Winning the Ransomware Lottery: A Game-Theoretic Model for Mitigating Ransomware Attacks
Erick Galinkin

TL;DR
This paper introduces a game-theoretic model of ransomware attacks as a lottery, analyzing how manipulating attack variables like payment value and backup incentives can reduce attacker profits.
Contribution
It develops an expected value model based on real attack data and proposes mitigation strategies such as off-site backups and government incentives.
Findings
Off-site backups significantly reduce ransomware profitability.
Manipulating payment and attack costs can disincentivize attackers.
Government incentives enhance backup adoption and attack deterrence.
Abstract
Ransomware is a growing threat to individuals and enterprises alike, constituting a major factor in cyber insurance and in the security planning of every organization. Although the game-theoretic lens often frames the game as a competition between equals -- a profit-maximizing attacker and a loss-minimizing defender -- the reality of many situations is that ransomware organizations are not playing a non-cooperative game; they are playing a lottery. The wanton behavior of attackers creates a situation where many victims are hit more than once by ransomware operators, sometimes even by the same group. If defenders wish to combat malware, they must then seek to remove the incentives for it. In this work, we construct an expected value model based on data from actual ransomware attacks and identify three variables: the value of payments, the cost of an attack, and the probability of…
Taxonomy
Topics: Advanced Malware Detection Techniques · Spam and Phishing Detection · Cybercrime and Law Enforcement Studies
