Slides from Tony Martin-Vegue's presentation at NBTcon, San Francisco: December 03, 2016.
"Ransomware & Game Theory: To Pay, or Not to Pay?"
Abstract:
What do the San Francisco Giants, Cryptolocker and nuclear war all have in common? They all involve conflicts in which incentives, payouts and winning strategies can be analyzed with game theory. Game theory is a branch of mathematics that models conflict and cooperation between parties and is used in many real-world decision-making scenarios, inside and outside the Information Security field. Game theory is particularly useful in analyzing the extortionist / victim dynamic present in ransomware infection scenarios.
Ransomware comes in many varieties and works in different ways, but the basic setting is the same: cybercriminals infect a computer with malicious software that blocks access to the system or important files until the ransom is paid.
The conventional wisdom in information security regarding ransomware is to never pay. But, why? The answer is a little more nuanced than “never pay” or “always pay.” The decision is a complex scenario of incentives and payoffs. Who stands to gain when ransomware is paid? Who gains when it is not paid?
This talk will use the familiar topic of ransomware to introduce participants to game theory concepts like rational decision-making, zero-sum games, incentives, utility and Nash Equilibrium – all important tools that can help solve security problems. By analyzing ransomware decision-making with a game theory mindset, participants will learn a new set of skills and a new way of incentive-driven thinking.
3. About me
Tony Martin-Vegue
• Manager, Information Security Risk at SF-based Financial Institution
• CISSP, CISM, GCIH
• BS, Business Economics, University of San Francisco
• 20 years in IT
• Focus: Risk management, the economics of information security
4. Key Takeaways
• Learn about Game Theory
  • Decision analysis
  • Payoff matrix and decision tree
  • Cooperation / competition between actors
• Learn about Ransomware
  • Options you have when infected
  • Examine payouts, incentives
  • What happens when you pay the ransom?
7. Game Theory 101
“Game Theory can be defined as the study of mathematical models of conflict and cooperation between intelligent rational decision-makers.”
- Roger B. Myerson, Game Theory: Analysis of Conflict
8. Game Theory 101
• Study of cooperative and non-cooperative games since the early 1700s
• Emerged as a unique field via John von Neumann
• “Theory of Games and Economic Behavior” published in 1944
15. Players & Their Choices
Cyber Criminal
• Start/don't start ransomware campaign
• Release data/don't release data
Victim
• Restore data from backup
• Use or wait for a 3rd party decrypter kit
• Negotiate or pay for ransom
• Do nothing
16. Decision Tree
Cyber criminal
  • Do not start ransomware campaign
  • Start ransomware campaign → Victim
    • Restore from backup
    • No backups available → Use third party decrypter
    • None available → Don't pay ransom
    • None available → Negotiate/pay ransom → Cyber Criminal
      • Release Data
      • Don't release data
17. Incentives
Cyber Criminal
• (Almost) always purely profit driven
• Provide good customer service (good reputation = more victims)
Victim
• Want their data back / primary objective
• Time is a factor (e.g. can’t wait forever for a decrypter kit)
• Ransom needs to be reasonably priced
• SOMETIMES: greater good
23. How Can I Use This?
• Game theory and decision analysis can be used to analyze complex adversary/defender events
• In turn, you will have more data to communicate complex concepts to executives
• Try to think about risk in terms of economic decisions instead of red/yellow/green
Hi, thanks for coming. I am very excited to be here.
Ransomware and Game Theory: to pay or not to pay
Curious, how many of you would never ever pay a ransom?
What do the SF Giants, nuclear war and Cryptolocker all have in common?
It seems like the answer would be “nothing” but all three can be studied with a branch of economics called game theory.
In the case of warfare and baseball, game theory is regularly used to examine potential outcomes, decisions and strategy.
Today we’re going to learn about game theory and use it to analyze the decisions we make when dealing with ransomware incidents.
First, a little about me.
I’ve been in IT for about 20 years and in security for 10. I’ve worked for start-ups, large banks, small FIs, health care, global retailers and done a bit of consulting. I’ve been a primary incident responder in almost all of those roles and have had the opportunity to see lots of cyber extortion – not just ransomware like Cryptolocker, but some pretty nasty extortions.
As part of my job as an information security risk manager, I analyze these types of attacks from an economics perspective. Often, before an attack or during an attack, I crunch numbers and provide decision makers with projected dollar amounts – how much decision A will cost, versus decision B. I’m going to show you all how to analyze ransomware infections from an economics perspective.
My goal is that you will come away from this presentation with a better understanding of both ransomware and how economics can be used to solve information security problems.
Here are the Key takeaways you will gain from attending this presentation.
First, you will learn about Game Theory - what it is, how it works and why we use it.
We’re going to look at some tools we use to analyze decisions – the payoff matrix and decision tree.
We’ll also look at cooperation and competition between actors. As we’re going through this, think about this with your incident handling hat on. There may be competing incentives you haven’t thought about.
Another key takeaway is learning about Ransomware. This isn’t a technical presentation at all – I assume most, if not all of you can teach me a thing or two about how ransomware works from a technical perspective. We’re going to talk about this subject from an economics and decision perspective.
The last key takeaway here is what happens when you actually pay. When you pay, you’re harming everyone else. In economics, this is called a negative externality.
Ransomware is malicious software designed to lock a user out of a system or render data files unreadable until a ransom is paid.
This is a high level overview of how ransomware works. This particular example is Cryptolocker.
The cyber criminal infects the victim's computer with malware. This happens in a variety of ways, such as drive-by download, stealth download, social engineering, malware-infected ads and phishing. The victim clicks on a link and there it is – the computer is infected with ransomware.
At this point the ransomware starts encrypting every file on your drive with common extensions, like DOC, XLS, PPT, JPEG, etc. If the victim uses Dropbox or network storage, the files there can also be encrypted, making restoration very difficult. Most home users don’t have offline backups.
The victim is then given instructions to pay the ransom in order to restore the files.
This is a sample ransom note from Cryptolocker.
What is game theory?
“Game Theory can be defined as the study of mathematical models of conflict and cooperation between intelligent rational decision-makers.”
Famous economist Roger Myerson.
Thinkers and economists started studying how people compete and cooperate with each other and laid the groundwork for game theory in the early 1700s.
It didn’t emerge into its own unique field until the 20th century with John von Neumann. He wrote several landmark papers and finally published the book “Theory of Games and Economic Behavior” in 1944.
So I know that was really abstract and some of you might be struggling to understand how game theory applies in your everyday life.
So let's take a really common example of a very simple game that all of us play on an almost daily basis.
Here are two people walking down the street toward each other. They’re going to collide if one person doesn't swerve to the left or to the right.
Let's analyze this with game theory
So the first thing we're going to do is analyze the choices that each player has.
We have player 1 and player 2. Both players have the same set of choices.
They can walk straight or swerve out of the way to avoid a collision.
This is a payoff matrix. It’s a tool used in game theory to help us understand choices and payouts.
An assumption here – when you’re walking down the street, one doesn’t want to move if they don’t have to. We consider that the best response. It’s best to go straight. The worst is to collide. And somewhere in the middle is to swerve.
Each decision is given a number that represents its payout. Payouts can be positive or negative.
Here both players decide to go straight, causing a collision. This is the worst outcome and both players can improve their response.
Next we have both swerving.
Not too bad of an outcome. We assign each player a value of -1. Both players had to move, so it’s not the best response; this is why they get a negative number, even though they didn’t collide.
Both players can potentially improve their response
Last we have two outcomes. In each, one player swerves and the other goes straight.
For the winning players, this is the best response. They didn’t have to move.
Quick sidebar: this is an example of Nash Equilibrium. It describes a condition in which the players cannot improve their outcome, assuming the other player doesn’t change their strategy.
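The sidewalk payoff matrix and the Nash equilibrium check, written out as a small added example (not code from the talk). Only the -1 for swerving is from the slides; the collision and "went straight while the other swerved" values are constructed here, and the functions work for any two-player payoff matrix given as a dict, not just this one.

```python
# Sidewalk game from the talk. Only the -1 for swerving comes from the slides;
# the collision (-5) and 'went straight, other swerved' (+1) values are
# assumptions constructed for this example.
COLLIDE, SWERVE, BEST = -5, -1, 1

# payoffs[(player 1 action, player 2 action)] -> (player 1 payoff, player 2 payoff)
SIDEWALK = {
    ("straight", "straight"): (COLLIDE, COLLIDE),
    ("straight", "swerve"):   (BEST, SWERVE),
    ("swerve", "straight"):   (SWERVE, BEST),
    ("swerve", "swerve"):     (SWERVE, SWERVE),
}


def best_responses(payoffs, player, other_action):
    """Actions that maximise `player`'s payoff (0 or 1) when the other
    player's action is held fixed at `other_action`."""
    actions = {profile[player] for profile in payoffs}

    def payoff(action):
        key = (action, other_action) if player == 0 else (other_action, action)
        return payoffs[key][player]

    top = max(payoff(a) for a in actions)
    return {a for a in actions if payoff(a) == top}


def players_who_can_improve(payoffs, profile):
    """Players who would gain by unilaterally switching away from `profile`.
    This is the 'both players can improve their response' remark on the slides."""
    a1, a2 = profile
    improvers = set()
    if a1 not in best_responses(payoffs, 0, a2):
        improvers.add(0)
    if a2 not in best_responses(payoffs, 1, a1):
        improvers.add(1)
    return improvers


def pure_nash_equilibria(payoffs):
    """Profiles where nobody can improve by changing only their own action,
    i.e. the Nash equilibrium condition from the sidebar."""
    return sorted(p for p in payoffs if not players_who_can_improve(payoffs, p))


if __name__ == "__main__":
    for profile in SIDEWALK:
        print(profile, SIDEWALK[profile], "can improve:",
              players_who_can_improve(SIDEWALK, profile))
    print("Nash equilibria:", pure_nash_equilibria(SIDEWALK))
```

Running it lists the two straight/swerve cells as the only equilibria, and shows that in both the collision cell and the both-swerve cell each player could do better on their own.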
How does this apply to ransomware?
I’ve done it in the past but I’ve made a personal vow to never use the hoodie-wearing keyboard guy to symbolize a cyber criminal or hacker ever again. I’m using a raccoon from now on.
Let’s take a look at the choices. They are different – so this is an asymmetric game.
The criminal has two choices. First, they are the ones that choose to start the game.
Second, at the end of the game, they can choose to release data or not to release data. I haven’t been able to find any hard figures about the success rate of paying the ransom, but a few folks at one of the ISACs told me it’s about 80%. 80% of ransomware payments result in you getting your data back.
The victim has several choices when they are hit by ransomware.
Restore data from backup
Use or wait for a 3rd party decrypter kit
Negotiate or pay for ransom
Do nothing
Let’s take a look at these choices in a decision tree. Decision trees are another way, in addition to the payoff matrix, that we use to visualize decisions in games.
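The victim's branches of that decision tree, priced out as expected costs: an added example, not from the slides. The 80% release rate is the anecdotal figure quoted above; every dollar amount and other probability is constructed, and the optional externality term is the negative externality the talk comes back to at the end.

```python
from dataclasses import dataclass

# The 80% success rate for paying is the anecdotal figure quoted in the talk;
# every other number in this example is constructed, not from the slides.
P_RELEASE = 0.80


@dataclass
class Incident:
    data_loss: float        # cost to the victim of never getting the data back
    ransom: float           # demanded (or negotiated) ransom
    restore_cost: float     # cost of restoring from backup, if backups are usable
    backups_usable: bool    # False when backups are missing or were encrypted too
    p_decrypter: float      # chance a free 3rd-party decrypter turns up in time
    wait_cost: float        # downtime cost while waiting for that decrypter
    externality: float = 0  # cost pushed onto future victims when a ransom is paid


def expected_costs(inc, p_release=P_RELEASE, include_externality=False):
    """Expected cost of each terminal branch of the victim's decision tree.
    Branches the tree rules out (restore without usable backups) are omitted."""
    costs = {}
    if inc.backups_usable:
        costs["restore from backup"] = inc.restore_cost
    costs["wait for 3rd-party decrypter"] = (
        inc.p_decrypter * inc.wait_cost + (1 - inc.p_decrypter) * inc.data_loss
    )
    # Paying: the ransom is spent either way; with probability (1 - p_release)
    # the criminal keeps the data and the loss is incurred on top of it.
    pay = inc.ransom + (1 - p_release) * inc.data_loss
    if include_externality:  # the 'greater good' view: count the harm to others
        pay += inc.externality
    costs["negotiate/pay ransom"] = pay
    costs["do nothing"] = inc.data_loss
    return costs


def best_option(inc, **kw):
    """Branch with the lowest expected cost under the chosen assumptions."""
    costs = expected_costs(inc, **kw)
    return min(costs, key=costs.get)


# Constructed scenarios: a large outage with no usable backups, and a small one.
HOSPITAL = Incident(data_loss=2_000_000, ransom=17_000, restore_cost=50_000,
                    backups_usable=False, p_decrypter=0.1, wait_cost=500_000,
                    externality=100_000)
SMALL = Incident(data_loss=20_000, ransom=5_000, restore_cost=2_000,
                 backups_usable=False, p_decrypter=0.1, wait_cost=2_000,
                 externality=100_000)
```

`best_option(HOSPITAL)` picks paying, the same scenario with usable backups picks restoring, and `best_option(SMALL, include_externality=True)` shows how counting the harm to others changes the answer: it depends on what is at stake.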
There are two more players in this game that aren’t direct actors, but have incentives and payouts every time the game is played.
We’ve talked about incentives that the criminal and the victims have.
Law enforcement is involved on a macro level. Ransomware is a crime, and the FBI and other LE agencies investigate crimes and prosecute criminals. Given this as their main objective, they don’t really care about your data. I’m sure they do on some level, but what they really want to do is totally shut down the ransomware profit stream and dry up the money. How do you do that? Encourage people and companies not to pay the ransom, which is exactly what most LE agencies do. This is the greater good.
What about AV vendors? They want to disrupt ransomware and malware infections, but only as it aligns with the firm’s value proposition. What do I mean by that? There are many cases reported in the news of big pharma doing things that put profit over people. The same has been alleged many times about AV firms.
Go back to the sidewalk game – two players, but now imagine additional actors – law enforcement, AV vendors, regulators, all with their own agenda, telling you what to do and trying to influence your decision.
It still goes back to the original question – do you pay?
If you don’t have backups, or they are encrypted too and you are totally out of options, paying the ransom may get your data back. I’m never one to say “never pay”. I also don’t say always pay. I think it’s situational; it all depends on what is at stake.
If you pay, you are enriching criminals, emboldening them, and creating more victims.
If you don’t pay – and you have no other options and you’re looking at losing data and even putting people's lives at risk --
Like what happened with Hollywood Presbyterian in February. The ransom was originally 3.6 million, but they negotiated it down to 17k, when all other attempts to restore services failed. Patients' lives were literally at risk – people were at risk of dying because the systems were down for so long.
This is why, as an infosec professional, I don’t tell people never pay. I say it depends.
Would you feel comfortable with telling any of these firms to never negotiate?
Don’t fool yourself into thinking though that paying is harmless. Paying a ransom creates what economists call a negative externality.
A negative externality is when a third party suffers from an economic transaction.
A great example is air pollution. The factory makes goods, sells them and makes money. However, the people that live around the factory suffer from the pollution.
When you pay, you create a negative externality in that you are strengthening and enriching these gangs, motivating them to continue to victimize other people long after you pay them. If no one paid them, this whole problem would cease to exist. And this is why LE, security folks, AV vendors all tell people to never ever pay. They are appealing to the greater good.
Star Trek quote – the needs of the many outweigh the needs of the few, or the one.
I have taught you game theory in 25 minutes. Disclaimer: I’m trying to whet your appetite for economics and information security.
Go back to main point: “Ransomware response is a good example of how game theory can be used to analyze decisions, payouts and competition between actors.”
Encourage the audience to use economic models to study security problems.
Slide with resources/further reading