Game Theory of Data-selling Ransomware

Authors

  • Zhen Li Department of Economics and Management, Albion College, USA
  • Qi Liao Department of Computer Science, Central Michigan University, USA https://orcid.org/0000-0001-5520-157X

DOI:

https://doi.org/10.13052/jcsm2245-1439.1013

Keywords:

Cybersecurity, ransomware, ransomware 1.0, ransomware 1.5, ransomware 2.0, game theory, data selling, data threat, reputation, economics, revenue model, profit optimization

Abstract

We are experiencing the worst years of ransomware attacks with continuing news reports on high-profile ransomware attacks on organizations such as hospitals, schools, government agencies and private businesses. Recently a few ransomware attackers have gone beyond simply encrypting files and waiting for ransom. They threaten to release the data if the victims refuse their ransom request. In this paper, we propose a hypothetical new revenue model for the ransomware, i.e., selling the stolen data rather than publishing the data for free. Through a game-theoretical analysis between attackers and victims, we contribute a novel model to understand the critical decision variables for the proposed data-selling ransomware (which we refer as "ransomware 2.0") that sells data as well as demands ransom. We compare the role of reputation and the profitability of the data-selling ransomware with traditional ransomware ("ransomware 1.0") that demands ransom only and the data-threat ransomware ("ransomware 1.5") that demands ransom with the threat of releasing data for no compliance. Both theoretical modeling and simulation studies suggest that in general both ransomware 2.0 and 1.5 are more profitable than ransomware 1.0, while ransomware 2.0 is always more profitable than ransomware 1.5. Notably, common defensive measures that may work to eliminate the financial incentives of ransomware 1.0 may not work on ransomware 2.0, in particular the data backup practice and the never-pay-ransom strategy. Our findings also suggest that the uncertainties created by this new revenue model may affect attackers' reputation and users' willingness-to-pay, therefore, ransomware 2.0 may not always increase the profitability of attackers. Another finding of the study suggests that reputation maximization is critical in ransomware 1.0 and 1.5, but not in ransomware 2.0, where attackers could manipulate reputation for profit maximization.

Downloads

Download data is not yet available.

Author Biographies

Zhen Li, Department of Economics and Management, Albion College, USA

Zhen Li is currently an E. Maynard Aris Endowed Professor of Economics in the Department of Economics and Management at Albion College. She received her Master’s Degree and Ph.D. in Economics from Princeton University under the direction of Dr. Michael Woodford. She graduated with her Bachelor’s Degree in International Economics from Peking University. Dr. Li conducted research on applied macroeconomics and international finance, in particular on international financial integrity and related policy issues. Dr. Li’s recent research interests include inter-disciplinary research study on economics and game theory of computer networks and information security.

Qi Liao, Department of Computer Science, Central Michigan University, USA

Qi Liao is currently a Professor of Computer Science at Central Michigan University (CMU). He received his M.S. and Ph.D. in Computer Science and Engineering (CSE) from the University of Notre Dame, and a B.S. and departmental distinction in Computer Science (minor in Mathematics) from Hartwick College, New York. Dr. Liao’s research interests include computer security, machine learning, visual analytics, and economics/game theory at the intersection of network usage and cybersecurity. He received best paper awards at USENIX LISA, IEEE ICCCBDA, Emerald Literati Awards for Excellence for Information and Computer Security, IEEE VAST Challenge Award, winner of National Security Innovation Competition, Center for Research Computing Award for Computational Sciences and Visualization, and CMU College of Science & Engineering Award for Outstanding Research. Dr. Liao was a visiting research scientist at IBM Research, Argonne National Lab, and ASEE Fellow at U.S. Air Force Research Lab.

References

Ftcode ransomware returns with credential-stealing capabilities. Cyware, January 22 2020.

Ransomware operators turn evil for late reposnders and non-paying victims. Cyware, January 23 2020.

The state of maryland to criminalize ransomware possession. Cyware, January 21 2020.

Bander Ali Saleh Al-rimy, Mohd Aizaini Maarof, and Syed Zainudeen Mohd Shaid. Ransomware threat success factors, taxonomy, and countermeasures: A survey and research directions. Computer & Security, 74:144–166, May 2018.

Najla Aldaraani and Zeenat Begum. Understanding the impact of ransomware: A survey on its evolution, mitigation and prevention techniques. In Proceedings of the 21st Saudi Computer Society National Computer Conference (NCC), pages 1–5, Riyadh, Saudi Arabia, April 25–26 2018.

Azad Ali. Ransomware: A research and a personal case study of dealing with this nasty malware. Issues in Informing Science and Information Technology, 14:87–99, 2017.

Mihail Anghel and Andrei Racautanu. A note on different types of ransomware attacks. IACR Cryptology ePrint Archive, page 605, 2019.

Pranshu Bajpai, Aditya K. Sood, and Richard Enbody. A key-management-based taxonomy for ransomware. In Proceedings of APWG Symposium on Electronic Crime Research, pages 1–12, San Diego, CA, May 15–17 2018.

Nicholas Caporusso, Singhtararaksme Chea, and Raied Abukhaled. A game-theoretical model of ransomware. In Proceedings of the International Conference on Applied Human Factors and Ergonomics, pages 69–78, Orlando, FL, July 27–31 2018.

Anna Cartwright and Edward Cartwright. Ransomware and reputation. Games, MDPI, Open Access Journal, 10(2):1–14, June 2019.

Edward J. Cartwright, Julio Hernandez-Castro, and Anna Cartwright. To pay or not: game theoretic models of ransomware. Journal of Cybersecurity, 5:1–12, 2019.

CyberEdge. Cyberthreat defense report. 2020.

Saqib Hakak, Wazir Zada Khan, Muhammad Imran, Kim-Kwang Raymond Choo, and Muhammad Shoaib. Have you been a victim of COVID-19-related cyber incidents? survey, taxonomy, and mitigation strategies. IEEE Access, 8:124134–124144, 2020.

Julio Hernandez-Castro, Edward Cartwright, and Anna Stepanova. Economic analysis of ransomware. SSRN Electronic Journal, March 2017.

Mamoona Humayun, NZ Jhanjhi, Ahmed Alsayat, and Vasaki Ponnusamy. Internet of things and ransomware: Evolution, mitigation and prevention. Egyptian Informatics Journal, May 28 2020.

Amin Kharraz, William Robertson, Davide Balzarotti, Leyla Bilge, and Engin Kirda. Cutting the gordian knot: A look under the hood of ransomware attacks. In Proceedings of the 12th International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment, pages 3–24, July 2015.

Amin Kharraz, William Robertson, Davide Balzarotti, Leyla Bilge, and Engin Kirda. Cutting the Gordian knot: A look under the hood of ransomware attacks. In Proceedings of the International Conference on Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA 2015), pages 3–24, 2015.

Aron Laszka, Sadegh Farhang, and Jens Grossklags. On the economics of ransomware. In Proceedings of the 8th Conference on Decision and Game Theory for Security (GameSec 2017), pages 397–417, 2017.

Zhen Li and Qi Liao. Ransomware 2.0: To sell, or not to sell. a game-theoretical model of data-selling ransomware. In Proceedings of the 15th International Conference on Availability, Reliability and Security (ARES) – 9th ACM International Workshop on Cyber Crime (IWCC), number 59, pages 1–9, Dublin, Ireland, August 25–28 2020.

Lee Mathews. Another ransomware campaign threatens to expose victims’ data. Forbes, January 23 2020.

Danny Palmer. Ransomware warning: Now attacks are stealing data as well as encrypting it. ZDNet, July 14 2020.

Masarah Paquet-Clouston, Bernhard Haslhofer, and Benoit Dupont. Ransomware payments in the bitcoin ecosystem. In Proceedings of the 17th Annual Workshop on the Economics of Information Security (WEIS), page 10, Innsbruck, Austria, June 2018.

Todd Sandler and Daniel G. Arce M. Terrorism & game theory. Simulation & Gaming, 34(3):319–337, 2003.

Juan A. Herrera Silva, Lorena Barona, Leonardo Valdivieso, and Myriam Alvarez. A survey on situational awareness of ransomware attacks—detection and prevention parameters. Remote Sensing, 11:1168, May 2019.

Camelia Simoiu, Christopher Gates, Joseph Bonneau, and Sharad Goel. “I was told to buy a software or lose my computer. I ignored it”: A study of ransomware. In Proceedings of the Fifteenth Symposium on Usable Privacy and Security (SOUPS 2019), pages 155–174, Santa Clara, CA, August 2019.

Adam Young and Moti Yung. Cryptovirology: extortion-based security threats and countermeasures. In Proceedings of IEEE Symposium on Security and Privacy, pages 129–140, Oakland, CA, May 6-8 1996.

Alex Zarifis and Xusen Cheng. The impact of extended global ransomware attacks on trust: How the attacker’s competence and institutional trust influence the decision to pay. In Proceedings of the Americas Conference on Information Systems (AMCIS 2018), New Orleans, USA, August 2018.

Downloads

Published

2021-03-22

How to Cite

1.
Li Z, Liao Q. Game Theory of Data-selling Ransomware. JCSANDM [Internet]. 2021 Mar. 22 [cited 2024 Nov. 21];10(1):65-96. Available from: https://journals.riverpublishers.com/index.php/JCSANDM/article/view/5933

Issue

Section

ARES 2020 Workshops