Game Theoretic Analysis of Ransomware: A Preliminary Study

Rudra Prasad Baksi and Shambhu Upadhyaya

Department of Computer Science & Engineering, University at Buffalo, SUNY, Buffalo, NY, U.S.A.

Keywords:

Cryptography, Computer Security, Cyber-security, Game Theory, Ransomware.

Abstract:

Ransomware attacks have been frequent and wreaking havoc of the kind never seen before. This paper presents

an analysis of a basic type of ransomware. When faced with a ransomware attack, the victim needs to address

a question whether to pay or not to pay the ransom. In this regard, we develop a game-theoretic model to

analyze the attack landscape and to determine under what conditions the defender is in a position of advantage

to successfully neutralize the attack. In this preliminary analysis, we develop strategies which would help the

victim to make an informed decision. We put forward two parameters that help the defender make an informed

decision in the face of an attack. We perform a sensitivity analysis to show how the variation of the parameters

affect the outcomes of the attacker and the defender and thereby affecting the equilibrium strategies. We then

discuss how the outcome of the model can help defenders to come up with an effective defense mechanism

against similar future attacks.

1 INTRODUCTION

Ransomware are a type of malware which encrypt

critical data of a system and hold them for a ransom.

If the ransom is paid, then the data is released, else it

is made inaccessible to the victim. There are primar-

ily three types of ransomware, the locker, the crypto,

and the hybrid (Zakaria et al., 2017). The locker locks

the entire system and denies the user any access to it.

On the other hand, crypto encrypts only critical data

found on the system. It targets speciﬁc ﬁles and/or

folders. The hybrid variant of the malware possesses

capabilities of the other two types of ransomware.

More recent variants of ransomware come with addi-

tional features like campaign abort strategy or a con-

tingency plan of attack upon being discovered prior

to the launch of attack. They qualify as advanced per-

sistent threats (APT) (Baksi and Upadhyaya, 2018).

In this paper, we limit ourselves to non-APT type

ransomware so as to obtain some preliminary results

which can later be extended to cover more sophisti-

cated malware and/or APT type ransomware.

Ransomware attacks have been wreaking havoc in

the industry and/or government organizations. It is

a nuisance which not only hampers daily working of

the government and/or industry but also makes it dif-

ﬁcult for common people to carry out their normal

activities. Ransomware attacks may cause healthcare

facilities, schools, public transport organizations, po-

lice stations, gas stations, IoT infrastructure of many

organizations, and many more institutions to suspend

their daily services (Milosevic et al., 2016). In April

2017, Erie County Medical Center (ECMC) came un-

der ransomware attack by a ransomware named Sam-

Sam. ECMC refused to pay the ransom of $30,000 in

crypto currencies and ended up spending around $10

Million in system restoration. But they were covered

by cyber insurance (Davis, 2017) (Goud, 2017). In

March 2018, the city of Atlanta came under the Sam-

Sam attack. The ofﬁcials refused to pay the ransom

of $51,000 in crypto currencies and ended up spend-

ing somewhere between $2.6 Million to $17 Million

in restoration of the systems with years of police

data lost (Deere, 2018) (Newman, 2018). Colonial

Pipeline came under attack by a ransomware called

DarkSide and they paid a ransom of $4.4 Million

(75 bitcoins) (BBC, 2021). This ransomware attack

caused fuel shortages in many areas including cities

and airports. It caused loss of business and disruption

of public life and fuel prices went up. These are some

of the examples of ransomware attacks the country

has faced recently. Many attacks go unreported for

some reason or the other. But the threat is real and

so is the damage suffered from the attacks. The af-

fected agencies and institutions would like to make a

quick decision in order to restore services so that pub-

lic life can return to normalcy. In doing so, they need

to make not only a quick decision but it should also

242

Baksi, R. and Upadhyaya, S.

Game Theoretic Analysis of Ransomware: A Preliminary Study.

DOI: 10.5220/0011006600003120

In Proceedings of the 8th International Conference on Information Systems Security and Privacy (ICISSP 2022), pages 242-251

ISBN: 978-989-758-553-1; ISSN: 2184-4356

be strategic. Our paper dives into the area of this deci-

sion making. The research presented here would help

a victim to make an informed decision when faced

with such an attack.

We use game theory to analyze a form of ran-

somware which we call a basic ransomware in the rest

of this paper. We design a two player sequential game.

One of the players is the attacker whereas the other is

the victim and/or defender. Through the analysis we

determine optimal strategies for both the attacker and

the defender. Then we present equilibrium solutions

for different conditions. We also perform a sensitivity

analysis to examine how the decisions of both players

are being affected when the values of the decision pa-

rameters change. The major contribution of this paper

is the presenting of a parameter to quantify the impor-

tance of the value of resources under attack and the

introduction of a new parameter to better understand

the reputation of the attacker. We, thus make the im-

portance of the resources under siege and the reputa-

tion of the attacker as quantiﬁable metrics and a part

of the decision making process. The paper is orga-

nized as follows. In Section 2, we discuss some back-

ground information and related work in this area. In

Section 3, we present our game theory based analysis

of the basic ransomware. We then analyze the results

in Section 4 and investigate the sensitivity of the val-

ues of the parameters while making an informed de-

cision and put forward a prescriptive solution of pre-

paredness and mitigation of the ransomware attack.

Finally, we conclude the paper in Section 5 and ex-

plore the possibilities of future research in tackling

more sophisticated ransomware attacks.

2 BACKGROUND AND RELATED

WORK

Zakaria et al. (Zakaria et al., 2017) investigated the

rise in spread of ransomware, and laid down the main

areas for research on ransomware starting with the de-

tection using indicators of compromise (IoC), signa-

tures of the malware and analysis of network trafﬁc.

Then depending upon the type of attack mounted by

the malware, the ransomware is classiﬁed into one of

the three categories, locker, crypto, and hybrid. This

is followed by two other areas of research identiﬁed

by the authors, which are recovery from the attack and

prevention from future attack. In our paper, we inves-

tigate the strategies of the attacker as well as the de-

fender, and examine “recovery from attack” and “pre-

vention of future attacks” mentioned in (Zakaria et al.,

2017).

Baksi and Upadhyaya (Baksi and Upadhyaya,

2017) used a hardware-based defense architecture

by leveraging the capabilities of the trusted platform

module (TPM) as a defense against APTs. Cekar et

al. (C¸ eker et al., 2016) used deception to counter

denial of service (DoS) attacks. They also used a

game-theoretic model based on the signaling game

with perfect Bayesian equilibrium (PBE) to investi-

gate the implications of deception to counter the at-

tacks. Deception as a potential defense tool has been

used to lure attackers to high interaction honeypots in

(Pauna, 2012) and thereby designing an effective mal-

ware detection system. The author proposed an adap-

tive honeypot system based on game-theoretic con-

cepts to entice the attackers, leading to the detection

of the rootkit malware by the defender. Baksi and

Upadhyaya (Baksi and Upadhyaya, 2020) used a Hid-

den Markov Model (HMM) based approach to iden-

tify intrusion by a ransomware. The HMM based IDS

ransomware but works well against basic ransomware

as well. Yet, the question is, once a defender has

detected an intrusion by a ransomware, what should

be the next plan-of-action. The research reported in

Baksi and Upadhyaya (Baksi and Upadhyaya, 2017),

Cekar et al. (C¸ eker et al., 2016), and Baksi and Upad-

hyaya (Baksi and Upadhyaya, 2020) are aimed at an

APT type malware threat and have deception as a de-

fense strategy. In our paper, we use basic ransomware

as the threat model, and put forward a scheme which

would help a defender make an informed decision

when faced with an attack, especially when the de-

fenders do not have a deception based defense system

against such attacks.

Game theory opens up new avenues for malware

analysis. It has been used to analyze the strategies of

the malware and the victims and study the attack land-

scape. Khouzani et al. (Khouzani et al., 2011) used

a zero-sum dynamic game-theoretic model as a solu-

tion to malware attack. They analyzed the structural

properties of saddle-point strategies, which are simple

threshold-based policies, and showed the possibility

of a robust dynamic defense system against malware

attacks. They have investigated the network defense

landscape of mobile wireless networks. The strategies

investigated on the part of the defender were reception

and patching rates. The strategy of the attacker that

was investigated was the annihilation rate of infected

nodes. Through the formulation of a dynamic game

it was proved that threshold-based policies form an

effective robust solution to malware attacks. Spyri-

dopoulos et al. (Spyridopoulos et al., 2013) investi-

gated a game-theoretic approach for the cost-beneﬁt

analysis of malware proliferation, and modeled it on

Game Theoretic Analysis of Ransomware: A Preliminary Study

243

the lines of epidemic spread models, namely, SIR and

SIS models. They applied their models on the Code-

Red worm. The idea was to develop a cost-beneﬁt

game-theoretic model to apply malware proliferation

strategies including “patching” of infected nodes in a

network, “removal” of infected nodes in the network,

and/or the combination of both. They used “FLIPIT”

game as the basis for the development of their model.

In our paper, we use game theory to analyze a ba-

sic form of ransomware attack through a sequential

game. We put forward two new parameters to help the

defender make an appropriate decision when faced

with an attack.

Cartwright et al. (Cartwright et al., 2019) came up

with a game-theoretic model to analyze generic ran-

somware attacks. They used the kidnapping game as

the basis for the model (Gintis, 2009) (Selten, 1977)

(Selten, 1988). The malware was modeled as the kid-

napper whereas the database of the victim was mod-

eled as the hostage. The goal of the paper is to help

the defender to make an informed decision regard-

ing the payment of the ransom, when attacked by a

ransomware. But the limitation is that the game is

applicable to ransomware attacks wherein the attack-

ers are bound by the same law of the land as the de-

fender. The authors assume that if the attackers are

apprehended, then ransom payment as well as the en-

crypted resources could be extracted from them. In

our research, we consider that the attackers could be

anywhere in the world while staging the attack. In this

scenario, it becomes really difﬁcult to apprehend the

attackers both in terms of legal and logistical fronts.

But, this makes the ransomware more generic in na-

ture and takes care of a vast majority of the attacks

which are staged from foreign land. We use game

theory to analyze the attack and help the defender in

making an informed decision.

3 BASIC RANSOMWARE

3.1 The Threat

A malware is a software program which is designed

with malicious intent to cause harm to the victim by

the attacker. When the intent of a malware is mon-

etary gain by hijacking victim’s resources for a ran-

som, it is called a ransomware. Depending upon the

nature and level of sophistication, a ransomware can

be of an APT type or of a basic nature. An APT type

ransomware is generally created by nation state ac-

tors. They are highly sophisticated attacks and are

mounted through multiple clandestine stages (Baksi

and Upadhyaya, 2018). For such attacks, even though

monetary gain is generally the primary goal, they may

have other concealed and/or disguised agenda. On

the other hand, in a basic ransomware attack, the at-

tacker encrypts the resources under risk and charges

a ransom. If the ransom is paid, the attacker releases

the encrypted resources, else the victim loses the re-

sources forever. Such attacks generally have only one

goal, i.e., to make the resources inaccessible to the

victim until the ransom is paid. Both the APT type

ransomware and the basic ransomware can be of three

types, namely, crypto, locker and hybrid as discussed

earlier. Attack and threat models for them exist in

the literature (Kolodenker et al., 2017) (Zimba and

Chishimba, 2019). In our paper, we restrict ourselves

to the research concerning defense against basic ran-

somware.

Parameterized attack graphs have been proposed

in the literature to model attacks that exploit vulner-

abilities. The attack graphs capture attacker’s pre-

conditions, system and network vulnerabilities, at-

tacker effects, and the impact of the attack on the

network (Sheyner et al., 2002). The attacker pre-

condition component include the attacker’s capabili-

ties and the knowledge needed to stage the attacks at

an atomic level. However, attack graphs were found

to be not very useful due to scalability concerns re-

garding both model speciﬁcations and eventual threat

analysis (Chinchani et al., 2005). Even with auto-

mated tools for attack graph generation (Sheyner and

Wing, 2003), such traditional approaches are not fea-

sible in the context of ransomware where the attacker

might use social engineering tactics and launch the at-

tack in multiple stages. Game theory can effectively

model this type of attacks and capture the interactions

between the attacker and the defender. In order to fa-

cilitate the development of the game model, we intro-

duce two parameters, that are speciﬁc to ransomware

type attacks, as described in the next section.

3.2 The Game

We now present a game to depict the ransomware at-

tack on a vulnerable and under-prepared system. We

assume that the attacker exploited some form of vul-

nerability, thereby not giving the defender any time

for preparedness. Once the attack has occurred, the

defender is left with one of two choices. The ﬁrst

choice is to pay ransom and hope the decryption key

is released by the attacker, while, the other option in-

volves not paying ransom. The defender can make

these choices based on certain conditions. In this sec-

tion, we analyze two conditions which would help the

defender make an informed decision on the payment

of ransom and decryption of the encrypted resources

ICISSP 2022 - 8th International Conference on Information Systems Security and Privacy

244

held for ransom. In accordance with our assumptions,

the willingness of the defender to pay ransom primar-

ily depends on two factors, the value of recovered re-

sources under siege and the reputation of the attacker.

Figure 1 gives a pictorial representation of the

game. The game begins with the attacker choosing

either of the two strategies “Attack” or “No Attack.”

If the attacker chooses the strategy “No Attack”, then

the defender has nothing to do in order to respond to

the attack. But if the attacker chooses to mount an

“Attack”, the vulnerable resources are encrypted and

then the defender is left with one of the two choices,

“Pay” or “No Pay” of the ransom. Once the defender

has made its move, the attacker has two more strate-

gies to choose from, “Release” or “No Release” of the

decryption key. If the attacker is a rational player, it

will only release the decryption key if a ransom pay-

ment is received. If it does not receive the ransom, it

will not release the decryption key. But there can be

situations where the attacker may choose to do other-

wise. That way the attacker chooses not to be rational.

The reasons for the attacker not being rational can be

many but it is outside the scope of this paper. Since

the attacker can be rational or irrational, the reputation

of the attacker can play an important role in making

an informed decision on the part of the defender when

it is under attack.

In eq. (1), parameter r

Rec

gives the ratio of re-

covered resources after payment of the ransom to the

total value of assets of the defender. Variable R is the

value of the resources under risk and/or siege. The

ransom value charged by the attacker is denoted by β.

The value of recovered resources, once the ransom is

paid, is given by R−β. The value of total assets of the

defender is denoted by R

TotalAssets

. Therefore, r

Rec

in-

dicates the importance of the recovered resources for

the defender, given the total value of assets, once the

ransom is paid and assuming the encrypted resources

have been released.

Rec

R − β

TotalAssets

(1)

In eq. (2) below, parameter r

Rep

establishes the

reputation of the attacker either as a rational or irra-

tional player in the game. The higher the value of

Rep

, the more rational is the attacker and the higher

is its trustworthiness. In an incident, if the attacker

releases the decryption key on receiving the ransom

payment, we assign 1 as the value of reputation for

that incident. If the attacker chooses not to release

the decryption key when the defender has not made

the ransom payment, we assign 1 as the value of rep-

utation for that incident. For other cases we assign

0 as the value of reputation for that particular inci-

Table 1: Attacker Notations.

Notation Description

, x

Attacker’s ﬁrst and second strategies, respectively

∗

x Optimal strategy and best response, respectively

, U

∗

Expected Utility and Optimal Utility, respectively

Release Decision to release the encryption keys (value 0 or 1)

(1-Release) Decision to not release the encryption keys (No Release)

Table 2: Defender Notations.

Notation Description

y Defender’s Strategy

∗

y Optimal strategy and best response, respectively

, U

∗

Expected Utility and Optimal Utility, respectively

Pay Decision to pay the ransom (value 0 or 1)

(1-Pay) Decision to not pay the ransom (No Pay)

dent. Then we take a mean of the reputation values

of all the last known reported incidents to calculate

the overall reputation of the attacker. If the attack is a

ﬁrst time attack, we assign a value of 0.5 to r

Rep

for

the purpose of decision making. The attackers when

they act rationally, the r

Rep

value for them for the next

game goes up. If they act irrationally, then they incur

penalty and the r

Rep

value goes down which results in

lower willingness to pay the ransom on the part of the

defender.

Rep

= [Mean o f all last k nown reported incidents]

(2)

Tables 1 and 2 list the notations used for describ-

ing the utility functions and strategies of the attacker

and the defender, respectively.

With all the parameters under consideration, we

look into the strategies of both the attacker and the

defender. Variable x

represents the strategy for the

attacker which can take up values “Attack” or “No At-

tack.” We assign the value of the strategy “Attack” as

1 when the attacker decides to attack and 0 otherwise.

Similarly for the “No Attack” strategy, the value is 1

when there is no attack, and 0 otherwise. The strategy

variable x

for the attacker can take up values “Re-

lease” or “No Release.” The value of “Release” is 1

when the attacker decides to release the decryption

key, and 0 otherwise. Similarly, the value of “No Re-

lease” is 1 when the attacker decides against releas-

ing the decryption key, and 0 otherwise. The decision

variable for the defender is denoted by y. It takes up

either of the two strategies as its value, viz. “Pay”

and “No Pay.” After an attack has taken place, if the

defender decides to pay the ransom then the value of

the strategy “Pay” is 1, and 0 otherwise. Similarly, if

the defender decides against payment of the ransom,

the value of “No Pay” strategy is 1, and 0 otherwise.

Now, with x

= Attack, y = Pay, and x

= Release,

we deﬁne the utility functions of the attacker and the

defender. Equations (3) and (4) show the utility func-

tions of the defender and the attacker, respectively.

Game Theoretic Analysis of Ransomware: A Preliminary Study

245

Figure 1: Basic Ransomware Attack.

≡ (x

) ∗ [(y) ∗{(x

) ∗ (R − β)

+ (1 − x

) ∗ (−R −β)}

+ (1 − y)∗ {(x

) ∗ (R) +(1 − x

) ∗ (−R)}]

+ (1 − x

) ∗ (0)

(3)

≡ (x

) ∗ [(y) ∗{(x

) ∗ (β)

+ (1 − x

) ∗ (β)} +(1 − y) ∗{(x

) ∗ (0)

+ (1 − x

) ∗ (0)}]

+ (1 − x

) ∗ (λ)

(4)

The above equations show all strategies and all

scenarios including the ones which generated a pay-

off of 0 for the player. The simpliﬁed equations are:

≡ (x

) ∗ [(y) ∗ {(x

) ∗ (R − β)+(1 − x

) ∗ (−R − β)}

+(1 − y) ∗ {(x

) ∗ (R) + (1 − x

) ∗ (−R)}]

(5)

≡ (x

) ∗ [(y) ∗{(x

) ∗ (β) +(1 − x

) ∗ (β)}]

+(1 − x

) ∗ (λ)

(6)

The defender makes a decision of paying the ran-

som based on the value of resource which it might get

back on payment of the ransom, and the reputation of

the malware. If the values of r

Rec

and r

Rep

are “sig-

niﬁcantly high” then the defender should pay the ran-

som. If the values of r

Rec

and r

Rep

are “signiﬁcantly

low”, then the defender should decide not to pay the

ransom. Table 3 shows the four main scenarios for

different values of r

Rec

and r

Rep

. The high and low

values of r

Rec

and r

Rep

are set by a threshold deﬁned

by the defender. The threshold for r

Rec

is t

Rec

, value

Table 3: Recovered Resources and Reputation Value for

Defender.

Value of Affected Resources (r

Rec

)

High (H) Low (L)

Reputation (r

Rep

)

High (H) H, H H, L

Low (L) L, H L, L

of which is decided by the defender based on the total

value of assets it owns. If r

Rec

≥ t

Rec

it is said to have

a “High (H)” value. Otherwise r

Rec

is said to have a

“Low (L)” value. Similarly, If r

Rep

≥ t

Rep

it is said

to have a “High (H)” value. Otherwise r

Rep

is said to

have a “Low (L)” value. Predetermining the thresh-

old values helps the defender in attack preparedness.

This also helps in making economic decisions with

contingency plans in place.

With the strategies and utility functions in place,

we now describe how the players make strategic deci-

sions and how the game proceeds. Then we present

equilibrium solutions depending upon the various

conditions. Thereafter we conduct a sensitivity anal-

ysis so that the defender can visualize the expected

change in the decision from the change in the param-

eters. The change in the value of parameter r

Rec

sig-

niﬁes a change in the importance of the value of en-

crypted resources to the defender. Change in r

Rec

caused by a change in any of the three parameters,

viz. R, β and R

TotalAssets

. This would help defender

in attack preparedness, and as may be seen through

the sensitivity analysis, the effects of change in the

value of the parameters on the decision making pro-

cess would be vivid.

ICISSP 2022 - 8th International Conference on Information Systems Security and Privacy

246

Table 4: Pay-off table for the ransomware attack game.

Outcome Attacker Defender

1 β R − β

2 β −R − β

3 0 R

4 0 −R

5 λ 0

4 PRELIMINARY RESULTS

4.1 Decision Making Conditions

Table 4 shows the pay-off for the defender and the

attacker for each outcome. When the attacker de-

cides to attack, the maximum pay-off for the attacker

is the ransom amount it receives, as represented by

= At tack) = β. For this ransomware, the main

goal is monetary gain from the ransom received from

the victims. If the attacker decides not to attack, then

its pay-off is the savings by avoiding the cost of attack

as represented by U

(x = No Attack) = λ.

For x

= Attack the following condition must

hold,

≡ U

(x = Attack) ≥ U

(x = No Attack) ≡ β ≥ λ

For x

= No Attack the following condition must

hold,

≡ U

(x = Attack) < U

(x = No Attack) ≡ β < λ

From the conditions F

and F

we get,

∗

(

“Attack” β≥λ

“No Attack” Otherwise

(7)

For x

= Release or x

= No Release the following

condition should hold so that it is in the best interest

of the attacker,

∗

(

“Release” y=“Pay”

“No Release” Otherwise

(8)

The attacker can make decisions based on the pay-

off table. The attacker starts the game by making the

ﬁrst move. The ﬁrst mover’s advantage goes to them.

When the attacker attacks, the defender is left with the

choice of paying or not paying the ransom. Once the

defender has made the decision, the attacker decides

to release or not release the decryption key. With this

decision, the attacker ends the game. The decision

for the defender cannot be made easily in a similar

fashion. The pay-off table does not quantify the im-

portance of the value of resources for the defender.

Moreover, the pay-off table does not guarantee or give

insight into the rationality and reputation of the at-

tacker. Consequently, the defender needs to depend

on other parameters. Considering this aspect, in this

paper we introduced two parameters to help make the

defender an informed decision, viz. r

Rec

and r

Rep

The defender decides the threshold for both the

parameters. If the value of the parameter is above the

threshold, then it is quantiﬁed to have a “High (H)”

value, else “Low (L)” value. Once the defender has

the values for both parameters, they need to refer to

Table 3 in order to make the decision. Therefore, the

optimal strategy is

∗

(

“Pay” r

Rec

≥ t

Rec

AND r

Rep

≥ t

Rep

“No Pay” r

Rec

< t

Rec

OR r

Rep

< t

Rep

(9)

4.2 Equilibrium Solutions

The game presents the conditions, the strategies, and

the pay-offs for each strategy. Considering these fac-

tors, Table 5 presents the best responses for both the

attacker and the defender. Given the conditions, these

best responses translate to equilibrium solutions for

the game.

Parameter λ denotes the cost of attack on the part

of the attacker. When they decide not to mount an at-

tack, i.e., the strategy is “No Attack”, the pay-off is λ.

This is the ﬁnancial saving they make by avoiding the

cost of attack. If the system is harder to inﬁltrate, then

the value of λ is higher. For the defender it means, if

the system they build is more secure against inﬁltra-

tion, the value of λ increases which discourages the

attacker from mounting the attack. This information

is important because this encourages to use a stronger

encryption system to secure the database and use se-

curity best practices to lower the number of vulnera-

bilities that might exist in the system.

In the event of an attack, the defender is left with

either of the two choices, viz. “Pay” and “No Pay.”

This is where the threshold values for r

Rec

and r

Rep

comes handy in the decision making process. The de-

fender needs to decide a value for t

Rec

based on the

value of resources under siege and the total value of

resources owned by them. This helps to decide the

limit at which the defender is comfortable in paying

the ransom. For different values of the resources, ran-

som, and total assets, as r

Rec

goes below t

Rec

, the will-

ingness to pay the ransom decreases. The reason be-

ing the value of recovered resources becomes less im-

portant to the defender.

The defender shouldn’t rely on the r

Rec

parameter

alone. The reputation of the malware is also impor-

tant. If the value of r

Rec

is low, i.e., less than t

Rec

the resources are less important to the defender and

Game Theoretic Analysis of Ransomware: A Preliminary Study

247

Table 5: Best Response of the Attacker and the Defender given the conditions (Equilibrium Strategies).

Conditions Strategies

Attacker Defender Attacker(

) Defender(

β < λ N/A No Attack, Nothing Do Nothing

β ≥ λ r

Rep

≥ t

Rep

AND r

Rec

≥ t

Rec

Attack, Release Pay

β ≥ λ r

Rep

< t

Rep

OR r

Rec

< t

Rec

Attack, No Release No Pay

it can decide not to pay the ransom. But if it is high,

i.e., r

Rec

≥ t

Rec

, the next action the defender should

take is to check the value of r

Rep

. If r

Rep

< t

Rep

, the

reputation of the malware is low. This signiﬁes that

if the defender pays the ransom, there is a very high

possibility that the attacker wouldn’t release the de-

cryption key either. But if r

Rep

≥ t

Rep

, the reputation

of the malware is high and it can be trusted with the

payment of the ransom. The best strategy for the de-

fender therefore would be to “Pay” the ransom when

Rec

≥ t

Rec

and r

Rep

≥ t

Rep

and “No Pay” otherwise.

The attacker, if feels that the pay-off is higher

when x

= Attack as compared to x

= No Attack,

then mounts the attack. For the basic ransomware

considered in this paper, with attacker being ra-

tional, it is in its best interest to release the de-

cryption key on receiving the ransom payment and

not releasing decryption key, otherwise. There-

fore, the attacker’s best strategy would be

Attack, Release on receiving the ransom payment and

= Attack, No Release if the ransom payment is

not made.

4.3 Sensitivity Analysis

In this section, we perform a sensitivity analysis to

determine how the values of ransom and total assets

affect the decision making of the defender.

To begin with, we assume an organization with

a value of total assets (R

TotalAssets

) of $10,000. The

value of resources (R) under siege is $1,000. The

threshold values for the recovered resources param-

eter (t

Rec

) and the reputation parameter (t

Rep

) are as-

signed 0.05 and 0.5, respectively. For the purpose of

analysis, we use the value of r

Rep

to be 0.618 (this

is obtained by randomly generating a few reputations

for past incidents and taking the mean). The ransom

value (β) was set at $300. Now in order to understand

how much the total value of all assets affect the deci-

sion making process, we vary R

TotalAssets

while keep-

ing the values of other parameters unchanged. When

the value of R

TotalAssets

is $14,000, the r

Rec

value is

at the threshold. Figure 2a shows how the value of

Rec

changes as we increase the value of total assets

owned by the defender. The idea is to visualize the

change in the importance of the value of resources

under siege for the defender when the value of total

(a) Importance of the resources for the defender.

(b) Decision made by the defender.

Figure 2: Sensitivity Analysis by varying R

TotalAssets

assets owned by them changes. The higher the value

of r

Rec

, the more important is the encrypted resources

to the defender. Figure 2b shows how the decision of

the defender changes as the importance of the value

of encrypted resources changes. The decision “Pay”

is denoted by the value 1. The decision “No Pay” or

not to pay the ransom is denoted by the value 0, i.e.,

No Pay = 1 −Pay = 0. The plot shows that when the

importance of the encrypted resources diminishes, the

willingness to pay the ransom decreases. From equa-

tion (1) and Figure 2a, it is apparent that r

Rec

is in-

versely related to R

TotalAssets

Now, we vary the ransom value from $100 to

$1,000. We keep the value of R at $1,000, t

Rec

0.05,

Rep

0.5, and r

Rep

0.618. Figure 3a shows how increas-

ing the ransom value affects the r

Rec

value. When

ICISSP 2022 - 8th International Conference on Information Systems Security and Privacy

248

(a) Importance of the resources for the defender.

(b) Decision made by the defender.

Figure 3: Sensitivity Analysis by varying Ransom Value.

the ransom value is $500, it is the threshold value for

Rec

. The ﬁgure shows that as the value of ransom in-

creases, the effective value of the recovered resources

decreases. Therefore, the importance of the same to

the defender decreases and so does the willingness

to pay the ransom. Figure 3b shows how increasing

the ransom value affects the decision of the defender.

The decision “Pay” is denoted by value 1 for a ran-

som value and the decision “No Pay” is denoted by

0. With an increase in the value of the ransom, the

willingness to pay decreases owing to the fact that the

effective value of the recovered resources diminishes.

From equation (1) and Figure 3a, it is evident that the

relationship between r

Rec

and β is linear with a nega-

tive slope.

The sensitivity analysis shows how one can visu-

alize the importance of each parameter in the decision

making process. In this paper we presented an exam-

ple with synthetic data. But, this is applicable in the

real world if the defender wants to plug-in real val-

ues. This decision making process helps to make an

informed decision when faced with an attack. The

sensitivity analysis helps to visualize the effect of the

attack and helps in attack preparedness on the part of

the defender.

4.4 Prescriptive Solution

The sensitivity analysis in Section 4.3 shows how the

change in the value of ransom or change in the to-

tal value of assets owned by the defender affects the

decision made by them. The equilibrium strategies

for the attacker and the defender are shown in Table

5. The game is designed without any data and the

equilibrium strategies were obtained through back-

ward induction. Even though the sensitivity analy-

ses were performed on an example set of data, the

game would work ﬁne for any range of data for a ba-

sic ransomware attack. Data on ransomware attacks

are hard to come by as institutions and organizations

often do not report the details fearing the leakage of

sensitive information in the public domain and/or ad-

verse effects on their reputation. Therefore, there can

be an argument here about the incomplete informa-

tion game (Harsanyi, 1994). To begin with, one can

argue that λ value is an unknown entity to the de-

fender. But through penetration testing and/or em-

ployment of ethical hackers that value can be known

with quite precision (Krishnan and Wei, 2019) (Zan-

tua et al., 2018). Another value r

Rep

may seem to

be unknown. But through media reports and brows-

ing through historical attacks by the same malware or

the same attackers, it can be calculated. If no infor-

mation is available whatsoever, then the value of r

Rep

is assumed to be 0.5. This way the game no longer

becomes an incomplete information game. With the

values under consideration and assumption, Table 5

and Algorithm 1 present a prescriptive solution to a

basic ransomware attack. The equilibrium strategies

and the algorithm present an opportunity for the de-

fender to prepare in advance and/or make an informed

decision when under attack from ransomware.

Algorithm 1: Choosing Defender’s strategy based on the

Optimized Strategy of Attacker from Table 5.

Rec

= # Set by Defender based on system conﬁg.

Rep

= # Set by Defender based on info collected

if β ≥ λ then

if r

Rec

≥ t

Rec

AND r

Rep

≥ t

Rep

then

return Pay

else

return No Pay

end if

else if β < λ AND

= No Attack then

return Do Nothing

end if

The basic ransomware may come with few more

features. An important feature being an early dead-

line for ransom payment. After this early deadline,

often the value of ransom demanded is doubled. If

Game Theoretic Analysis of Ransomware: A Preliminary Study

249

the defender wishes to pay the ransom, then they will

have to pay double the amount after the early dead-

line. In this scenario, the defender can simply update

the values of the parameters wherever applicable, in-

cluding the value of the ransom. Another feature in

the game can be the existence of a bargaining stage

between the attacker and the defender. After the bar-

gaining process, if the ransom value changes and/or

value of resources under siege changes, then the de-

fender can update the value of the parameters in the

game. The value of r

Rep

is calculated by observing

the ransomware attacks which have been known to the

defender and/or reported publicly as shown in the eq.

(2). If the attack is happening for the ﬁrst time and/or

there exists no reports of historical occurrence of the

same, then the defender can proceed with the value

of 0.5 for r

Rep

. But through proper investigation, and

if any further clue can be found that links the ongo-

ing attack to some other attack and/or attacker, then

the defender can update eq. (2) using the values from

those attacks. Thereafter, the defender can update the

values of the parameters and tables in the game.

The defender, with the updated game can refer to

Table 5 and Algorithm 1 to make an informed deci-

sion. Having a strong security system, effective intru-

sion detection system, strong encryption system and

following proper security practices, the defender ef-

fectively increases the value of λ. This acts as a de-

terrent against probable attacks on the system.

5 CONCLUSION AND FUTURE

WORK

In this paper we used game theory to analyze the at-

tack defense scenario involving a basic ransomware

and a victim. We introduced two parameters which

would help the defender in making an informed deci-

sion when under attack. The r

Rec

parameter is the ra-

tio of the value of recovered resources after payment

of ransom to the total value of all the assets owned by

the defender. This helps the defender to quantify the

importance of the resources under siege. The higher

the value of r

Rec

, the more willing the defender is to

pay ransom. This paper presents a second parameter

for decision making so that the defender doesn’t lose

out much in the game. This parameter r

Rep

helps the

defender to guess how “trustworthy” the malware is.

The higher the reputation, the more willing is the de-

fender to pay the ransom. The algorithm presented in

this paper summarizes the process to obtain the equi-

librium solutions when the defender is under attack

from a basic ransomware. The parameters and the al-

gorithm presented in this paper would not only help

the defender in preparedness but also help in making

an informed decision when under attack.

Through a formal analysis of a basic ransomware,

our research provides a preliminary treatment of the

mitigation strategies to counter advanced threats. This

paper also provides a metric for the payment strat-

egy. The results, approach and the methodology can

be used to analyze a more sophisticated ransomware

attack, viz. the APT type ransomware. This is part of

our future work. The game theoretic analysis for such

scenarios would include elaborate games. Another

future research could be done on deciding proper

threshold values through various forms of investiga-

tions including psychological investigations, if appli-

cable. The analysis presented in this paper paves way

for future research on APT type ransomware.

ACKNOWLEDGEMENTS

This research is supported in part by the National Sci-

ence Foundation under Grant No. DGE –1754085.

Usual disclaimers apply.

REFERENCES

Baksi, R. P. and Upadhyaya, S. J. (2017). Kidemonas:

The silent guardian. Secure Knowledge Management

(SKM ‘17), Tampa, FL.

Baksi, R. P. and Upadhyaya, S. J. (2018). A comprehen-

sive model for elucidating advanced persistent threats

(APT). In Proceedings of the International Confer-

ence on Security and Management (SAM), pages 245–

251. The Steering Committee of The World Congress

in Computer Science, Computer Enigineering.

Baksi, R. P. and Upadhyaya, S. J. (2020). Decepticon: a

theoretical framework to counter advanced persistent

threats. Information Systems Frontiers, pages 1–17.

BBC (2021). Colonial pipeline boss conﬁrms $4.4M ran-

som payment. The British Broadcasting Corporation.

Cartwright, E., Hernandez Castro, J., and Cartwright, A.

(2019). To pay or not: game theoretic models of ran-

somware. Journal of Cybersecurity, 5(1):tyz009.

C¸ eker, H., Zhuang, J., Upadhyaya, S., La, Q. D., and

Soong, B.-H. (2016). Deception-based game theoreti-

cal approach to mitigate DoS attacks. In International

conference on decision and game theory for security,

pages 18–38. Springer.

Chinchani, R., Iyer, A., Ngo, H., and Upadhyaya, S. (2005).

Towards a theory of insider threat assessment. In 2005

International Conference on Dependable Systems and

Networks (DSN’05), pages 108–117.

Davis, H. L. (2017). How ECMC got hacked by cyber extor-

tionists – and how it’s recovering. The Buffalo News.

ICISSP 2022 - 8th International Conference on Information Systems Security and Privacy

250

Deere, S. (2018). Conﬁdential report: Atlanta’s cyber attack

could cost taxpayers $17 million. The Atlanta Journal

Constitution.

Gintis, H. (2009). Game theory evolving. Princeton univer-

sity press.

Goud, N. (2017). ECMC spends $10 million to recover

from a cyber attack! Cyber Security Insider.

Harsanyi, J. C. (1994). Games with incomplete information.

In Evolution and Progress in Democracies, pages 43–

55. Springer.

Khouzani, M., Sarkar, S., and Altman, E. (2011). A dy-

namic game solution to malware attack. In 2011 Pro-

ceedings IEEE INFOCOM, pages 2138–2146. IEEE.

Kolodenker, E., Koch, W., Stringhini, G., and Egele, M.

(2017). Paybreak: Defense against cryptographic ran-

somware. In Proceedings of the 2017 ACM on Asia

Conference on Computer and Communications Secu-

rity, pages 599–611.

Krishnan, S. and Wei, M. (2019). Scada testbed for vulner-

ability assessments, penetration testing and incident

forensics. In 2019 7th International Symposium on

Digital Forensics and Security (ISDFS), pages 1–6.

IEEE.

Milosevic, J., Sklavos, N., and Koutsikou, K. (2016). Mal-

ware in IoT software and hardware. Workshop on

Trustworthy Manufacturing and Utilization of Secure

Devices (TRUDEVICE’16), Barcelona, Spain.

Newman, L. H. (2018). Atlanta spent $2.6M to recover

from a $52,000 ransomware scare. Wired.

Pauna, A. (2012). Improved self adaptive honeypots capa-

ble of detecting rootkit malware. In 2012 9th Inter-

national Conference on Communications (COMM),

pages 281–284. IEEE.

Selten, R. (1977). A simple game model of kidnapping.

In Mathematical Economics and Game Theory, pages

139–155. Springer.

Selten, R. (1988). A simple game model of kidnapping. In

Models of strategic rationality, pages 77–93. Springer.

Sheyner, O., Haines, J., Jha, S., Lippmann, R., and Wing,

J. (2002). Automated generation and analysis of at-

tack graphs. In Proceedings 2002 IEEE Symposium

on Security and Privacy, pages 273–284.

Sheyner, O. and Wing, J. (2003). Tools for generating and

analyzing attack graphs. volume 3188, pages 344–

372.

Spyridopoulos, T., Oikonomou, G., Tryfonas, T., and Ge,

M. (2013). Game theoretic approach for cost-beneﬁt

analysis of malware proliferation prevention. In IFIP

International Information Security Conference, pages

28–41. Springer.

Zakaria, W. Z. A., Abdollah, M. F., Mohd, O., and Arifﬁn,

A. F. M. (2017). The rise of ransomware. In Proceed-

ings of the 2017 International Conference on Software

and e-Business, pages 66–70.

Zantua, M. A., Popovsky, V., Endicott-Popovsky, B., and

Holt, F. B. (2018). Discovering a proﬁle for protect

and defend: Penetration testing. In International Con-

ference on Learning and Collaboration Technologies,

pages 530–540. Springer.

Zimba, A. and Chishimba, M. (2019). Understanding the

evolution of ransomware: paradigm shifts in attack

structures. International Journal of computer network

and information security, 11(1):26.

Game Theoretic Analysis of Ransomware: A Preliminary Study

251