The city of Dallas has been under a ransomware attack for about five weeks now.
The hacker group known as Royal took responsibility for knocking out city websites, the municipal court and the police department’s dispatch system.
As these attacks become more and more common, how should businesses or municipalities respond if targeted?
KERA’s Bekah Morr spoke with Dr. Kay Yut Chen, professor of information systems and operations management at the University of Texas at Arlington.
His research uses behavioral game theory — the study of how people make decisions based on social and other factors — to look at the tactics used by hackers and the best ways to avoid a ransomware attack in the first place.
“You can think of it as a business,” Chen says. “So from a business perspective, what happened is that they spent effort, they spent time.”
“From that perspective, who are the agents or roles involved? You have the defenders and you have the attacker,” he adds. “And so essentially, you can use the thinking of game theory to look at that interaction, look at that incentive, look at that behavior.”
The below interview has been edited for length and clarity.
What did you find about the different players in this, whether it was a government, municipality or business — how did the players typically react?
Chen: We found a fascinating kind of like web of interaction or interrelationship. So one thing we found that is really interesting that is not often thought about, is the fact that the amount of ransom is a negotiation. It’s fairly cheap to hack into your computer system, and they usually target systems that have a large amount of value like a hospital or a large government agency. And if you don’t operate for a day, you know, millions and millions are lost. So usually that means there’s a lot of room for negotiation.
Now, you can basically tell the defender, you can tell the business and say, “this is wrong — do not negotiate with the bad guys, don’t pay them.” In fact, even add a penalty and say if you pay them, you know, I will put this penalty on you. So we tested all of these things in the lab — basically what we found is that there is a reaction to that.
But interestingly, the reaction is not directly from the business, but actually is from the attacker. The attacker, knowing this is going to happen, will essentially say, “OK, I understand. I’ll make it worth your while. I can reduce the amount of the ransom I’m going to ask.”
Basically, the hackers kind of create an incentive for whoever they’re attacking to want to pay this ransom, even if it is a little bit lower than their original asking price?
Chen: That’s right. Because you think about it, at the end of the day, they want to get paid and they have a large profit margin because the cost of doing this is relatively low. And because of that, the room for negotiation is large.
Now, there’s actually theoretically one way to get rid of them completely, which is if everybody decides they’re absolutely not going to pay. Then they will just go away and do something else. But that is not realistic at all because they have this room for negotiation. I mean, think about it: I’m losing billions of dollars of business every single day and he asked me really for $100,000. It’s very, very hard to toe the line.
So even though there’s no hard and fast solution to this, what in your opinion, after conducting this research, is the best way for a business or a municipality to respond to a ransomware attack?
Chen: One is to invest in your cybersecurity. The more you invest in it, the harder it becomes for them to get through. If it is very, very hard to get through, then they pick an easier target.
The second part, which is much, much harder: Is there a way to band together and refuse to pay? Again, we talked about incentive already. People would really have a huge incentive to get through this because they are thinking about their business in the next week, “how much money am I losing?” They’re not thinking about the long term, about making the whole problem worse.
And then the third thing is the enforcement perspective. So again, the basic idea is: can we make the cost of doing business really high for the attacker?
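The incentive structure Chen describes (a cheap attack, a defender bleeding money every day of outage, a ransom negotiated somewhere in between, and a penalty on paying that the attacker absorbs by lowering the demand) can be made concrete with a small sequential game. The following is an added illustration written for this page; it is not Dr. Chen's experimental design, model or data, and every number in it (daily loss, recovery time, attack cost, the one-day outage assumed even after paying) is an assumption chosen only to make the incentives visible.

```python
"""A toy sequential-game model of a ransomware negotiation.

Added illustration, not Dr. Chen's experimental design, model or data.
The attacker moves first by naming a ransom, the defender then decides
whether to pay, and the attacker anticipates that decision (backward
induction). All parameters are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Defender:
    daily_loss: float         # revenue lost per day of outage (assumed)
    recovery_days: float      # days to restore from backups without the key (assumed)
    pay_penalty: float = 0.0  # fine or other cost imposed on the defender for paying
    never_pay: bool = False   # a credible, binding commitment to refuse any ransom


@dataclass(frozen=True)
class Attacker:
    attack_cost: float        # effort and time spent getting in (assumed to be low)


RESTORE_DAYS_AFTER_PAYING = 1.0  # assumption: decrypting still costs a day of outage


def defender_pays(d: Defender, ransom: float) -> bool:
    """Defender's best response to a demand.

    Pays only if ransom + penalty + the residual outage is cheaper than riding
    out the full recovery. Simplification: the decryptor is assumed to work.
    """
    if d.never_pay:
        return False
    cost_if_pay = ransom + d.pay_penalty + RESTORE_DAYS_AFTER_PAYING * d.daily_loss
    cost_if_refuse = d.recovery_days * d.daily_loss
    return cost_if_pay < cost_if_refuse


def attacker_best_demand(a: Attacker, d: Defender, step: float = 1_000.0) -> tuple[float, float]:
    """Attacker's profit-maximising demand given the defender's best response.

    Scans candidate demands in increments of `step` up to the defender's total
    outage loss. Returns (demand, profit); a demand of 0 means no demand the
    defender would pay exists, so the attacker only sinks the attack cost.
    """
    ceiling = d.recovery_days * d.daily_loss
    best_demand, best_profit = 0.0, -a.attack_cost
    r = step
    while r <= ceiling:
        profit = (r if defender_pays(d, r) else 0.0) - a.attack_cost
        if profit > best_profit:
            best_demand, best_profit = r, profit
        r += step
    return best_demand, best_profit


def attack_is_worthwhile(a: Attacker, d: Defender) -> bool:
    """The attacker proceeds only if the best achievable profit is positive;
    otherwise they move on to an easier target."""
    return attacker_best_demand(a, d)[1] > 0


if __name__ == "__main__":
    attacker = Attacker(attack_cost=50_000.0)
    scenarios = {
        "baseline (10-day outage, no penalty)": Defender(1_000_000.0, 10.0),
        "penalty of 500k for paying": Defender(1_000_000.0, 10.0, pay_penalty=500_000.0),
        "backups cut recovery to 1 day": Defender(1_000_000.0, 1.0),
        "binding refusal to pay": Defender(1_000_000.0, 10.0, never_pay=True),
    }
    for label, d in scenarios.items():
        demand, profit = attacker_best_demand(attacker, d)
        print(f"{label:40s} demand={demand:>12,.0f} profit={profit:>12,.0f} "
              f"attack={'yes' if attack_is_worthwhile(attacker, d) else 'no'}")
```

Three of Chen's points fall out of the model directly. A penalty on paying does not stop the payment; the attacker, anticipating it, simply lowers the demand by exactly the penalty and still collects. Investment that shortens recovery (good offline backups and a rehearsed restore) shrinks the room for negotiation, and once the largest payable ransom no longer covers the attack cost the attacker walks away. A binding refusal to pay has the same effect, which is why it only works if it is credible across the board rather than decided under pressure in the week of the attack.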
Got a tip? Email Rebekah Morr at email@example.com. You can follow her on Twitter @bekah_morr.