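Ransomware
Extortion
Externality
Computer security
Industrial organization
Business
Computer science
Economics
Microeconomics
Malware
Law
Political science
Authors
Debabrata Dey, Atanu Lahiri
Identifier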
DOI:10.1287/isre.2024.1160
Abstract
Practice- and Policy-Oriented Abstract: Ransomware attacks have emerged as one of the biggest threats to cybersecurity. Faced with business disruptions, many organizations accede to ransom demands, and in doing so, they embolden the attackers to launch more attacks, elevating the chance of a future breach for others. We study this externality using a multiperiod game among multiple firms, each of which has a choice to pay or not pay if breached in a particular period, its action having implications for future periods. How should a policymaker intervene to mitigate this externality, and is prohibition necessary? What might work or how it might work as a policy tool depends critically on the behavior of the attacker (extortionist). If the attacker is not strategic, fiscal interventions could work, and a complete prohibition on ransom payment is unnecessary. If the attackers are strategic, though, they may respond to the policymaker’s tax/subsidy in a manner that could increase victims’ propensity to pay, rendering fiscal intervention ineffective as a policy lever. In such a case, prohibition may be the only way to mitigate the externality. Overall, our analysis provides a framework for comparing different types of policy interventions and raises concerns for policymakers and social planners to pause and ponder.