Economics of Ransomware: Risk Interdependence and Large-Scale Attacks

References

• Abrams L (2016) Ultracrypter not providing decryption keys after payment. Launches help desk. Bleeping Computer News (June 16), https://www.bleepingcomputer.com/news/security/ultracrypter-not-providing-decryption-keys-after-payment-launches-help-desk/.Google Scholar
• Abrams L (2020) FBI says $140+ million paid to ransomware, offers defense tips. Bleeping Computer News (February 27), https://www.bleepingcomputer.com/news/security/fbi-says-140-million-paid-to-ransomware-offers-defense-tips/.Google Scholar
• Arntz P (2021) Ryuk ransomware develops worm-like capability. Malwarebytes Labs blog (March 2), https://blog.malwarebytes.com/malwarebytes-news/2021/03/ryuk-ransomware-develops-worm-like-capability/.Google Scholar
• Arora A, Telang R, Xu H (2008) Optimal policy for software vulnerability disclosure. Management Sci. 54(4):642–656.Link, Google Scholar
• August T, Tunca TI (2006) Network software security and user incentives. Management Sci. 52(11):1703–1720.Link, Google Scholar
• August T, Tunca TI (2008) Let the pirates patch? An economic analysis of software security patch restrictions. Inform. Systems Res. 19(1):48–70.Link, Google Scholar
• August T, Tunca TI (2011) Who should be responsible for software security? A comparative analysis of liability policies in network environments. Management Sci. 57(5):934–959.Link, Google Scholar
• August T, August R, Shin H (2014) Designing user incentives for cybersecurity. Comm. ACM 57(11):43–46.Crossref, Google Scholar
• August T, Dao D, Kim K (2019) Market segmentation and software security: Pricing patching rights. Management Sci. 65(10):4451–4949.Google Scholar
• Barak I (2020) Cybereason’s newest honeypot shows how multistage ransomware attacks should have critical infrastructure providers on high alert. Cybereason (June 11), https://www.cybereason.com/blog/cybereason-honeypot-multistage-ransomware.Google Scholar
• Barkly (2017) Ransomware statistics. Accessed June 29, 2018, https://blog.barkly.com/ransomware-statistics-2017.Google Scholar
• Bartock M, Cichonski J, Souppaya M, Smith M, Witte G, Scarfone K (2016). Guide for cybersecurity event recovery. Special publication 800-184, National Institute of Standards and Technology (NIST), Washington, DC.Google Scholar
• Böhme R, Schwartz G (2010). Modeling cyber-insurance: Toward a unifying framework. Workshop Econom. Inform. Security.Google Scholar
• Brandt PT, Sandler T (2009) Hostage taking: Understanding terrorism event dynamics. J. Policy Model. 31(5):758–778.Crossref, Google Scholar
• Brandt PT, George J, Sandler T (2016) Why concessions should not be made to terrorist kidnappers. Eur. J. Political Econom. 44:41–52.Crossref, Google Scholar
• Cabuhat J, Casayuran M, Melgarejo A (2017) Locky ransomware pushed alongside fakeglobe in upgraded spam campaigns. Trend Micro (September 18), https://blog.trendmicro.com/trendlabs-security-intelligence/locky-ransomware-pushed-alongside-fakeglobe-upgraded-spam-campaigns/.Google Scholar
• Cartwright A, Cartwright E (2019) Ransomware and reputation. Games 10(2):26.Crossref, Google Scholar
• Cartwright A, Cartwright E, Xue L (2019a) Investing in prevention or paying for recovery: Attitudes to cyber risk. Alpcan T, Vorobeychik Y, Baras JS, Dán G, eds. Decision and Game Theory for Security (Springer, Cham, Switzerland), 135–151.Google Scholar
• Cartwright E, Hernandez Castro J, Cartwright A (2019b) To pay or not: Game theoretic models of ransomware. J. Cybersecurity 5(1):tyz009.Crossref, Google Scholar
• Cavusoglu H, Raghunathan S (2007) Efficiency of vulnerability disclosure mechanisms to disseminate vulnerability knowledge. IEEE Trans. Software Engrg. 33(3):171–185.Crossref, Google Scholar
• Cavusoglu H, Cavusoglu H, Zhang J (2008) Security patch management: Share the burden or share the damage? Management Sci. 54(4):657–670.Link, Google Scholar
• Cezar A, Cavusoglu H, Raghunathan S (2017) Sourcing information security operations: The role of risk interdependency and competitive externality in outsourcing decisions. Production Oper. Management 26(5):860–879.Crossref, Google Scholar
• Chappell B, Neuman S (2017) U.S. says North Korea ’directly responsible’ for WannaCry ransomware attack. Accessed February 13, 2019, https://www.npr.org/sections/thetwo-way/2017/12/19/571854614/u-s-says-north-korea-directly-responsible-for-wannacry-ransomware-attack.Google Scholar
• Chen P-Y, Kataria G, Krishnan R (2011) Correlated failures, diversification, and information security risk management. Management Inform. Systems Quart. 35(2):397–422.Crossref, Google Scholar
• Chen J, Touati C, Zhu Q (2017) A dynamic game analysis and design of infrastructure network protection and recovery. SIGMETRICS Performance Evaluation Rev. 45(2):128.Crossref, Google Scholar
• Choi JP, Fershtman C, Gandal N (2010) Network security: Vulnerabilities and disclosure policy. J. Industry Econom. 58(4):868–894.Crossref, Google Scholar
• Chuang T (2016) Inside the profitable underworld of ransomware. Accessed August 6, 2019, https://www.govtech.com/security/Inside-the-Profitable-Underworld-of-Ransomware.html.Google Scholar
• Chuang T (2018) Pay us bitcoin or never see your files again: Inside the highly profitable underworld of ransomware. Denver Post. https://www.denverpost.com/2018/03/04/computer-ransomware/.Google Scholar
• Cooper C (2018) Wannacry: Lessons learned 1 year later. Symantec (May 15), https://www.symantec.com/blogs/feature-stories/wannacry-lessons-learned-1-year-later.Google Scholar
• Cybersecurity Insiders (2017) 2017 ransomware report. Accessed June 29, 2108, https://www.cybersecurity-insiders.com/portfolio/2017-ransomware-report/.Google Scholar
• Dey D, Kim A, Lahiri A (2019) Online piracy and the “longer arm” of enforcement. Management Sci. 65(3):1173–1190.Link, Google Scholar
• Dey D, Lahiri A, Zhang G (2012) Hacker behavior, network effects, and the security software market. J. Management Inform. Systems 29(2):77–108.Crossref, Google Scholar
• Dey D, Lahiri A, Zhang G (2014) Quality competition and market segmentation in the security software market. Management Inform. Systems Quart. 38(2):589–606.Crossref, Google Scholar
• Dey D, Lahiri A, Zhang G (2015) Optimal policies for security patch management. J. Comput. 27(3):462–477.Abstract, Google Scholar
• Disparte D (2018) A new report suggests there is honor among cyber thieves. Forbes (October 16), https://www.forbes.com/sites/dantedisparte/2018/10/16/a-new-report-suggests-there-is-honor-among-cyber-thieves/#145754c31841.Google Scholar
• Emsisoft Malware Laboratory (2021) The cost of ransomware in 2021: A country-by-country analysis. Accessed June 29, 2018, https://blog.emsisoft.com/en/38426/the-cost-of-ransomware-in-2021-a-country-by-country-analysis/.Google Scholar
• F-Secure (2016) Evaluating the customer journey of crypto-ransomware. F-Secure Report. Accessed June 29, 2018, https://fsecureconsumer.files.wordpress.com/2016/07/customer_journey_of_crypto-ransomware_f-secure.pdf.Google Scholar
• FBI (2016) Incidents of ransomware on the rise: Protect yourself and your organization. FBI News (April 29), https://www.fbi.gov/news/stories/incidents-of-ransomware-on-the-rise.Google Scholar
• Fleishman G (2016) Two ways to stop ransomware in its tracks. MIT Technology Review (July 29), https://www.technologyreview.com/s/601943/two-ways-to-stop-ransomware-in-its-tracks/.Google Scholar
• Frenkel S, Scott M, Mozur P (2017). Mystery of motive for a ransomware attack: Money, mayhem or a message? New York Times (June 28), https://www.nytimes.com/2017/06/28/business/ramsonware-hackers-cybersecurity-petya-impact.html.Google Scholar
• Gaibulloev K, Sandler T (2009) Hostage taking: Determinants of terrorist logistical and negotiation success. J. Peace Res. 46(6):739–756.Crossref, Google Scholar
• Gal-Or E, Ghose A (2005) The economic incentives for sharing security information. Inform. Systems Res. 16(2):186–208.Link, Google Scholar
• Gates D (2018) Boeing hit by Wannacry virus, but says attack caused little damage. Seattle Times (March 28), https://www.seattletimes.com/business/boeing-aerospace/boeing-hit-by-wannacry-virus-fears-it-could-cripple-some-jet-production/.Google Scholar
• Gatlan S (2019) Hacked sharepoint sites used to bypass secure email gateways. Bleeping Computer News (September 3), https://www.bleepingcomputer.com/news/security/hacked-sharepoint-sites-used-to-bypass-secure-email-gateways/.Google Scholar
• Gendre A (2019a) 4 Ways Hackers Use Phishing to Launch Ransomware Attacks. Vade Secure (September 12), https://www.vadesecure.com/en/3-ways-hackers-use-phishing-to-launch-ransomware-attacks/.Google Scholar
• Gendre A (2019b) Office 365 phishing attacks: How hackers get access to your business. Vade Secure (March 21), https://www.vadesecure.com/en/office-365-phishing-attacks-how-hackers-get-access-to-your-business/.Google Scholar
• Goddin D (2019) Zero-day attackers deliver a double dose of ransomware-no clicking required. Accessed June 8, 2020, https://arstechnica.com/information-technology/2019/04/zeroday-attackers-deliver-a-double-dose-of-ransomware-no-clicking-required/.Google Scholar
• Goodin D (2019) New ransomware infections are the worst drive-by attacks in recent memory. Ars Technica (June 27), https://arstechnica.com/information-technology/2019/06/new-ransomware-infections-are-the-worst-drive-by-attacks-in-recent-memory/.Google Scholar
• Greenberg A (2018) The untold story of NotPetya, the most devastating cyberattack in history. Accessed February 13, 2019, https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/.Google Scholar
• Grossklags J, Christin N, Chuang J (2008). Secure or insure? A game-theoretic analysis of information security games. Proc. 17th Internat. Conf. on World Wide Web (ACM, New York), 209–218.Google Scholar
• Guida R (2018) Phishpoint: New sharepoint phishing scam affects an estimated 10% of office 365 users. Avanan (August 18), https://www.avanan.com/blog/sharepoint-phishing-scam.Google Scholar
• Gupta A, Zhdanov D (2012) Growth and sustainability of managed security services networks: An economic perspective. Management Inform. Systems Quart. 36(4):1109–1130.Crossref, Google Scholar
• Huang DY, Aliapoulios MM, Li VG, Invernizzi L, Bursztein E, McRoberts K, Levin J, et al. (2018) Tracking ransomware end-to-end. Proc. IEEE Sympos. Security and Privacy (IEEE, New York), 618–631.Google Scholar
• Hui K-L, Hui W, Yue WT (2012) Information security outsourcing with system interdependency and mandatory security requirement. J. Management Inform. Systems 29(3):117–156.Crossref, Google Scholar
• CFERF (2014) Financial executives, cyber security & business continuity. Canadian Financial Executives Research Foundation. Accessed February 25, 2022, https://www.feicanada.org/enews/file/CFERF%20studies/2013-2014/IBM%20Cyber%20Security%20final3%202014.pdf.Google Scholar
• Ioannidis C, Pym D, Williams J (2012) Information security trade-offs and optimal patching policies. Eur. J. Oper. Res. 216(2):434–444.Crossref, Google Scholar
• Johnson B, Böhme R, Grossklags J (2011) Security games with market insurance. Baras JS, Katz J, Altman E, eds. Decision and Game Theory for Security (Springer, Berlin), 117–130.Crossref, Google Scholar
• Johnson B, Grossklags J, Christin N, Chuang J (2010). Uncertainty in interdependent security games. Proc. Internat. Conf. on Decision and Game Theory for Security (Springer, Berlin), 234–244.Google Scholar
• Kannan K, Telang R (2005) Market for software vulnerabilities? Think again. Management Sci. 51(5):726–740.Link, Google Scholar
• Kannan K, Rahman MS, Tawarmalani M (2016) Economic and policy implications of restricted patch distribution. Management Sci. 62(11):3161–3182.Link, Google Scholar
• Kaspersky (2016) Kaspersky security bulletin 2016. Accessed June 29, 2018, https://securelist.com/kaspersky-security-bulletin-2016-story-of-the-year/76757/.Google Scholar
• Keshet Y (2020) EternalBlue: The lethal nation-state exploit tool gone wild. Cynet (January 2), https://www.cynet.com/blog/eternalblue-the-lethal-nation-state-exploit-tool-gone-wild/.Google Scholar
• Khalili J (2020) Some Windows 10 updates will soon be force installed, whether you like it or not. Tech Radar (December 10), https://www.techradar.com/news/some-windows-10-updates-will-soon-be-force-installed-whether-you-like-it-or-not/.Google Scholar
• Kim BC, Chen P-Y, Mukhopadhyay T (2011) The effect of liability and patch release on software security: The monopoly case. Production Oper. Management 20(4):603–617.Crossref, Google Scholar
• Kim A, Lahiri A, Dey D (2018) The “invisible hand” of piracy: An economic analysis of the information-goods supply chain. MIS Quart. 42(4).Google Scholar
• Krebs on Security (2019) Ransomware gangs now outing victim businesses that don’t pay up. Accessed June 11, 2020, https://krebsonsecurity.com/2019/12/ransomware-gangs-now-outing-victim-businesses-that-dont-pay-up/comment-page-1/.Google Scholar
• Kremez V, Carter B (2021) Crime laundering primer: Inside Ryuk crime (crypto) ledger & Risky Asian crypto traders. Joint Advanced Intelligenve and HYAS report, Jan 7. Accessed May 20, 2021, https://www.advanced-intel.com/post/crime-laundering-primer-inside-ryuk-crime-crypto-ledger-risky-asian-crypto-traders.Google Scholar
• Kunreuther H, Heal G (2003) Interdependent security. J. Risk Uncertainty 26(2/3):231–249.Crossref, Google Scholar
• Lahiri A (2012) Revisiting the incentive to tolerate illegal distribution of software products. Decision Support Systems 53(2):357–367.Crossref, Google Scholar
• Lapan H, Sandler T (1988) To bargain or not to bargain: That is the question. Amer. Econom. Rev. 78(2):16–21.Google Scholar
• Laszka A, Farhang S, Grossklags J (2017) On the economics of ransomware. Proc. Internat. Conf. on Decision and Game Theory for Security (Springer, Berlin), 397–417.Google Scholar
• Lelarge M (2009) Economics of malware: Epidemic risks model, network externalities and incentives. Proc. 47th Annual Allerton Conf. on Comm., Control, and Comput. (IEEE, New York), 1353–1360.Google Scholar
• Li Z, Liao Q (2020). Ransomware 2.0: To sell, or not to sell a game-theoretical model of data-selling ransomware. Proc. 15th Internat. Conf. on Availability, Reliability and Security (ACM, New York), 1–9.Google Scholar
• Marsh S (2018) US joins UK in blaming Russia for NotPetya cyber-attack. Accessed February 13, 2019, https://www.theguardian.com/technology/2018/feb/15/uk-blames-russia-notpetya-cyber-attack-ukraine.Google Scholar
• Microsoft (2017) Wannacrypt ransomware worm targets out-of-date systems. Microsoft Defender Research (May 12), https://cloudblogs.microsoft.com/microsoftsecure/2017/05/12/wannacrypt-ransomware-worm-targets-out-of-date-systems/.Google Scholar
• Microsoft (2021) What is the value of security? Accessed June 11, 2021, https://www.microsoft.com/en-us/microsoft-365/enterprise/security-value-calculator/.Google Scholar
• Mitra S, Ransbotham S (2015) Information disclosure and the diffusion of information security attacks. Inform. Systems Res. 26(3):565–584.Link, Google Scholar
• Morgan S (2019) Global ransomware damage costs predicted to reach $20 billion (USD) by 2021. Cybersecurity Ventures (October 21), https://cybersecurityventures.com/global-ransomware-damage-costs-predicted-to-reach-20-billion-usd-by-2021/.Google Scholar
• Newman J (2015) Windows 10 will force automatic updates for all Home users. PCWorld. Accessed July 15, 2015, https://www.pcworld.com/article/428629/windows-10-will-force-automatic-updates-for-all-home-users.html.Google Scholar
• Ng A (2017) ‘Doomsday’ worm uses seven NSA exploits (WannaCry used two). Accessed June 3, 2020, https://www.cnet.com/news/doomsday-worm-eternalrocks-seven-nsa-exploits-wannacry-ransomware/.Google Scholar
• No More Ransomware Project (2017) About the project. Prevention advice. Accessed June 28, 2018, https://www.nomoreransom.org/en/prevention-advice.html.Google Scholar
• Palmer D (2017) This giant ransomware campaign just sent millions of malware-spreading emails. Accessed June 8, 2020, https://www.zdnet.com/article/this-giant-ransomware-campaign-just-sent-millions-of-malware-spreading-emails/.Google Scholar
• Palmer D (2020) Ransomware attacks are causing more downtime than ever before. Accessed June 30, 2020, https://www.zdnet.com/article/ransomware-attacks-are-causing-more-downtime-than-ever-before/.Google Scholar
• Ransbotham S, Mitra S, Ramsey J (2012) Are markets for vulnerabilities effective? Management Inform. Systems Quart. 36(1):43–64.Crossref, Google Scholar
• Sanders J (2019) How WannaCry is still launching 3,500 successful attacks per hour. Tech Republic (May 29), https://www.techrepublic.com/article/how-wannacry-is-still-launching-3500-successful-attacks-per-hour/.Google Scholar
• Savage K, Coogan P, Lau H (2015) Symantec security response: The evolution of ransomware. Accessed February 13, 2019, http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-evolution-of-ransomware.pdf.Google Scholar
• Selten R (1988) Models of strategic rationality. Theory and Decision Library C (Springer, Berlin), 77–93.Crossref, Google Scholar
• Siwicki B (2016) Ransomware attackers collect ransom from Kansas hospital, don’t unlock all the data, then demand more money. Healthcare IT News (May 23), https://www.healthcareitnews.com/news/kansas-hospital-hit-ransomware-pays-then-attackers-demand-second-ransom.Google Scholar
• Splinters J (2019) Sodinokibi ransomware spread by misusing oracle weblogic server flaw. Accessed June 8, 2020, https://www.2-spyware.com/sodinokibi-ransomware-spread-by-misusing-oracle-weblogic-server-flaw.Google Scholar
• Sussman B (2020) Ransomware: When companies pay hackers, do they get their data back? Accessed June 8, 2020, https://www.secureworldexpo.com/industry-news/ransomware-when-companies-pay-hackers-do-they-get-their-data-back.Google Scholar
• Symantec (2016) Special report: Ransomware and businesses 2016. Symantec Internet Security Threat Report. Accessed June 28, 2018, https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/ISTR2016_Ransomware_and_Businesses.pdf.Google Scholar
• Thomas T, Stoddard D (2012) Network Security First-Step, 2nd ed. (Cisco Press).Google Scholar
• Trend Micro Research (2019) 2019 midyear security roundup: Evasive threats, pervasive effects. Trend Micro (August 27), https://documents.trendmicro.com/assets/rpt/rpt-evasive-threats-pervasive-effects.pdf.Google Scholar
• U.S. Department of Health and Human Services (2016) Ransomware and HIPAA. HHS fact sheet. Accessed June 28, 2018, https://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf.Google Scholar
• U.S. Department of Justice (2017) How to protect your networks from ransomware. U.S. Department of Justice technical guidance document. Accessed June 28, 2018, https://www.justice.gov/criminal-ccips/file/872771/download.Google Scholar
• WebTitan (2019) How much money did WannaCry make? Accessed June 8, 2020, https://www.webtitan.com/blog/how-much-money-did-wannacry-make/.Google Scholar
• Wilson MA (2000) Toward a model of terrorist behavior in hostage-taking incidents. J. Conflict Resolution 44(4):403–424.Crossref, Google Scholar
• Yang L, Li P, Yang X, Xiang Y, Jiang F, Zhou W (2019) Effective quarantine and recovery scheme against advanced persistent threat. IEEE Trans. Systems Man Cybernetic Systems 51(10):5977–5991.Google Scholar
• Young A, Yung M (1996). Cryptovirology: Extortion-based security threats and countermeasures. Proc. IEEE Sympos. on Security and Privacy (IEEE, New York), 129–140.Google Scholar
• Zhao X, Xue L, Whinston AB (2013) Managing interdependent information security risks: Cyberinsurance, managed security services, and risk pooling arrangements. J. Management Inform. Systems 30(1):123–152.Crossref, Google Scholar