The Economics of Paying Ransom

June 21, 2021

The cyberattack on the Colonial Pipeline by the hacker group DarkSide disrupted gasoline supplies across the Southeast. The company caused a stir by paying a 75 Bitcoin ransom to DarkSide. America historically has been opposed to paying evildoers, as reflected in the slogan, “Millions for defense, but not one cent in tribute,” and President Jefferson sending the Navy and Marines to fight the Barbary Pirates.

Ransomware raises many economic issues. A first question is, do hackers ever give the data back if paid? DarkSide provided Colonial Pipeline a key to decrypt their data. According to Proofpoint, this is the norm: 70 percent of ransom payers got their data back, 20 percent never got their data back, and 10 percent received a second ransom demand.

From an economic perspective, this is not surprising. About two dozen groups, identifying themselves by name and known to insurance companies, carry out most of the sophisticated attacks. Insurers would never recommend payment in the future to a group which has reneged. The hackers must deliver as promised to make money.

Some have suggested making payment of ransom for cyberattacks illegal. If no one ever paid ransom, the hackers could not make money. Refusing to pay ransom, though, faces two significant economic challenges.

The first is time consistency. Kidnapping illustrates this concept. Before an event, the incentive exists to say, “We will never pay ransom.” If the bad guys believe this, they will never invest the time, effort, and expense to stage a kidnapping. Once they hold hostages, however, our incentive changes; negotiating just this one time now makes sense. Our policy to never pay ransom is not credible.

Collective action poses the second challenge. Businesses collectively have an interest in not rewarding cybercrime, yet individual businesses suffer these attacks. A business which does not pay ransom benefits other businesses, creating the challenge. Why should Continental Pipeline suffer losses to make other businesses less likely to be attacked?

Why do businesses pay ransom? Reports mention several factors. A business may face a closure of unknown length and cost. Customers’ personal information will be sold if ransom is not paid, leading to fines and bad publicity. And the hackers might sell proprietary information to competitors.

Good economists know better than to second-guess business managers’ decisions. Decisions to pay ransom often involve the business’ executives, its insurance carrier, and tech security experts. They know the options and likely costs and should make a good decision, despite the pressure of a crisis.

Insurance companies and government regulations reduce organizations’ vulnerability to hackers, which is good. But what about channeling President Jefferson and going after the hackers? Most of the hacker groups operate in Russia, which provides safe haven as long as the hackers do not target Russian companies. Some law enforcement options may exist. Federal prosecutors apparently recovered most of the Bitcoins paid to DarkSide.

Crime is a very costly way to transfer wealth. Stolen merchandise typically sells for one-third (or less) of market value. A criminal might have to steal thousands in property to net $1,000. Ransomware appears much more wasteful than traditional theft. Consider just the value of the time Americans spent searching for gas during the disruption. Remember then that the ransom was about $4.4 million.

Cybercrime makes us poorer. The hackers and defenders at tech security companies are highly skilled computer programmers. But instead of making new apps or games, they are hacking or defending existing computer systems. Add to this the service disruption during cyberattacks, the reduced use of technology for fear of being hacked, and the time spent on security training. The costs may be $1 trillion annually, or one percent of global GDP.

We must guard here against comparing the real world to an imagined utopia. We cannot costlessly protect our property from thieves or our computers from malware, or make people no longer willing to steal from others. Economics teaches that there are no perfect solutions in life, only tradeoffs. Vigilance, antivirus programs, and backups are the tradeoffs we face with cybercrime.

[Originally posted on Yellow Hammer News]

Author
Daniel Sutter is Affiliated Senior Scholar at the Mercatus Center and Professor of Economics at the Manuel H. Johnson Center for Political Economy at Troy University.
dsutter@troy.edu