Ransomware is a growing threat to individuals and enterprises alike, constituting a major factor in cyber insurance and in the security planning of every organization. Although the game-theoretic lens often frames the game as a competition between equals -- a profit-maximizing attacker and a loss-minimizing defender -- the reality of many situations is that ransomware organizations are not playing a non-cooperative game; they are playing a lottery. The wanton behavior of attackers creates a situation where many victims are hit more than once by ransomware operators, sometimes even by the same group. If defenders wish to combat malware, they must seek to remove the incentives for it. In this work, we construct an expected value model based on data from actual ransomware attacks and identify three variables: the value of payments, the cost of an attack, and the probability of payment. Using this model, we consider the potential to manipulate these variables to reduce the profit motive associated with ransomware attacks. Based on the model, we present mitigations to encourage an environment that is hostile to ransomware operators. In particular, we find that off-site backups and government incentives for their adoption are the most fruitful avenue for combating ransomware.