
How does ransomware work? Understanding the economics

Paul Rubens | July 28, 2017
Operating ransomware is a business. Deciding whether to pay a ransom should be a business decision too.

That means that the ransom demanded from a victim in a rich country like the U.S. is higher than the ransom demanded from a victim in a less affluent country like Egypt. In economic terms this is a type of price discrimination similar to offering discounts to students: it aims to charge more to those who can afford to pay more, without pricing out those who can afford less.

Another business practice that many ransomware criminals use is to offer a hefty price discount — often 50 percent — if the victim pays up within three days. There are many reasons why businesses of all types offer discounts to customers who are prepared to make a buying decision quickly, and to understand why ransomware criminals offer discounts it's necessary to consider the ransomware victim's perspective.


Should you pay the ransom?

Put bluntly, what should a business do if one or more of its computers is hit by ransomware? The advice of many law enforcement and government agencies is that companies should never pay the ransom, because this rewards criminals and encourages them to carry out more attacks. If no-one ever paid a ransom to unlock their data then the whole ransomware business would disappear.

That's the course of action that's in the long-term best interest of everyone, but while refusing to pay may be in the best interest of the business community as a whole, it is not necessarily in the best interest of a particular ransomware victim who may permanently lose access to vital data and go out of business. Faced with a choice between refusing to pay a ransom in order to serve the best interest of the community and going out of business in the process, or paying a relatively modest ransom and staying in business, the obvious choice is to pay the ransom.

This fact has not been lost on most businesses: although 66 percent of companies say that they would not pay a ransom to criminals under any circumstances as a point of principle, it turns out that 65 percent of companies pay a ransom when they are hit by ransomware, according to Trend Micro's research.

Some law enforcement agencies appear to understand this too, according to Gary Sockrider, principal security technologist at Arbor Networks, another Massachusetts-based security software vendor. "The official position of law enforcement agencies is never to pay a ransom," he says. "But if you talk to ransomware victims they sometimes say explicitly that they were advised (by a law enforcement agency) to pay the ransom."

The reasons that companies offer for giving in to the criminals' demands are relatively simple, according to the Trend Micro survey. They fear incurring fines (from regulators and other bodies) for losing data, they want to regain access to important data, and they feel that the ransoms are relatively low.
