Pay the ransom or not? It’s complicated.
- By Susan Miller
- Jul 02, 2021
With ransomware attacks on the rise, many organizations are trying to decide if they can hold firm against attackers or will be forced to pay to decrypt their files. New research out of the University of Texas at Austin investigates how these decisions are made.
Defenders have two basic options: invest in systems that will reduce the chance of being exploited or refuse to pay the ransom, discouraging attackers from further disruption. Both options have incentive issues, the researchers wrote in their paper, “Coping with Digital Extortion: An Experimental Study on Benefit Appeals and Normative Appeals.”
Enhancing enterprise security can be expensive and refusing to pay can take business processes offline for an indefinite time – both disincentives for defenders. While organizations understand that paying ransoms encourages attackers to continue their exploits, negotiating with the attackers can whittle down the ransom demand, an incentive for the victim.
“When you’re trying to run a business, there is almost always a ransom that becomes similar to a break-even point,” Jingguo Wang, a professor of information systems and operations management at the university, told UTA News.
The researchers used behavioral game theory to study how human subjects analyzed strategic decisions around investing in cybersecurity or refusing to pay ransoms. They also explored how organizations can be nudged toward adopting strategies that decrease their exposure to digital extortion.
One potential solution to the ransomware problem at large is to strengthen social norms through community support of good behavior (investing in security solutions and refusing to pay ransoms). These normative appeals to what an organization ought to do and descriptions of what others are doing are effective at nudging the defenders into investing in security solutions and refusing to pay, the researchers said.
Further, when defenders refuse to pay the ransom, extortionists lower their ransom demands considerably and reduce the rate of attack slightly. Investing in security defenses only slightly lowers both the ransom demand and the rate of attack, they found.
The decision process is complicated by an organization’s competing priorities and the multiple mitigation strategies available. Interventions or appeals can drive defenders in the right direction, but they “may not have enough impacts to change investment rate and payment rate of a community significantly, particularly when attackers can influence the will of the defenders by lowering ransoms,” the researchers said in their paper.
“We must convince companies that just because the bad actors come down on the ransom, it doesn’t make it right to pay them -- and you’ll probably continue to have problems,” Wang said. “We need to encourage firms to do the right thing in security investing. Recognizing the long-term benefits of this approach could help other companies come to the right decision.”
Susan Miller is executive editor at GCN.