The Political Economy of Ransomware
Ransomware is really good at extorting money, and it can also be good at extracting geopolitical concessions. On May 7, Colonial Pipeline paid nearly $5 million to restore its systems after DarkSide used encryption to hold hostage the pipeline, which supplies nearly half of the East Coast’s fuel to 50 million people. Then, late last month, the cyber insurance company CNA paid a staggering $40 million in ransom. The problem is that, although it may be comforting to believe that these events have nothing to do with geopolitics, next time around the hackers may want something more than bitcoins.
Many scholars and observers agree that coercion is inherently difficult in cyberspace, but ransomware is quickly emerging as a counterexample. Ransomware has been able to successfully extort victims not simply because of the use of cryptocurrency, which is more difficult to trace than cash, nor just because Russia offers safe havens to cyber criminals, as some have argued. In fact, insights from game theory show that extortion using encryption has been successful so far also because it is, in many ways, a better technology for hostage-taking compared to preexisting methods, such as sieges and blockades.
This means that a failure to reconsider the fundamentals of cyber coercion could lead to strategic surprise, if U.S. policymakers fail to anticipate states using encryption coercively. For example, in 2014 North Korea tried to coerce Sony into dropping the release of The Interview because it found the movie’s portrayal of Kim Jong Un objectionable. Their next attempt at cyber coercion may leverage totally different tools.
What Is Ransomware?
Ransomware is a type of cyber attack that encrypts a victim’s data and offers to decrypt them for a ransom. Increasingly, attackers will also exfiltrate data and use it as blackmail in a double-extortion scheme. Using strong, non-reversible encryption for extortion is an old idea, dating back to a 1996 paper by Moti Yung and Adam Young. As more and more critical systems became connected and reliant on digital information over the past two decades, their denial could inflict higher and higher costs, and hackers started to exploit the idea for financial gain beyond theoretical musings.
Ransomware’s prevalence is reminiscent of the “Golden Age of Piracy.” It is fast becoming one of the biggest cyber threats in both the public and private sectors. Cybersecurity Ventures projected that, in 2021, a ransomware attack would occur every 11 seconds and the total economic damage from ransomware attacks would amount to $20 billion. The average ransom paid is rising fast as well, from $115,123 in 2019 to $312,493 in 2020. This number is likely to grow even more in 2021, as companies are frequently paying ransom amounts in the millions. In a survey of 5,000 IT managers across 26 countries, 51 percent said they had suffered a ransomware attack within the past year. The sectors affected are also diverse, including healthcare, education, manufacturing, retail, energy, and financial services. By any measure, ransomware has become a successful business model for cyber criminals.
Hostage-Taking in Cyberspace
Just as piracy and privateering thrived as commercial shipping increased, ransomware exploits the conditional denial of data in the Information Age. While ransomware’s success is in part fueled by bad practices, such as insurance coverage for ransoms, it is also due to the inherent properties of encryption, which serves as a great hostage-taking technology.
My research uses game theory to explain why hackers would choose encryption rather than destructive malware to extort victims and how the strategic logic of ransomware compares to similar preexisting technologies like sieges and blockades. Ransomware solves key credibility and commitment problems faced in other hostage situations. Furthermore, potential strategic problems, such as the difficulty of making a credible promise to decrypt upon payment, may have technical solutions.
First, ransomware serves as a counterexample to the claim that coercion is difficult in cyberspace because it bypasses the “cyber commitment problem.” Attackers face a tradeoff between the need to demonstrate the capability to carry out an attack and the need to maintain a covert presence until the final payload is dropped. Because many destructive cyber operations rely on exploiting a vulnerability in the target’s systems, not conveying any information about how the attackers could carry out their threat may lead the target to think that the attacker is bluffing. On the other hand, conveying too much information can easily prompt the target to disconnect or patch the vulnerability.
For example, in 2014 North Korea threatened to launch a cyber attack on South Korea’s power plants unless its demands were met by Christmas. But the articulation of this threat prompted a lockdown on the plants as well as 24/7 security monitoring and drills, essentially calling North Korea’s bluff. Ransomware, however, bypasses this tradeoff entirely because the attackers only need to stay hidden up to the point of executing the encryption. Successful encryption of the target’s data serves as the ultimate credible signal of capability, and the target cannot undo this encryption the way it could mitigate a vulnerability.
Second, encryption allows the attackers to impose costs on the victim in an automatic manner, without incurring costs themselves. This departs from other coercive techniques. Laying a siege, for example, is expensive not only to the defender but also to the attacker, and the attacker furthermore has an opportunity to reevaluate the decision to stay each day. The attacker faces a problem in irrevocably committing to lay a siege for long enough to compel the defender to decide it’s not worth it to wait it out. The same dilemma also exists in committing to torture. On the other hand, once encryption is executed, the attacker neither incurs costs on a daily basis nor has to execute the code each day. This serves as a hand-tying mechanism that resolves the attacker’s commitment to apply force.
Third, encryption is reversible, providing an extra incentive for the victim to concede. Consider another coercive technique: a bombing campaign. Each building destroyed is gone for good and becomes a sunk cost for the victim. The most an attacker can promise in return for concessions is the hope of leaving the remainder of the city untouched. Thus, as a bombing campaign drags on, the incentive for the defender to concede diminishes. The same logic works with destructive malware such as wipers, which destroy a computer’s hard drive by wiping its data. Every workstation destroyed creates sunk costs. On the other hand, decryption, at least in theory, provides the prospect of restoring the entire “city” if the victim concedes, and it does not rely on destroying portions of the asset held hostage to inflict costs.
Finally, these advantages aside, the commitment problem regarding the promise to decrypt (and never return again) is a real one, though not as severe as conventional wisdom suggests. This is the most significant concern for victims: Will the attacker restore my systems if and only if I pay? What if they encrypt me again next month, knowing my willingness to pay?
Attackers need to find a way to credibly commit to this promise – and there are ways to do it, if they truly want to exchange decryption for ransom. For example, the transaction can be automated as a hands-tying mechanism, where a decryption key is released if and only if a certain amount of ransom is submitted. Attackers can — and frequently do — decrypt a small portion of the stolen data for free to verify that the decryption key actually works. Finally, attackers can show the victims the vulnerabilities they exploited and perhaps even offer security patches as a credible signal that they will not attack again upon receiving payment. (Of course, there is an entirely different question of encryption used purely for destructive purposes without the intent to ever decrypt, such as NotPetya or Iran’s use of ransomware against Israel. Even here, an attacker who wants to leverage encryption coercively, not purely for brute force, will have an incentive to signal that intent and will have technical ways to do so.)
Geopolitical Dimensions of Ransomware
One of the first wars fought by the United States was against the “Barbary States” from 1801 to 1805 over their disruption of U.S. merchant shipping through piracy. Max Boot, in his description of piracy along the Barbary Coast around this time, notes that European states frequently paid tribute or purchased “passports” to ensure free passage in the Mediterranean. The rulers of the Barbary States of North Africa used economic gains from such practices to maintain their political power.
Fast forward to present day and ransomware is achieving the same effect by holding data hostage rather than merchant shipping. As the source of national economic prosperity expands from maritime trade to an information economy, data and the systems that rely on it have come to have significant value. Their denial can therefore inflict costs, and the ability to deny them conditionally can be used to coerce. Both the pure and conditional denial of economic activity in cyberspace have geopolitical implications.
The more obvious geopolitical dimension is that many, though not all, of the ransomware operators are Russian-speaking cyber criminal groups and are often either implicitly or explicitly given safe haven by Russian intelligence agencies in exchange for excluding Russian targets from their operations. For example, DarkSide’s code will automatically avoid encrypting a system that has languages used in Russia and Eastern European states. As a result of this protection, only a handful of ransomware operators are ever extradited and prosecuted. Just as many states relied on privateers to seize shipments — sometimes belonging to their strategic adversary — modern-day privateering in cyberspace is also intertwined with strategic competition among states.
The less obvious geopolitical dimension is that the ability to deny data conditionally translates into power. Trends in ransomware show that encryption is one way to achieve denial, and it may significantly revise our understanding of how states will leverage cyberspace for strategic ends.
At a minimum, encryption offers an alternative way to directly hold adversary assets at risk, without first having to win in combat to seize a major city, develop a nuclear and missile program, or occupy a geographical chokepoint. This would be a particularly attractive option for states such as Iran or North Korea that have strategic rivals but do not otherwise have sufficient conventional military capabilities to achieve the same effect.
Cyber means provide a cheaper, lower barrier of entry for coercion than a conventional military buildup, even if it may be at a much smaller scale. Especially where preexisting deterrence structures make escalation too costly and therefore unlikely, states may attempt such small-scale coercion. For example, Iran seized a South Korean tanker in January and demanded that South Korea release $7 billion of Iranian funds that its banks had frozen in 2019 to comply with U.S. sanctions. South Korea ended up unfreezing $1 billion in exchange for the crew’s release and eventually paid $100,000 more for the ship’s release as well. In the future, other states could use encryption of a factory, power plant, or a pipeline to create a similar hostage situation, even if they do not control the Strait of Hormuz. Encryption may not be able to compel big concessions, such as the unconditional surrender of a state, but it may be able to compel allies to stop cooperating with U.S. sanctions enforcement.
Some might say that state actors are fundamentally different from nonstate, criminal actors and thus would not use ransomware to extract political concessions. However, such a claim has to examine whether those differences matter in ways that specifically undermine the aforementioned strategic logic of encryption. For example, some might argue that state interactions have a longer “shadow of future” and therefore the state being coerced faces greater reputational costs. However, scholars have argued that even in normal crisis-bargaining situations reputational costs can be anticipated and therefore offset using side payments or smaller demands.
Another argument might be that state actors enjoy less anonymity and therefore run a greater risk of retaliation. But fear of retaliation has not stopped states from launching cyber attacks even more destructive than encryption, such as NotPetya, the shutdown of the Ukrainian power grid, or even bank robberies. Concern for retaliation has also not stopped states from reckless behavior that increases collateral damage, such as China’s handling of the Microsoft Exchange hack and North Korea’s use of worms in WannaCry. The Barbary pirates neither masked their identity nor used cryptocurrency and yet they still maintained a lucrative piracy business in the Mediterranean for decades, as long as states saw paying tribute as a cheaper alternative to waging war. Similarly, while states might prefer having more plausible deniability than not in cyberspace, maintaining anonymity is not a necessary condition for launching a cyber attack.
In short, it’s hard to find fundamental differences between state and nonstate actors in ways that undermine the strategic logic of encryption.
In order to avoid strategic surprise, U.S. policymakers ought to reexamine the claim that adversaries will primarily use cyber means for espionage and covert action, but not for coercion. States have proven time and time again to be creative in how they leverage cyberspace, identifying overlooked areas and exploiting it for strategic gain. States like North Korea are already operating at the intersection of criminal and strategic activity in cyberspace, including the deployment of ransomware. It is only a matter of time before they connect the rest of the dots.
The question is not whether encryption will ever be used for geopolitical gain instead of bitcoins, but when and how. In the short term, the newly formed Ransomware Task Force — a partnership between the U.S. government and private-sector players — should continue to coordinate policy solutions to ransomware. For example, more cyber insurance providers should stop covering ransom payments and should instead actively incentivize victims to choose not to pay by covering the cost of system recovery without decryption. Where possible, real-time or offline backups should be subsidized or incorporated in insurance underwriting. In the longer term, policymakers should foster research collaboration between practitioners and academics to identify scenarios in which adversaries could use encryption coercively, which systems would be most vulnerable to such an attempt, and how such scenarios would impact America’s strategic position.
Jenny Jun is a nonresident fellow at the Atlantic Council’s Cyber Statecraft Initiative and Ph.D. candidate at Columbia University’s Department of Political Science. Her research focuses on understanding the dynamics of conflict in and through cyberspace. She is a co-author of the 2015 CSIS report North Korea’s Cyber Operations: Strategy and Responses and comments regularly on North Korea’s cyber activities.