Slides from Tony Martin-Vegue's presentation at Security BSides, San Francisco: February 12, 2017.
"Should I Pay or Should I Go? Game Theory and Ransomware"
Ransomware infections are nasty and potentially devastating events that can cripple large companies and home computers alike. Ransomware comes in many varieties and works in different ways, but the basic scenario is the same: cybercriminals infect your computer with malicious software that blocks access to your system or important files until you pay the ransom. You have a finite number of days to pay if you ever want to see your files again.
Should you pay? The answer is a little more nuanced than “never pay” or “always pay.” The decision is a complex scenario of incentives and payoffs that can be analyzed with game theory. Game theory is a branch of mathematics that models conflict and cooperation between parties and is used in many real-world scenarios, inside and outside the Information Security field, including machine learning, poker games, allocation of security resources, kidnappings and nuclear war.
This talk will use the familiar topic of ransomware to introduce participants to game theory concepts like rational decision-making, zero-sum games, incentives, utility and Nash Equilibrium – all important tools that can help solve security problems. By analyzing ransomware decision-making with a game theory mindset, participants will learn a new set of skills and a new way of incentive-driven thinking. Participants may be surprised to find that ransomware response isn’t black or white.
7. Why is this an open problem? What incentivizes the players? Should one ever pay a ransom?
9. “Game Theory can be defined as the study of mathematical models of conflict and cooperation between intelligent rational decision-makers.” - Roger B. Myerson, Game Theory: Analysis of Conflict
15. Decision Tree
Cyber criminal
    Do not start ransomware campaign
    Start ransomware campaign
        Victim
            Restore from backup
            No backups available
                Use third party decrypter
                None available
                    Don't pay ransom
                    Negotiate/pay ransom
                        Cyber Criminal
                            Release Data
                            Don't release data
24. Resources
No More Ransom! Project
https://www.nomoreransom.org
Economics and Security (compiled by Ross Anderson)
https://www.cl.cam.ac.uk/~rja14/econsec.html
Game Theory: Analysis of Conflict (book) by Roger Myerson
Theory of Games and Economic Behavior (book) by John von Neumann
Editor's Notes
Hi – thanks for coming. I am very excited to be here.
I’m here to talk about game theory and ransomware.
When you are dealing with ransomware – incident responder, CISO, victim, etc. – what’s really going on? I’m not talking about the strain of ransomware or bitcoin or phishing emails. I’m talking about how your brain works when you are making tough, difficult decisions, and how people interact with each other when they are in adversarial situations.
Here’s a picture of me. My parents, to this day, brag about how TV was the best babysitter when I was young, but little else has changed.
I work for Lending Club – I manage the Information Security Risk team. Part of my job responsibilities –
Risk quantification of ransomware
Decision analysis; how do I provide information to leaders to make better decisions about possible events?
I particularly got interested in ransomware and game theory around the time Hollywood Presbyterian got hit in early 2016.
I’m from LA, I know this hospital well. It’s big – they have over 400 beds, 500 doctors – it’s a major regional care center. I’ve visited sick family and friends there.
- Around feb 4 2016 – Someone in the hospital clicked on a word doc inside of a phishing email
- The word doc was malicious and used to infect the system with the Locky strain of ransomware
IT dept believed it was spreading – some people couldn’t access the network, then more
Started shutting systems down proactively; other systems and servers were infected
Initial ransom was 3.6 million
System down for a week
Pen and paper
Re-route 911 patients
Pharmacy was offline
Oncology was offline
No lab work
They struggled for a week in this degraded state until they finally paid up
negotiated down to 17k
The question is, did they make the right decision?
Should they have not paid, should they have sucked it up?
The infosec community was very loud and vocal – most of us had this reaction:
Duh –
Dummies, this is what happens to you when you don’t patch, don’t have backups, don’t use linux, whatever
I would have never paid
There’s something else at play here.
We’re clearly losing the war against ransomware
Law firms and others setting up bitcoin retainers
On the rise – Kaspersky Labs: 2015, 1 infection every 2 minutes; 2016, 1 every 40 seconds
Best advice we have for people is just, don’t pay. People are paying. Why?
To answer that question, we need to ask more questions.
Here are the questions I have
Should one ever pay the ransom?
Spoiler alert – I know the title of this speech is should I pay or should I go
Going to give you the answer to this question now instead of waiting until the end. The answer is…. It depends. Like everything else in info sec, there is no yes/no binary answer. It’s all shades of risk.
I am however going to show you some tools you can use to start thinking about this problem in a different way
What is game theory?
“Game Theory can be defined as the study of mathematical models of conflict and cooperation between intelligent rational decision-makers.”
Price war
Nuclear war – one tangible example
Optimal ways to play hide and seek
Information security, from where to deploy network defenses to taking down cyber criminal rings
I’ve done it in the past, but I’ve made it a personal vow to never use the hoodie-wearing keyboard guy to symbolize a cyber criminal or hacker ever again. I’m using a raccoon from now on.
Let’s take a look at the choices. They are different – so this is an asymmetric game.
The criminal has two choices; they are the ones that choose to start the game.
Second, at the end of the game, they can choose to release data or not to release data. I haven’t been able to find any hard figures about the success rate of paying the ransom, but a few folks at one of the ISACs told me it’s about 80%. 80% of ransomware payments result in you getting your data back.
The victim has several choices when they are hit by ransomware.
Restore data from backup
Use or wait for a 3rd party decrypter kit
Negotiate or pay for ransom
Do nothing
Let’s take a look at these choices in a decision tree. Decision trees are another way, in addition to the payoff matrix, that we use to visualize decisions in games.
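As an added worked example (not the speaker's own code), here is the victim's half of that decision tree evaluated as expected costs. The chance node at the end of the "negotiate/pay" branch uses the 80% release rate quoted above; the 17k negotiated payment and the 3.6M initial demand come from the hospital case; every other figure (restore cost, data-loss cost, downtime cost per day, days of degraded operation) is a constructed placeholder that a risk team would replace with its own estimates.

```python
# Added example (not from the talk): expected-cost evaluation of the victim's
# branches in the decision tree. Every number below except the 17k negotiated
# payment, the 3.6M initial demand and the 80% release rate quoted in the talk
# is a constructed placeholder.
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass
class Scenario:
    backups_available: bool
    restore_cost: float          # downtime and effort to restore from backup
    decrypter_available: bool
    decrypter_cost: float        # effort and downtime to find and run a free decrypter
    ransom: float                # amount actually paid (after any negotiation)
    p_release: float             # chance the criminal releases the data once paid
    data_loss_cost: float        # cost of never recovering the data
    downtime_cost_per_day: float
    days_without_data: float     # expected days of degraded operation if data is lost


def expected_costs(s: Scenario) -> Dict[str, float]:
    """Expected cost of each leaf the victim can actually reach.

    Branches that are unavailable in this scenario (no backups, no decrypter)
    are absent from the result, mirroring the tree's "none available" nodes.
    """
    costs: Dict[str, float] = {}
    if s.backups_available:
        costs["restore from backup"] = s.restore_cost
    if s.decrypter_available:
        costs["use third party decrypter"] = s.decrypter_cost
    # Don't pay: the data is gone and the organisation runs degraded meanwhile.
    dont_pay = s.data_loss_cost + s.downtime_cost_per_day * s.days_without_data
    costs["don't pay ransom"] = dont_pay
    # Pay: the ransom is spent either way; with probability (1 - p_release) the
    # criminal keeps the keys and the victim still lands in the "don't pay" outcome.
    costs["negotiate/pay ransom"] = s.ransom + (1.0 - s.p_release) * dont_pay
    return costs


def best_option(s: Scenario) -> Tuple[str, float]:
    """The branch with the lowest expected cost."""
    costs = expected_costs(s)
    name = min(costs, key=costs.get)
    return name, costs[name]


def break_even_release_rate(s: Scenario) -> float:
    """Release probability at which paying and not paying cost the same.

    ransom + (1 - p) * dont_pay == dont_pay  =>  p == ransom / dont_pay
    Above this rate paying has the lower expected cost; below it, refusing does.
    """
    dont_pay = s.data_loss_cost + s.downtime_cost_per_day * s.days_without_data
    if dont_pay <= 0:
        return 1.0
    return min(1.0, s.ransom / dont_pay)


# Constructed stand-in for the hospital case: no usable backups, no decrypter,
# the 17k negotiated payment and the ISAC's 80% release figure.
HOSPITAL = Scenario(
    backups_available=False, restore_cost=0.0,
    decrypter_available=False, decrypter_cost=0.0,
    ransom=17_000, p_release=0.8,
    data_loss_cost=2_000_000, downtime_cost_per_day=200_000, days_without_data=14,
)


if __name__ == "__main__":
    for name, cost in expected_costs(HOSPITAL).items():
        print(f"{name:28s} expected cost {cost:>12,.0f}")
    print("best:", best_option(HOSPITAL))
    print("break-even release rate:", round(break_even_release_rate(HOSPITAL), 4))
```

With the constructed costs, refusing to pay carries an expected cost of 4.8M, paying 17k with an 80% release rate carries roughly 977k, and the break-even release rate is well under 1%, which is why a negotiated payment looks rational to the victim even though it feeds the campaign. Change `backups_available` to True and the tree collapses to "restore from backup"; raise the ransom to the 3.6M initial demand and drop `p_release` to 0.2 and "don't pay" wins instead.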
How do we disrupt this?
Incentives
Why are kidnappings down?
Anti-virus
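To show why incentives are the lever, here is an added example (not from the talk) that writes the pay / don't pay versus release / don't release choice as a payoff matrix and enumerates its pure-strategy Nash equilibria. The payoff numbers are constructed; the only inputs from the talk are the two players and their choices. The one parameter that matters is what an honest release is worth to the criminal beyond this single ransom, i.e. the future victims who will only pay if paying is known to work. That reputation value is what turns "nobody pays, nobody releases" into an equilibrium where paying is the victim's best response, and it is what the law-enforcement "don't pay" stance is trying to drain.

```python
# Added example (not from the talk): pure-strategy Nash equilibria of a small
# payoff matrix for the pay / don't pay versus release / don't release choice.
# The payoff numbers are constructed; only the shape of the game comes from the talk.
from typing import Dict, List, Tuple

Cell = Tuple[str, str]                      # (victim strategy, criminal strategy)
Payoffs = Dict[Cell, Tuple[float, float]]   # -> (victim utility, criminal utility)

VICTIM = ["pay", "don't pay"]
CRIMINAL = ["release if paid", "never release"]


def ransomware_game(ransom: float, data_value: float,
                    release_cost: float, reputation_value: float) -> Payoffs:
    """Build the payoff matrix for one victim and one criminal.

    reputation_value is what an honest release is worth to the criminal beyond
    this one ransom: the stream of future victims who will only pay if paying
    is known to work. Zero models a one-shot encounter with no reputation.
    """
    return {
        ("pay", "release if paid"): (data_value - ransom,
                                     ransom - release_cost + reputation_value),
        ("pay", "never release"): (-ransom, ransom),
        # If the victim does not pay, the criminal's release policy never fires.
        ("don't pay", "release if paid"): (0.0, 0.0),
        ("don't pay", "never release"): (0.0, 0.0),
    }


def pure_nash_equilibria(rows: List[str], cols: List[str], payoffs: Payoffs) -> List[Cell]:
    """Cells where neither player can gain by unilaterally changing strategy."""
    equilibria: List[Cell] = []
    for r in rows:
        for c in cols:
            victim_u, criminal_u = payoffs[(r, c)]
            # The victim is best-responding if no other row does better against c.
            victim_best = all(payoffs[(r2, c)][0] <= victim_u for r2 in rows)
            # The criminal is best-responding if no other column does better against r.
            criminal_best = all(payoffs[(r, c2)][1] <= criminal_u for c2 in cols)
            if victim_best and criminal_best:
                equilibria.append((r, c))
    return equilibria


if __name__ == "__main__":
    one_shot = ransomware_game(ransom=17, data_value=100, release_cost=1, reputation_value=0)
    repeated = ransomware_game(ransom=17, data_value=100, release_cost=1, reputation_value=30)
    print("one-shot:        ", pure_nash_equilibria(VICTIM, CRIMINAL, one_shot))
    print("with reputation: ", pure_nash_equilibria(VICTIM, CRIMINAL, repeated))
```

In the one-shot game the only equilibrium is ("don't pay", "never release"): releasing costs the criminal something and earns nothing extra, so a rational victim expects not to get the data back and refuses. Add a reputation value and ("pay", "release if paid") becomes a second equilibrium alongside the first; that is the world the 80% release figure describes, and the models in the talk are about which equilibrium the players end up in.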
Can most people find or use decrypters?
How do we help this?
Incentives
tie back to the hospital
Law enforcement is involved on a macro level. Ransomware is a crime, and the FBI and other LE investigate crimes and prosecute criminals. Given this as their main objective, they don’t really care about your data. I’m sure they do on some level, but what they really want to do is totally shut down the ransomware profit stream and dry up the money. How do you do that? Encourage people and companies not to pay the ransom, which is exactly what most LE do. This is the greater good.
What about AV vendors? They want to disrupt ransomware and malware infections, but only as it aligns with the firm’s value proposition. What do I mean by that? There are many cases reported in news of big pharma doing things that put profit over people. The same has been alleged many times about AV firms.
Incident responders – multi-faceted set of responses. It’s not just pay/don’t pay; there are things you can do. Partner with LE, some of the ISACs who can help with decrypters. DO NOT WAIT for an event to know the names of agents in the FBI. Also prepare for the eventuality that you may have to pay.
We have a lot of thought leaders, don’t we?
Thought leaders: recognize that this is an open problem and that we need help. Ransomware is the scourge of information security, and if people are paying or if they are stuck, don’t know what to do, we’re failing. We need infosec 2.0. The vast majority of IT shops will say patching is the biggest thing they struggle with. This needs to change.
Risk managers:
We need more rigorous analysis
Evidence based
Data driven
Encourage you to use economic models in your risk analysis insea
The era of licking your thumb and putting it in the wind is over --
risk matrix is debunked and we need
Go back to main point, “Ransomware response is a good example of how game theory can be used to analyze decisions, payouts and competition between actors.”
Encourage the audience to use economic models to study security problems.
Slide with resources/further reading