Should we outlaw ransomware payments?

Abstract

In recent times, there has been an upsurge in ransomware attacks, where an attacker encrypts a user's files and then demands a ransom in exchange for the decryption key. While paying the ransom allows the user to quickly unlock the locked files and avoid potentially larger losses, it also strengthens the hands of the attacker and increases the chance of a future attack. We study this dilemma of the victims and the externality posed by their actions using a game-theoretic model on top of a Markov decision process. The resulting equilibrium leads to several interesting insights such as that legally prohibiting ransom payments may not always have the desired economic effects-in some cases, a ban may be effective in addressing the economic externality but, in others, it could reduce public welfare. Our findings have important implications for policymakers who are currently debating legislation that, if enacted, will outlaw ransom payments to attackers.