Take a moment to pity the extortionists because apparently they aren't very good at business, according to a new research paper. Though undoubtedly cyber-crime's favorite scam and, according to the FBI, one that could have earned its purveyors $US1 billion (£800 million) last year, ransomers are still failing to get the greatest value out of their illicit efforts.
The Economic Analysis of Ransomware was a collaborative effort between researchers from the University of Kent's schools of computing and economics. The report not only undresses the economics of ransomware but even offers suggestions as to how it might be made more efficient.
As part of the European RAMSES (RAnsomware and banking Malware analySis for intErnet forenSic) project, the report aims to understand and predict the behaviour of ransomware users in the coming years. An early draft of the paper was sent to a number of European law enforcement agencies with the aim of providing insight into this often-overlooked area of cyber-crime.
Ransomware has made great technical strides on its way to the top of cyber-criminality. The same cannot be said of its business practices. Dr Edward Cartwright, one of the paper's authors and a reader in economics at the University of Kent, told SC Media UK: “The recent WannaCry [attack] is perfect illustration of this. Nobody can doubt that the attack caused a lot of disruption. In terms of economics, however, it looked pretty inept and surely did not raise anywhere near as much money as it could have done for the criminals.”
The popularity of specific cryptocurrencies, like bitcoin, serves as an example of this inefficiency. How then, the paper asks, is somebody without access to or knowledge of bitcoin supposed to pay a ransom, especially in a short period of time as some families demand.
The larger inefficiencies, however, lie in the actual uniformity of the ransoms, where criminals could be maximising their profits by tailoring the ransom to the victim.
The logic goes that a victim will only pay if they value the encrypted files enough to actually pay the sum, set by the ransomers. Different kinds of victims will value different kinds of data differently and will have different bank balances from which to draw. Yet price discrimination is still at an early stage within ransomware, with only primitive forms of it being applied in a sub-optimal way.
The discounts that ransomware users have introduced in recent years do not seem to be effective either. Many still think that the illusion of clemency might make the victim more sympathetic to paying. Ransomware families like Cryptomix even offer discounts of up to 67 percent [for what?].
But even those who offer the greatest bargains, don't seem to rise to the levels of Cerber, which offers none. Cartwright told SC, “Basic economic and game-theoretic reasoning is unambiguous – there should be no discounts. This allows the criminals to ultimately get a higher ransom. So, Cerber seems to be on the right track.” This offering, the paper predicts, will soon fade out.
Cyber-criminals are simply not getting bang for their buck. The report notes that they ”should have at their disposal a wealth of data regarding the willingness of victims to pay a ransom. With only a rudimentary analysis of this data, they could almost certainly obtain higher profits”.
“With strong incentives for the criminals to innovate,” the report adds, “they are surely going to do so.”
Malvertising, the report suggests, may offer a way of figuring out the perfect ransom for the victim as it allows ad targeting along certain demographics.
A more efficient ransomware market might even be a good thing for everybody, explained Cartwright: “While there is no denying it would be better to have a world without ransomware, a world with economically competent ransomware may be better than a world with bad ransomware.”
Ransomware users need their victims to know that if they pay, they will get all of their files back. The more reliable a service cyber-criminals run, the more pliable their victims and the more money they will make.