Ethics, Economics, and Ransomware: How Human Decisions Grow the Threat

Abstract

This paper examines the modern history of ransomware and its evolution to the current form of large-scale ransomware attacks (ones that disrupt entire organizations). Within that timeframe, public reporting, articles, and news media reporting on large-scale ransomware attacks is reviewed to create an empirical analysis of ransom payments, conditions that led to those payments, and if data was ultimately recovered. Three factors were discovered that lead to organization to pay the ransom when recovery is impossible or cost-prohibitive: the rise of cyberinsurance companies that dictate responses that lessen their financial exposure, many victim organizations who have to always operate such as hospitals and emergency services, and the fiduciary duty of business executives to act in the best interest of a company. Lastly, we look at the concept of outlawing ransom payments and relate it the policy of outlawing random payments in kidnapping.