How does ransomware work? Understanding the economics

Operating ransomware is a business. Deciding whether to pay a ransom should be a business decision too.

The WannaCry ransomware exploded onto the scene in mid-May, bringing computer systems in organizations as diverse as FedEx and the U.K.'s National Health Service to a grinding halt. There's no indication that its authors targeted these organizations specifically, and the malware will happily infect any vulnerable computer system that it comes across in order to hold the data stored on it to ransom.

In other words, WannaCry is an unscrupulous money-making tool, and its purpose is to make whoever is behind it rich. Operating a piece of ransomware like WannaCry is really just a business. An illegal business, but a business nonetheless.

The purpose of any business is to maximize profits, and to do that it is important to charge the right price. When it comes to ransomware, the amount demanded as a ransom is effectively the price. The dilemma for the criminal behind the ransomware is whether to set the ransom relatively low in the hope that a large number of victims will pay up, or to set the ransom much higher to get a smaller number of big payments. Which pricing strategy yields higher revenues depends on what economists call the price elasticity of demand.

It turns out that the average ransom demanded is about $700, although in about 20 percent of cases the ransom may be as high as $1300, according to research carried out by security software vendor Trend Micro. "If you look at the demands they are relatively low — they are in the ballpark of what people can afford to pay," says Bharat Mistry, a Trend Micro cybersecurity consultant. That would suggest that ransomware criminals believe the price elasticity of demand is relatively high: a small increase in the ransom demanded will lead to a much greater fall in the people willing or able to pay it, resulting in less overall profit.

But the fact that there is such a variation between the average and the highest ransom demands suggests that ransomware criminals are still testing the market to see what level of ransom produces the highest profit. It may even be that some criminals are carrying out A/B tests, sending out variants of the same ransomware that differ only in the ransom demanded in order to establish the optimum ransom to maximize profits.

It has not been proven that ransomware criminals are engaging in this type of behavior, but they are certainly using other established business practices to maximize profits. For example, Recorded Future, a threat intelligence company based in Massachusetts, recently discovered a piece of ransomware called Fatboy that alters the ransom demanded based on the geographic location of the victim's machine. It uses the Economist's Big Mac Index, which measures the purchasing power parity between two currencies, to try to ensure that the ransom is "affordable".

That means that the ransom demanded from a victim in a rich country like the U.S. is higher than the ransom demanded from a victim in a less affluent country like Egypt. In economic terms this is a type of price discrimination similar to offering discounts to students: it aims to charge more to those who can afford to pay more, without pricing out those who can afford less.

Another business practice that many ransomware criminals use is to offer a hefty price discount — often 50 percent — if the victim pays up within three days. There are many reasons why businesses of all types offer discounts to customers who are prepared to make a buying decision quickly, and to understand why ransomware criminals offer discounts it's necessary to consider the ransomware victim's perspective.

Should you pay the ransom?

Put bluntly, what should a business do if one or more of its computers is hit by ransomware? The advice of many law enforcement and government agencies is that companies should never pay the ransom, because this rewards criminals and encourages them to carry out more attacks. If no one ever paid a ransom to unlock their data then the whole ransomware business would disappear.

That's the course of action that's in the long-term best interest of everyone, but while refusing to pay may be in the best interest of the business community as a whole, it is not necessarily in the best interest of a particular ransomware victim who may permanently lose access to vital data and go out of business. Faced with a choice between refusing to pay a ransom in order to serve the best interest of the community and going out of business in the process, or paying a relatively modest ransom and staying in business, the obvious choice is to pay the ransom.

This fact has not been lost on most businesses: although 66 percent of companies say that they would not pay a ransom to criminals under any circumstances as a point of principle, it turns out that 65 percent of companies pay a ransom when they are hit by ransomware, according to Trend Micro's research.

Some law enforcement agencies appear to understand this too, according to Gary Sockrider, principal security technologist at Arbor Networks, another Massachusetts-based security software vendor. "The official position of law enforcement agencies is never to pay a ransom," he says. "But if you talk to ransomware victims they sometimes say explicitly that they were advised (by a law enforcement agency) to pay the ransom."

The reasons that companies offer for giving in to the criminals' demands are relatively simple, according to the Trend Micro survey. They fear incurring fines (from regulators and other bodies) for losing data, they want to regain access to important data, and they feel that the ransoms are relatively low.

This shows that the decision to pay or not to pay a ransom is rarely made on a point of principle. The choice comes down to a rational business decision. When a company loses access to some of its data, this has cost implications: they may face fines, there may be costs involved in recreating that data, and they may even go out of business.

Now, it may be possible to regain access to that data by reimaging the affected systems and restoring data from backups (if backups are available). This involves a cost, and further costs may be incurred due to loss of business during the time it takes to restore these systems, which can often be several days.

An alternative to restoring data — if that is even an option — is to pay the ransom, and if the cost of regaining access to the data by paying the ransom is less than the cost of regaining access through reimaging and restoring, then it would seem to make good business sense to pay the ransom.

This may explain why ransomware authors offer discounts for prompt ransom payment: if a company can restore its data in a day or two then the cost may be relatively low. That means the ransom also needs to be low for the first few days to be a cheaper alternative. On the other hand, this may just be a marketing tactic intended to incentivize victims to pay quickly without exploring alternatives more fully.

There are, however, complicating factors when deciding whether to pay the ransom based on the economics of recovery. For one thing, there's no guarantee that paying the ransom will result in the criminal handing over the encryption keys. He may just take the money and run.

But that outcome is unlikely because it is in the interest of the criminal to hand over the encryption keys on receipt of a payment. That's because if word gets out that the criminal behind a piece of ransomware is not "trustworthy" then ransom payments are likely to grind to a halt.

That's the theory, and in practice it holds true the majority of the time: criminals hand over the encryption keys as often as 70 percent of the time, Sockrider estimates. "I think a figure of 65 percent to 70 percent is credible," he says. "The majority of these criminals do unlock your data if you pay because they would break the ransomware business model if they didn't. These people do have to trade on their reputation, and if enough people don't get anything back in return for a ransom then why would anyone pay?"

So in economic terms, companies should factor the risk of not getting the encryption keys from the criminals into their cost calculations. (That's because paying $1000 to recover your data is a better deal than paying $1000 for a 65 percent to 70 percent chance of recovering your data.)

Another complicating factor is that it is possible that paying a ransom marks you out as a "ransom payer" who will be targeted again by the same or other criminals. It's not clear if this actually happens in practice, but it is worth bearing in mind that paying a ransom may have an additional uncertain future cost.
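
The cost comparison built up in the paragraphs above can be written as a small expected-cost model. This is an added example, not part of the original article: the $700 demand, the 50 percent three-day discount and the 65 percent key-delivery rate are the article's figures, while the restore cost, downtime values, the `retarget_cost` parameter and all function names are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Incident:
    base_ransom: float        # full ransom demanded (USD)
    restore_cost: float       # reimage + restore labour (constructed figure)
    downtime_per_day: float   # lost business per outage day (constructed)
    restore_days: float       # days needed to restore from backups
    p_keys: float             # chance the criminal hands over working keys
    retarget_cost: float = 0.0  # assumed future cost of being a known payer

def ransom_on_day(i, day, discount=0.5, window_days=3):
    """Ransom owed on `day`, with the early-payment discount applied."""
    return i.base_ransom * (1 - discount) if day <= window_days else i.base_ransom

def cost_of_restoring(i):
    return i.restore_cost + i.downtime_per_day * i.restore_days

def expected_cost_of_paying(i, day):
    # The ransom is spent either way; with probability 1 - p_keys no keys
    # arrive and the victim has to restore anyway. Assumes backups exist and
    # ignores extra downtime spent waiting for keys.
    return (ransom_on_day(i, day)
            + (1 - i.p_keys) * cost_of_restoring(i)
            + i.retarget_cost)

def break_even_ransom(i):
    """Largest ransom for which paying is still the cheaper option."""
    return i.p_keys * cost_of_restoring(i) - i.retarget_cost

def cheaper_option(i, day):
    return "pay" if expected_cost_of_paying(i, day) < cost_of_restoring(i) else "restore"

# Constructed incident: $700 demand, 65 percent key delivery (article figures);
# restore cost, downtime and duration are made-up sample values.
SAMPLE = Incident(base_ransom=700, restore_cost=400, downtime_per_day=200,
                  restore_days=2, p_keys=0.65)

if __name__ == "__main__":
    print("restore:", cost_of_restoring(SAMPLE))
    for day in (1, 5):
        print(day, round(expected_cost_of_paying(SAMPLE, day), 2),
              cheaper_option(SAMPLE, day))
    print("break-even ransom:", round(break_even_ransom(SAMPLE), 2))
```

With these sample numbers the break-even ransom is `p_keys` times the restore cost: the discounted demand falls below it and the full demand does not, and any non-zero `retarget_cost` lowers the break-even further.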

For most companies, then, the decision whether to pay the ransom demanded by criminals to decrypt data should be an economic one: will it cost less, all things considered, to pay the ransom or not to pay the ransom? Deciding not to pay on principle may sound admirable, but it may not be in the best interests of the business or its shareholders.
