You’ve infected a computer, locked it down and demanded ransom. Congratulations, you’re a cybercriminal. The bad news is that you’re doing a terrible job of maximizing profits.
Ransomware was an estimated $1 billion-per-year industry as of 2016, but new research from computing and economics academics at the United Kingdom’s University of Kent shows that the “unsophisticated” techniques of ransomware criminals could easily be refined and “could lead to dramatic increases in profits at relatively little costs.”
“The profit [the hackers] can make largely depends on the willingness of those attacked to pay the ransom,” researchers Julio Hernandez-Castro, Edward Cartwright and Anna Stepanova explain in the report. “This, in turn, will depend on various components — how much a victim values their files, the extent to which they trust the criminals to honor their word, willingness to give money to criminals, etc.”
It’s a novel scenario for economists, but the academics approached their research with the cutthroat gusto of a seasoned criminal. To raise profits, attackers ought to be charging enough for ransom so that less than 50 percent of those infected are actually willing to pay for their files back.
Better yet, attackers should be more discriminating in charging different ransoms for different targets. After a computer is successfully infected, the hacker has complete access to all its files and other information. By looking at the specifics of both the hardware (Is it a high-end new model?) and software (Can the hacker see the person’s worth? Do they have software indicating expensive taste?), a hacker can begin to make assumptions on what a victim may be willing to pay.
The researchers recommend hackers experiment: Charge higher for those with larger numbers of files on their computer, record the results and adapt.
“The more information the criminals can extract on expected willingness to pay the more personalized should be the ransom,” they write. “By systematically varying the ransom, and by taking into account the extracted information about victims, the criminals can learn over time the optimal ransom for each ‘type’ of victim. The more personalized the pricing becomes, the closer the criminals come to attaining the maximum achievable profit, corresponding to first degree price discrimination.”
The ultimate goal, “first-degree price discrimination,” is that attackers would be able to uniquely profile each and every victim and charge accordingly.
“While data on current activity is somewhat limited, we would suggest that the techniques currently being used by the criminals are relatively unsophisticated,” the researchers argue. “There certainly seems to exist ample scope for them to refine their techniques, notably for determining the optimal ransom and to make use of price discrimination.”
It’s not all bad news for victims. As attackers start to employ more personalized and effective pricing, less people will end up losing their files because they are unwilling to pay.
The better strategy for victims, however, is to back up important files so that ransomware holds far less danger.
Read the full report below: