Featured news and headlines | KU News

LAWRENCE — Around $1 billion gets paid by victims of ransomware attacks each year. But is payment the right strategy?

“In the short run, paying the ransom is often the easiest way out. Yet by paying the ransom, you are encouraging hackers to come back, not just for you but for everyone else,” said Debabrata Dey, the Davis Area Director of Analytics, Information, and Operations and the Ronald G. Harper Professor of Artificial Intelligence and Information Systems at the University of Kansas.

His new paper, titled “‘Extortionality’ in Ransomware Attacks: A Microeconomic Study of Extortion and Externality,” examines when organizations accede to ransom demands and, in doing so, incentivize attackers to launch more attacks, elevating the chance of a future breach not just for themselves but for others. The paper also weighs whether policymakers should get involved, either through punitive measures to discourage payment or through taxes and subsidies to compensate for payment.

The study appears in Information Systems Research.

Dey and co-author Atanu Lahiri of the University of Texas at Dallas created a model of how firms may react to ransom demands, which provides a framework for comparing different policy interventions and strategies. The researchers additionally introduced the term “extortionality,” which they define as “extortion due to externality.”

“If you look at the economy — and specifically at the cyber economy — ransomware attacks are more important at an organizational level than at an individual level. Hackers are more interested in organizations because they can get a lot more money for every success,” Dey said.

Thus, the impact of externalities is also magnified.

“Externalities are like pollution, for example. If I have a paper factory, and I am polluting the effluent stream that then pollutes a river, that’s an externality. Because through my action, I’m imposing a cost on the society. I’m imposing a cost on the fishermen down the stream without having to pay for it,” he said.

In the case of ransomware (defined as malicious software designed to block access to a computer system until a sum of money is paid), the externality is tied to payment. If a company pays, it encourages other hackers, who may be emboldened to attack more companies. Or worse, hackers may attack a critical institution such as a power plant. If that ransom is not paid, a city’s electricity could go dark, creating chaos in society itself.

So if Dey were a CEO of a corporation that was the target of ransomware, how would he use this research to develop a strategy to combat it?

“I would first do a full-fledged analysis of the company’s situation: How bad is the attack, what resources are getting compromised, what services are going to be hampered and for how long, how many people are going to be touched through this process, how many users, how many consumers? Those are all considerations the CEO must figure out,” he said.

But equally important is for an organization to prepare ways to avoid such a breach. Dey cites two types of avoidance mechanisms: protective and backup. Protective involves investing in technology as well as in education of users. Oftentimes, a breach occurs because an employee gets a phishing email and unknowingly clicks on it.

“Backup and recovery systems are also very important because irrespective of what you do, there will be situations where you get breached. You can be 100% cautious, but there is no fail-safe system,” he said.

“If your backup and recovery system is good, then as a CEO, you’ll say, ‘OK, let’s do a quick analysis of the damage that we are going to go through, what kind of recovery we can have, how long will it take for us to come back to the original state?’ And if that cost is not very large, then you might decide not to pay the ransom.”

Dey first became interested in this topic almost a decade ago when a massive ransomware attack breached computers in over 100 countries worldwide.

“I have a relative who’s a doctor in a hospital in India, and we were talking about how their hospital reacted to the breach. That’s when my interest really started growing. Then suddenly, you see all these ransomware attacks in the U.S. The DCH Health System based in Alabama was breached, and three DCH hospitals were impacted. Then a meat processing farm. Then a gas pipeline. There have been so many of them,” he said.

A KU faculty member since 2022, Dey specializes in artificial intelligence and information systems. He has also recently focused on issues related to public policy. His most recent article, titled “Polarization or Bias: Take Your Click on Social Media,” appeared in the Journal of the Association for Information Systems.

“At the end of the day, what is the most practical solution to dealing with ransomware?” Dey asked. “The solution is investing toward these events not happening. Because once it happens, it could be a long day or a long week or even a long month.”
