victim once the ransom is paid () performs consistently better than and , both of whose profits drop to zero once the probability of data leakage becomes high. However, the profit of the always-returning case flattens but never reaches zero, even at a very high data leakage rate.
As the attacker’s revenue comes only from ransom payment, the optimal strategy of the attacker is to play truthfully with data leakage to maximize the victims’ willingness to pay with the maximum possible data leakage threat. In other words, the effective data leakage threat depends on the credibility of the threat. It is profit maximizing for the attacker to build reputation about data leakage, not only to increase the willingness to pay of current victims, but also to form the expectations of future victims. All in all, the attacker of the data-threat ransomware faces no tradeoff between ransom income and data selling income when the attacker’s option is between releasing the data for free or keeping the data confidential. Although the data-threat ransomware game is less uncertain than the data-selling ransomware game, it is certainly not as profitable.
Figure 3 compares the profit of the data-threat ransomware with the data-selling ransomware at various data leakage rates, given the probability of returning files at . When the attacker has perfect reputation, the traditional ransomware profit is 675, as illustrated by the horizontal line. As the figure shows, while both are more profitable than traditional ransomware, the data-selling ransomware is always more profitable than the data-threat ransomware. The results suggest that regardless of the probability of returning data, the data-selling ransomware is more profitable than the data-threat ransomware, while the latter is more profitable than traditional ransomware.
At the specified parameters and randomly generated values of and , the profit of the data-selling ransomware in the case of no reputation () is (earned from selling data), compared to for traditional ransomware. In the case of perfect reputation (), a victim chooses to pay the ransom if for traditional ransomware. The simulation results show that victims choose to pay, generating a profit of at per-victim profit of . For the data-selling ransomware, a victim chooses to pay the ransom if . The simulation results show that victims choose to pay, generating a ransom profit of . Meanwhile, the attacker receives an additional profit of from selling the data of the victims who do not pay the ransom, bringing the profit of the data-selling ransomware to a total of .
Therefore, the data-selling ransomware is more profitable than traditional ransomware in both the no-reputation case and the perfect-reputation case. The increase in profit comes from the increased number of victims paying the ransom and the additional revenue from selling the stolen data.
In the imperfect-reputation case, the victims’ willingness-to-pay is capped at . Given the victims’ valuation of the locked files and the stolen data, the attacker’s choices of returning files () and selling data () determine the number of victims choosing to pay the ransom. The attacker faces a tradeoff between ransom income and data income when setting and . If the attacker sets higher probabilities of returning files and keeping the data safe, the attacker will gain from increased ransom payments but lose from forgone data income.
Table 4 Profitability of the data-selling ransomware at a probability of returning files
| Prob. of selling data | n | Ransom Profit | Data Profit | Ransomware Profit |
|---|---|---|---|---|
| 0 | 21 | 997.5 | 47 | 1,044.5 |
| 0.1 | 21 | 997.5 | 144.1 | 1,141.6 |
| 0.2 | 20 | 950 | 274 | 1,224 |
| 0.3 | 20 | 950 | 367 | 1,317 |
| 0.4 | 17 | 807.5 | 542.2 | 1,349.7 |
| 0.5 | 14 | 665 | 659 | 1,324 |
| 0.6 | 11 | 522.5 | 802.4 | 1,324.9 |
| 0.7 | 7 | 332.5 | 922.3 | 1,254.8 |
| 0.8 | 3 | 142.5 | 1,000.8 | 1,143.3 |
| 0.9 | 0 | 0 | 1,018 | 1,018 |
| 1 | 0 | 0 | 1,018 | 1,018 |
We first study how the probability of selling data affects the ransomware profit at various probabilities of returning files. The simulation results illustrate the tradeoff that the attacker faces when setting and , as in Figure 4. There are five data series in the figure. The two flat lines are the data-selling ransomware profit in the no-reputation and perfect-reputation cases, for reference. The other three curves illustrate how the data-selling ransomware profit changes when the probability of selling the stolen data changes, given a certain probability of returning files ().
Because of the tradeoff between ransom revenue and data revenue, none of the three curves is monotonic. Increasing the probability of selling data is not necessarily profit increasing because it decreases the victims’ willingness-to-pay the ransom. Since a lower also decreases the victims’ willingness-to-pay, the profit-maximizing probability of selling data appears to be at a low or moderate level when is smaller. When is big, a higher probability of selling data tends to be more profitable because a high helps maintain the victims’ willingness-to-pay the ransom while the attacker gains additionally from selling data.
Table 4 shows an example of the profitability of data-selling ransomware at . The table lists the number of victims choosing to pay the ransom (), the profit from ransom payments, the profit from selling data, and the total profit of the data-selling ransomware when the probability of selling data () increases from to . As the probability of selling data increases, the number of victims choosing to pay the ransom decreases, which lowers the ransom profit while raising the data profit of the attacker. The last column is the total profit that ransom payments and data sales generate for the attacker, as illustrated in Figure 4.
Now we study the effects of the file-returning probability on ransomware profit at various data-selling probabilities, as shown in Figure 5. The two flat lines are the data-selling ransomware profit in the no-reputation and perfect-reputation cases for reference. The other three curves illustrate how the data-selling ransomware profit changes when the probability of returning files changes, given a certain probability of selling data ().
The results confirm the tradeoff the attacker faces when setting and . Increasing the probability of returning files increases the victims’ willingness-to-pay the ransom, generating more ransom income but potentially reducing data profit. The probability of selling data for the victims who do not pay the ransom is , but the probability of selling data for the victims who pay the ransom is . As more victims pay the ransom, the data profit decreases, but not by as much. Although there are fluctuations, overall the data-selling ransomware is more profitable when the attacker increases the probability of returning files, at a given probability of selling data.
Based on the above results, we summarize that data-selling ransomware is always more profitable than traditional ransomware in both the no-reputation and perfect-reputation models. For traditional ransomware, it is profit maximizing to build perfect reputation by always returning the data files. Building perfect reputation is not necessarily profit maximizing for the data-selling ransomware, because the attacker faces a tradeoff between gaining from ransom and gaining from selling data. The relative profit of ransomware in the imperfect-reputation case is nondeterministic, as shown in Figures 4 and 5. This implies that the optimal strategy of the attacker is a mixed strategy with certain combinations of and , in accordance with the victims’ valuation of locked files and stolen data.
From a game-theoretical point of view, the ransom demand can also be a strategic choice by the attacker. This simulation studies how the ransom demand affects the profit of traditional and data-selling ransomware, at various levels of data leakage threat.
Figure 6 illustrates how the profits of both traditional (bottom curve) and data-selling ransomware (top three curves, at various data-selling rates) change with the choice of ransom demand. The results suggest that the profit-maximizing ransom demand for both traditional and data-selling ransomware is around the mean of the estimated ransom of all victims. The data-selling ransomware performs better than traditional ransomware for all ransom demands.
Since the values of and are randomly generated between and , the profit-maximizing ransom demand of traditional ransomware is (the average of all the victims’ willingness-to-pay), generating a profit of . To generalize, if the victims’ willingness-to-pay is evenly distributed between and , then the profit-maximizing ransom request is the simple mean of the victims’ willingness-to-pay, i.e., . For the data-selling ransomware, the range of plausible ransom demand is between and at ; the profit-maximizing ransom demand for the data-selling ransomware is at .
In an ideal world with perfect information, where the attacker studies each victim personally, the attacker would receive the maximum possible profit by demanding from each victim a ransom equal to that victim’s individual willingness-to-pay. Nevertheless, price differentiation is often not feasible for the attackers, especially when the attacker faces a large number of unknown victims. In such cases, the attacker may have to demand the same ransom from all victims. The optimal ransom would then equal the average willingness-to-pay of all the victims, or equivalently, the willingness-to-pay of an average victim.
The attacker uses a best guess to estimate the victims’ average willingness-to-pay. The attacker may select a representative victim to estimate that victim’s willingness-to-pay, or use a weighted average. For instance, if the attacker believes a fraction of victims are willing to pay , a fraction of victims are willing to pay , and the remaining victims are willing to pay , then the optimal ransom would be .
Under the threat of data leakage, as in data-selling and data-threat ransomware, victims may not value the locked files as much as in traditional ransomware. This may adversely affect the victims’ willingness-to-pay. For example, a leaked customer database becomes less valuable to the victim, since the leak forces password resets for all customers or the closing of accounts. The decreasing victims’ willingness-to-pay may negatively affect the relative profit of the data-selling and data-threat ransomware.
When factoring in the plausible negative effect of data threat on the value of locked files, the leftover value of the files is a fraction of the data-threat-free value of the files, where . A representative victim’s expected utility is
(17) |
From Equation (17), the victim receives a payoff of if not paying ransom (, and ). The victim’s expected utility is if paying (). The victims will choose to pay if doing so generates a higher expected payoff, i.e., if .
We study how affects the profit of the data-selling ransomware with the same randomly generated values of and as above. During simulation, and are drawn from the same range between and . Let ransom demand be and . The profit of the data-selling ransomware remains at in the no-reputation case, regardless of as the attacker profits only from selling the stolen data. In the perfect-reputation case, the victims’ willingness-to-pay is . We let to vary from to to calculate the profit of the data-selling ransomware.
Figure 7 shows the results. The flat line is the profit of traditional ransomware in the perfect-reputation case, for reference. The other three curves are the profit of the data-selling ransomware at various probabilities of selling data. The general trend is that the profitability of the data-selling ransomware decreases as the victims’ valuation of their data decreases. At any given , not selling data is the least profitable option, because the attacker cannot offset the lost ransom income with revenue from selling the stolen data. While not selling data performs the worst, selling at a higher rate does not necessarily mean more profit than selling at a lower rate.
As also shown in Figure 7, the data-selling ransomware stays more profitable than traditional ransomware: even if selling data completely wipes out the victims’ valuation of the locked files, the attacker can still profit at least as much from the stolen data.
In this simulation, we keep , , and set the average market value at of the average victims’ expected value of their locked data. By analogy with the housing market, a house’s market value may be $200,000 while the owner’s expected value may be $400,000 due to sentimental attachment.
Figure 8 shows that the data-selling ransomware profit exhibits a similar trend of decreasing profit as the victims’ expected valuation decreases, as in Figure 7. However, not selling data generally performs better than the other two curves. Another interesting result is that in this case data-selling ransomware is not always more profitable than traditional ransomware (the middle flat line). This result suggests that using the stolen data as an additional threat to force the victims to cooperate may backfire when the potential data-selling profit is limited. If the data is not valuable enough and the data leakage threat reduces the victims’ valuation of their locked files, the data-selling ransomware is less profitable than traditional ransomware.
In this paper we studied a new type of ransomware that gains potential profit by selling stolen data in addition to demanding ransom. The game-theoretical models we built analyze the best strategies of both the attacker and the victims in various cases, i.e., the baseline game with no reputation, the cooperative game with perfect reputation, and the general competitive game with imperfect reputation. The reputation-building strategy of the attacker (i.e., always unlocking the data and keeping it confidential when the ransom is paid) reduces the uncertainty of the data-threat ransomware, thereby making the data-threat ransomware less profitable than the data-selling ransomware. The modeling analysis and simulation studies suggest that the data-selling ransomware is more financially rewarding than traditional ransomware in most cases. However, the realization of the potential financial gains largely depends on the marketability of the stolen data and on whether and how the threat of data leakage affects the victims’ willingness-to-pay ransom. In this sense, the data-selling ransomware is riskier for both the attacker and the victims. An established reputation is mutually beneficial to both the attacker and the victims, but a perfect reputation is not necessarily profit-maximizing for the attacker of the data-selling ransomware. This finding suggests that the attacker may play strategically with combinations of unlocking and selling data, and manipulate the perception of the victims to gain profit.
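The simulation setups in this section (the Table 4 sweep over the probability of selling data, the ransom-demand sweep of Section 4.5, and the discounted file value and market value of Section 4.6) can be reproduced in outline with the following Python script. It is an added example, not the authors' simulation code: the victim decision rule (pay iff q·λ·v + (1−s)·d ≥ ransom), the profit bookkeeping, the market-value ratio and all sample numbers are assumptions.

```python
"""Sweep of the attacker's expected profit in the data-selling ransomware game.

Added illustration, not the authors' simulation code: the victim decision rule,
the payoff bookkeeping and the sample parameters below are assumptions chosen to
reproduce the tradeoffs the text describes (Table 4, Figures 4 to 8)."""
import random
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Victim:
    v: float  # valuation of the locked files
    d: float  # valuation (expected loss) of the stolen data
    m: float  # market value of the data to the attacker (assumed: a fraction of d)


@dataclass(frozen=True)
class Params:
    ransom: float
    q: float          # probability the attacker returns the files once paid
    s: float          # probability the attacker sells the data even if paid
    c_return: float   # attacker's cost of returning files
    c_sell: float     # attacker's cost of selling data
    lam: float = 1.0  # leftover fraction of file value under a leak threat (Section 4.6)


def willingness_to_pay(vic: Victim, p: Params) -> float:
    # Assumed payoffs: not paying loses files and data (-lam*v - d); paying costs the
    # ransom, recovers the files w.p. q and still loses the data w.p. s, i.e.
    # -ransom - (1-q)*lam*v - s*d.  Paying is weakly better iff this value >= ransom.
    return p.q * p.lam * vic.v + (1.0 - p.s) * vic.d


def profit(victims, p: Params):
    """Return (n_pay, ransom_profit, data_profit, total) for data-selling ransomware."""
    n_pay, ransom_profit, data_profit = 0, 0.0, 0.0
    for vic in victims:
        if willingness_to_pay(vic, p) >= p.ransom:
            n_pay += 1
            ransom_profit += p.ransom - p.q * p.c_return  # expected cost of returning files
            data_profit += p.s * (vic.m - p.c_sell)        # a payer's data is still sold w.p. s
        else:
            data_profit += vic.m - p.c_sell                # a non-payer's data is always sold
    return n_pay, ransom_profit, data_profit, ransom_profit + data_profit


def traditional_profit(victims, p: Params):
    """Ransomware 1.0 (no data threat): a victim pays iff q*v >= ransom (assumed rule)."""
    n_pay = sum(1 for vic in victims if p.q * vic.v >= p.ransom)
    return n_pay, n_pay * (p.ransom - p.q * p.c_return)


def sweep_sell_prob(victims, base: Params, steps: int = 11):
    """Table 4 style sweep: vary s at fixed q; rows are (s, n_pay, ransom, data, total)."""
    return [(k / (steps - 1),) + profit(victims, replace(base, s=k / (steps - 1)))
            for k in range(steps)]


def best_ransom(victims, base: Params, candidates, fn=profit):
    """Ransom demand maximising the last element of fn(...), i.e. total profit (Section 4.5)."""
    return max(candidates, key=lambda r: fn(victims, replace(base, ransom=r))[-1])


def make_victims(n: int, lo: float, hi: float, market_ratio: float, seed: int = 7):
    """Constructed sample: v and d uniform in [lo, hi]; market value is market_ratio*d."""
    rng = random.Random(seed)
    out = []
    for _ in range(n):
        d = rng.uniform(lo, hi)
        out.append(Victim(v=rng.uniform(lo, hi), d=d, m=market_ratio * d))
    return out


if __name__ == "__main__":
    victims = make_victims(30, 0.0, 100.0, market_ratio=0.5)
    base = Params(ransom=50.0, q=0.9, s=0.0, c_return=2.5, c_sell=1.0)
    print("traditional (q=1):", traditional_profit(victims, replace(base, q=1.0)))
    print("  s   n  ransom    data   total")
    for s, n, r, d, t in sweep_sell_prob(victims, base):  # the ransom/data tradeoff
        print(f"{s:4.1f} {n:3d} {r:7.1f} {d:7.1f} {t:7.1f}")
    grid = [10.0 * k for k in range(1, 10)]
    print("best ransom, traditional:", best_ransom(victims, replace(base, q=1.0), grid, traditional_profit))
    print("best ransom, data-selling:", best_ransom(victims, base, grid))
    print("total at lam=1.0 vs 0.5:", profit(victims, base)[3], profit(victims, replace(base, lam=0.5))[3])
```

Running the script prints a Table 4 style sweep for the constructed sample; the numbers depend on that sample and the assumed rules, so they will not match the paper's figures, only their qualitative shape.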
[1] Ftcode ransomware returns with credential-stealing capabilities. Cyware, January 22 2020.
[2] Ransomware operators turn evil for late responders and non-paying victims. Cyware, January 23 2020.
[3] The state of Maryland to criminalize ransomware possession. Cyware, January 21 2020.
[4] Bander Ali Saleh Al-rimy, Mohd Aizaini Maarof, and Syed Zainudeen Mohd Shaid. Ransomware threat success factors, taxonomy, and countermeasures: A survey and research directions. Computer & Security, 74:144–166, May 2018.
[5] Najla Aldaraani and Zeenat Begum. Understanding the impact of ransomware: A survey on its evolution, mitigation and prevention techniques. In Proceedings of the 21st Saudi Computer Society National Computer Conference (NCC), pages 1–5, Riyadh, Saudi Arabia, April 25–26 2018.
[6] Azad Ali. Ransomware: A research and a personal case study of dealing with this nasty malware. Issues in Informing Science and Information Technology, 14:87–99, 2017.
[7] Mihail Anghel and Andrei Racautanu. A note on different types of ransomware attacks. IACR Cryptology ePrint Archive, page 605, 2019.
[8] Pranshu Bajpai, Aditya K. Sood, and Richard Enbody. A key-management-based taxonomy for ransomware. In Proceedings of APWG Symposium on Electronic Crime Research, pages 1–12, San Diego, CA, May 15–17 2018.
[9] Nicholas Caporusso, Singhtararaksme Chea, and Raied Abukhaled. A game-theoretical model of ransomware. In Proceedings of the International Conference on Applied Human Factors and Ergonomics, pages 69–78, Orlando, FL, July 27–31 2018.
[10] Anna Cartwright and Edward Cartwright. Ransomware and reputation. Games, MDPI, Open Access Journal, 10(2):1–14, June 2019.
[11] Edward J. Cartwright, Julio Hernandez-Castro, and Anna Cartwright. To pay or not: game theoretic models of ransomware. Journal of Cybersecurity, 5:1–12, 2019.
[12] CyberEdge. Cyberthreat defense report. 2020.
[13] Saqib Hakak, Wazir Zada Khan, Muhammad Imran, Kim-Kwang Raymond Choo, and Muhammad Shoaib. Have you been a victim of COVID-19-related cyber incidents? survey, taxonomy, and mitigation strategies. IEEE Access, 8:124134–124144, 2020.
[14] Julio Hernandez-Castro, Edward Cartwright, and Anna Stepanova. Economic analysis of ransomware. SSRN Electronic Journal, March 2017.
[15] Mamoona Humayun, NZ Jhanjhi, Ahmed Alsayat, and Vasaki Ponnusamy. Internet of things and ransomware: Evolution, mitigation and prevention. Egyptian Informatics Journal, May 28 2020.
[16] Amin Kharraz, William Robertson, Davide Balzarotti, Leyla Bilge, and Engin Kirda. Cutting the Gordian knot: A look under the hood of ransomware attacks. In Proceedings of the 12th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, pages 3–24, July 2015.
[17] Amin Kharraz, William Robertson, Davide Balzarotti, Leyla Bilge, and Engin Kirda. Cutting the Gordian knot: A look under the hood of ransomware attacks. In Proceedings of the International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA 2015), pages 3–24, 2015.
[18] Aron Laszka, Sadegh Farhang, and Jens Grossklags. On the economics of ransomware. In Proceedings of the 8th Conference on Decision and Game Theory for Security (GameSec 2017), pages 397–417, 2017.
[19] Zhen Li and Qi Liao. Ransomware 2.0: To sell, or not to sell. a game-theoretical model of data-selling ransomware. In Proceedings of the 15th International Conference on Availability, Reliability and Security (ARES) – 9th ACM International Workshop on Cyber Crime (IWCC), number 59, pages 1–9, Dublin, Ireland, August 25–28 2020.
[20] Lee Mathews. Another ransomware campaign threatens to expose victims’ data. Forbes, January 23 2020.
[21] Danny Palmer. Ransomware warning: Now attacks are stealing data as well as encrypting it. ZDNet, July 14 2020.
[22] Masarah Paquet-Clouston, Bernhard Haslhofer, and Benoit Dupont. Ransomware payments in the bitcoin ecosystem. In Proceedings of the 17th Annual Workshop on the Economics of Information Security (WEIS), page 10, Innsbruck, Austria, June 2018.
[23] Todd Sandler and Daniel G. Arce M. Terrorism & game theory. Simulation & Gaming, 34(3):319–337, 2003.
[24] Juan A. Herrera Silva, Lorena Barona, Leonardo Valdivieso, and Myriam Alvarez. A survey on situational awareness of ransomware attacks—detection and prevention parameters. Remote Sensing, 11:1168, May 2019.
[25] Camelia Simoiu, Christopher Gates, Joseph Bonneau, and Sharad Goel. “I was told to buy a software or lose my computer. I ignored it”: A study of ransomware. In Proceedings of the Fifteenth Symposium on Usable Privacy and Security (SOUPS 2019), pages 155–174, Santa Clara, CA, August 2019.
[26] Adam Young and Moti Yung. Cryptovirology: extortion-based security threats and countermeasures. In Proceedings of the IEEE Symposium on Security and Privacy, pages 129–140, Oakland, CA, May 6–8 1996.
[27] Alex Zarifis and Xusen Cheng. The impact of extended global ransomware attacks on trust: How the attacker’s competence and institutional trust influence the decision to pay. In Proceedings of the Americas Conference on Information Systems (AMCIS 2018), New Orleans, USA, August 2018.
Zhen Li is currently an E. Maynard Aris Endowed Professor of Economics in the Department of Economics and Management at Albion College. She received her Master’s Degree and Ph.D. in Economics from Princeton University under the direction of Dr. Michael Woodford. She graduated with her Bachelor’s Degree in International Economics from Peking University. Dr. Li conducted research on applied macroeconomics and international finance, in particular on international financial integrity and related policy issues. Dr. Li’s recent research interests include inter-disciplinary research study on economics and game theory of computer networks and information security.
Qi Liao is currently a Professor of Computer Science at Central Michigan University (CMU). He received his M.S. and Ph.D. in Computer Science and Engineering (CSE) from the University of Notre Dame, and a B.S. and departmental distinction in Computer Science (minor in Mathematics) from Hartwick College, New York. Dr. Liao’s research interests include computer security, machine learning, visual analytics, and economics/game theory at the intersection of network usage and cybersecurity. He received best paper awards at USENIX LISA, IEEE ICCCBDA, Emerald Literati Awards for Excellence for Information and Computer Security, IEEE VAST Challenge Award, winner of National Security Innovation Competition, Center for Research Computing Award for Computational Sciences and Visualization, and CMU College of Science & Engineering Award for Outstanding Research. Dr. Liao was a visiting research scientist at IBM Research, Argonne National Lab, and ASEE Fellow at U.S. Air Force Research Lab.
Journal of Cyber Security and Mobility, Vol. 10_1, 65–96.
doi: 10.13052/jcsm2245-1439.1013
© 2021 River Publishers