An interesting look at Ransomware by Éireann Leverett | Co-founder, Concinnity Risks, and Co-author: ‘Solving Cyber Risk’
Ransom and Extortion is an approach to making money through hacking. Other hackers find subtler and more interesting ways to make money like Fin5, or Magecart. Personally, I think hacking for money is gauche, which is why I prefer to do it out of curiosity and for my own understanding.
Extortion has been around since long before hacking or the US dollar. People will try to blame the victim for lack of security or a failure to backup, but this is ridiculous too. We shouldn’t accuse those targeted by abuse for deserving it. These criminal enterprises really are out to make money without regard to the impact on human life. Now getting to the intersection of ransomware and insurance, it is clear that negotiating is now a full blown industry. Clearly the ransoms get paid because the losses are assumed to be larger, but how big can the ransoms get?
What makes a ransom large? Most people assume it is the virus itself; how destructive it is, how widely it spreads, how well constructed. Let’s try a thought experiment though: what would happen if you were an elite cyber criminal and deployed ransomware in Cuba. The ransom can’t be more than anyone earns, and while there might be some variance within those earnings, it’s likely to be a pretty flat distribution. If your ransomware were to sample from a normally distributed range of incomes, you would certainly see more variance. Ideally though, you’d want to deploy your ransomware on companies with heavy tailed distributions of wealth. In other words, in a society like ours, where the distribution of wealth can be characterised by powerlaws, one really big score might be more than all the little ones combined!
Now we believe that ransoms alone are heavy tailed, and while there’s more research to be done to confirm distributions, the averages of ransoms fluctuate wildly. So in a nutshell, ransoms ALONE have heavy tails, and if you’re a bigger organisation, you’ll get asked for a bigger ransom. Just because you don’t know who they are doesn’t mean they don’t read your accounts. After all, they already hacked you, you can’t be sure you’ve got any secrets left.
One thing we can be sure of is that the losses are usually bigger than the ransoms. Otherwise it would be mathematically irrational to pay them! The real problem is figuring out the risk and return on investment before you get hit with the ransomware.