On my vacation to Namibia earlier this year, I caught up on podcasts during the long stretches of driving (albeit in breathtaking scenery). One episode in particular jolted my mental juices – the EconTalk episode featuring Dr. Anja Shortland discussing her book Kidnap. The fascinating chat between Dr. Shortland and host Russ Roberts delved into the incentive mechanisms between kidnappers who demand ransom and insurers, and the economic paradigm that results.
Naturally, there are implications for ransomware, the digital counterpart to physical ransom. In particular, I believe the role cyber insurance should play deserves closer examination, but there are other spicy takes that fomented as I listened to and digested the podcast episode. This post will explore my thoughts on how the economics of physical ransom translate to digital ransom, and how we as an industry might want to reconceive our current approaches to considering and dealing with ransomware – and the criminals who run ransomware campaigns.
The Shadow of the Future
First, let us set the stage with a discussion of the “shadow of the future” and how it applies to the ransom market. The “shadow of the future” is a game theoretic concept that explains how people will behave differently if they believe they will need to interact with their current counterparty again (“repeated games” in game theory lingo). This belief encourages cooperation between counterparties, as they will play much nicer in the hope of receiving better treatment in future interactions.1 Thus, the future lingers like a “shadow” over current interactions.
In the kidnapping for ransom world, criminals cast a shadow of the future. If they desire to kidnap again, they want to “behave” in the immediate interaction to help them in their future business. If kidnappers demonstrate they will honor their demands upon receipt of a ransom, then future victims will be more likely to pay ransoms, believing that promises are more likely to be kept. This, Dr. Shortland surmises, is why 97.5% of kidnapping cases “go right” – which is better than the success rate of many legitimate transactions.
An example Dr. Shortland gives is that Somali pirates, upon receiving ransom for multimillion-dollar sea vessels, are repeatedly seen to leave the vessels and not re-hijack them again. The exchange of hijacked sea vessels for cash consistently goes right for all parties involved – even in a situation that is rife with mistrust and conflict. The Somali pirates are now trustable in a twisted way, as owners of sea vessels know that they will indeed have their ships returned reliably if they pay the ransom. As Dr. Shortland points out, this shadow of the future applies to kidnapping gangs within cities as well, through the power of local gossip.
How does the shadow of the future apply to ransomware? It certainly should apply, as few attackers run ransomware campaigns against only one target, thus creating the opportunity for future interactions with victims. Victims, at least in theory, would be more likely to pay ransoms to criminal groups who were known to reliably decrypt data, especially those who do so without any data loss.
Unfortunately, the data on ransomware and success rates (on both sides) is limited, particularly when getting as granular as specific ransomware types. At first blush, the statistic from the first quarter of 2019 that 96%2 of ransomware payments were successful seems to match the high success rate of kidnapping cases. However, that just represents the number of victims who received a decryption tool. The recovery rate in the same survey ranges from 80% to 100%, depending on the ransomware type. Other surveys suggest the data recovery rate is as low as 66%3 to 75%4.
These statistics suggest a far more inefficient market for ransomware than exists for physical ransom. Additional supporting evidence of this inefficiency arises from the mismatch of ransomware campaigns with the most reliable data recovery and campaigns with the highest ransom demanded. Ryuk requests $286,557 on average5, despite their approximately 80% data recovery rate, due to targeting larger enterprises. Grand Crab, in contrast, demands just under $8,000 but offers an approximately 100% data recovery rate. This seems like a far cry from a “nice equilibrium” as exists in the physical sphere.
Encouraging Better Attackers
This kind of illegal activity is an inevitability – neither physical nor digital ransom can be fully prevented. Therefore, we must optimize given the constraints of this reality. Just like you want to encourage kidnappers that do not kill their victims, we want to encourage attackers that do not lose ransomed data.
With this grounding aspiration in mind, let me offer you my ghost pepper-level take. There is some level of attacker activity that represents a healthy equilibrium, and defining that equilibrium (perhaps “only teams that can discover and weaponize 0day”) is healthier than trying to stop attacker activity. That is, if we can eliminate the script kiddies and #basicbitch6 attackers who lack the operational resources to ensure data fidelity when conducting digital ransom, organizations will be better off – even if they are still hit by sophisticated attackers who will receive payments but reliably facilitate data recovery.
As Dr. Shortland cited, the presence of armed guards in the Niger delta creates a “nice equilibrium,” because it, in essence, raises the cost of attack. Disorganized, resource-constrained street gangs cannot pursue physical ransom as one of their normal activities when they must contend with armed guards. Only more sophisticated criminal organizations will possess the means to pursue physical ransom – and they are vastly more likely to adhere to the aforementioned shadow of the future, leading them to behave professionally and responsibly.
The Role of Cyber Insurance
How can we encourage this kind of equilibrium? If we look to the physical ransom domain, insurance companies play a critical role. Kidnap insurance creates stability in the market, reducing the friction between “buyers” (the victim’s representatives) and “sellers” (the kidnappers). Of course, it would be remiss of me not to acknowledge the dark side of insurance – the creation of macro-level moral hazard. Kidnap insurance’s very existence allows kidnapping to be an especially profitable ongoing activity. However, the safer ends – based on current evidence – seem to suitably justify the means.
The insurers’ goal, in the kidnapping market, is to eliminate stupid or irrational kidnappers from the market – those who make errors in process or judgment, such as cutting off fingers to hasten payment of ransom. Likewise, cyber insurance’s goal should be the same, to eliminate the skidiots7 who could accidentally brick systems or delete data and to encourage more sophisticated attackers who are true to their promises and conduct their operations reliably and professionally.
One can envision a world in which a cyber insurance company negotiates a flat rate to receive the decryptor, then sending a bonus if all data is recovered. Such a scheme would incentivize attackers to maximize victim data recovery upon receipt of payment. This, of course, relies on the “shadow of the future” – but it is in the best interests of the victims, cyber insurance firms, and attackers to develop the trust that full payments will be received and data will be fully recovered.
You may be thinking to yourself, “This feels really icky – aren’t the attackers winning here?” Attackers will continue to be a reality, as, likely, will ransomware. By accepting reality, we can depart from the unrealistic goal of “eliminate all ransomware attacks” to “maximize reliability of data recovery in ransomware attacks.” Part of maximizing reliability is encouraging better attackers, which is done by raising the cost of attack.
Naturally, there are caveats. Both physical and digital ransom are examples of markets in which imperfect information is actually advantageous to the “good” side, as insurance companies benefit from information being withheld from criminals. Accordingly, insurance companies should withhold the extent to which individuals are insured to prevent victims from divulging how much money the attackers could receive. The attackers will logically ask for the maximum ransom payment based on their expectations – so it is better to minimize their expectations as much as possible.
As Dr. Shortland advises, the goal is to “manage the size of the towel the [attackers] think they’re squeezing.” We – ideally, through insurance companies – must convince the attacker that they have reaped everything they could from their attack. Therein lies the beautiful pragmatism of this strategy: we focus on the elements we can control (perceptions) rather than the elements we cannot (motivations, resources, etc.). Yes, implementing proper backup and recovery solutions is within defenders’ control, too, but as we can see from the seemingly weekly headlines about ransomware incidents, we need a sane Plan B.
In general, there is much information security can learn from domains which have a rich history of experimenting with solutions to similar problems. Physical ransom, in which a rather efficient market between attackers, victims, and insurance companies exists, is a pertinent exemplar for how infosec can more efficiently deal with ransomware.
While it may feel uncomfortable to accept a healthy level of malicious activity, at a certain point, we must become pragmatic rather than wallowing in sententious idealism. We can never fully prevent attacks, and that goes for ransomware as well. But we do have a chance to encourage more intelligent attackers – who operate professionally, incentivized by ongoing business interests – so that the ultimate impact of ransomware is less deleterious than what transpires under the claws of disorganized, incompetent attackers.
This may not be the safer world we imagined, but, as Machiavelli advised centuries ago, “Prudence consists in knowing how to distinguish the character of troubles, and for choice to take the lesser evil.”8 We owe it to those who depend on our expertise to think more boldly in how we can build a sustainable equilibrium in a world – digital and otherwise – that will always be troubled by aggressors.
This, as with many things in economics and game theory, does not always hold true, depending on the context. In the realm of international relations, where the shadow of the future is commonly studied, some researchers suggest the shadow can actually harm cooperation. ↩︎
Both Ryuk and Grand Crab’s monetary amounts are taken from the Coveware report in footnote 2. ↩︎
I still have yet to find a word or term that so immediately evokes the blend of insipidness, mediocrity, and formulaicity that “basic bitch” conveys. ↩︎