April 16, 2024

Research Spotlight: The impact of widespread ransomware campaigns, a growing threat in today's digital landscape

Assistant Professor Duy Dao, Ph.D., discusses how ransomware creates interesting economic dynamics

It is not difficult to imagine a world where computers or software can be easily infected by ransomware, a kind of malware that restricts access to your files or system until you pay a ransom. For everyday consumers, these threats often come from clicking links in phishing emails, clicking on links to fake websites (spoofed to look like the website you were searching for), downloading unverified software, and using weak/re-used passwords without two-factor authentication. 

Traditionally, when software is risky to use (i.e., easy to hack), companies lower their prices to attract customers that are not averse to the risk. But in today’s world, where ransomware can spread across connected unprotected systems, customers are made up of two different groups: those that protect themselves from cyberattacks with patching systems and malware protection software, and those that don’t. Those who don’t protect themselves are not only at risk of getting hit with ransomware, but they also risk spreading malware to others they are connected to. 

Further, some of the major ransomware strains have ‘worm’ capabilities—ransomware that can spread from an infected system to other connected unprotected systems without the victims or attackers doing anything. This happened with the SamSam ransomware attack on US hospitals between 2017 and 2018, which spread across unpatched servers between connected hospitals, as well as the WannaCry ransomware attack in 2017. Within half a day, WannaCry had spread across the world, and it ultimately infected over 300,000 computers in just a few days.

Here is where it gets interesting for our research: the market for the software can grow as the threat of ransomware gets worse. Specifically, as attackers charge more in ransom, software companies can make more money while raising prices. 

Analyzing the Impact

Our analysis captures how the risk of a ransomware attack influences both the software vendor's pricing strategy and consumers' purchasing decisions, reflecting the unique aspects of ransomware attacks. Examining factors like ransom payment options, and how the ease of launching large-scale attacks affects the software market, consumer behavior, and overall social welfare, provides a more nuanced understanding of the economic forces at play in the world of ransomware. 

In this research setting, some of the unprotected customers are willing to pay ransom and others are not. However, as the ransom increases, customers previously willing to pay ransom will no longer pay; instead, they switch to protecting their systems in response to the increased threat. As a result, the risk of cyberattack is reduced for everyone, which in turn allows the software vendor to increase prices while the market expands. Those who don’t protect themselves by patching a known vulnerability that ransomware exploits can become spreaders of malware to others they are connected to who are also unprotected.  


Assistant Professor, Duy Dao, Ph.D., Haskayne School of Business

Reducing Consumer Risk

There are many ways in which unprotected consumers can limit the risk of ransomware, such as downloading software directly from a developer's or company’s website and downloading from online stores like app stores. Unfortunately, even then, a consumer searching for new apps with some desired functionality should be mindful that developers with malicious intent can figure out ways to bypass app store filters.

Some cybercriminals also use search engine optimization to promote fake websites as if they were legitimate, impersonating trusted entities like banks or popular services. To reduce the risk of clicking on a fake website, it is better for consumers to bookmark the sites they visit regularly than to manually type in links or search for those websites each time.

Another risk is re-using passwords across accounts, which can leave consumers vulnerable to attackers. When a person uses the same password across all accounts, they are at risk of someone being able to access their email, online storage service (Dropbox, Google Drive, etc.), or even their computer remotely. 

Changes in Practice & Policy 

Policymakers can mitigate attacks through security policies that increase barriers to entry and operating costs for attackers, increase the risk of being caught, reduce the ability of attacks to spread quickly, and increase consumers’ willingness to protect themselves. However, striking a balance in policy is important, as overly restrictive regulations could stifle innovation for smaller companies that cannot comply.

Responsibility can be balanced with stricter software security standards that make it harder for hackers to develop and deploy successful ransomware attacks, and by requiring companies to prioritize security features. Making it harder for hackers to exploit vulnerabilities creates a more secure digital environment for everyone. 

Stronger policies can also establish consequences for companies that fail to protect user data. This could include fines or legal repercussions, incentivizing companies to invest in better security measures and take data breaches seriously. 

In terms of enforcement, regulations could require more collaborative (for example, https://www.cnn.com/2021/10/04/politics/ransomware-arrests-ukraine/index.html) and timely reporting to law enforcement when breaches occur, allowing for faster identification and disruption of ransomware operations and reducing the spread of malware while the attack is under way. Regulations could also mandate communication to consumers in the case of a data breach, empowering consumers to take steps to protect themselves. 

Assistant Professor, Duy Dao, Ph.D., is a recently tenured faculty member in Business Technology Management at the Haskayne School of Business. He is currently working on research examining how policies that increase entry costs for attackers might backfire. 

This news feature discusses research from Terrence August, Duy Dao, Marius Florin Niculescu (2022) Economics of Ransomware: Risk Interdependence and Large-Scale Attacks. Management Science 68(12):8979-9002. https://doi.org/10.1287/mnsc.2022.4300
