
Should I Pay or Should I Go? Game Theory and Ransomware

BSidesSF 2017 · 31:07 · Published 2017-03 · Style: Talk

About this talk
Ransomware infections are nasty and potentially devastating events that can cripple large companies and home computers alike. Ransomware comes in many varieties and works in different ways, but the basic scenario is the same: cybercriminals infect your computer with malicious software that blocks access to your system or important files until you pay the ransom. You have a finite number of days to pay if you ever want to see your files again. Should you pay? The answer is a little more nuanced than “never pay” or “always pay.” The decision is a complex scenario of incentives and payoffs that can be analyzed with game theory. Game theory is a branch of mathematics that models conflict and cooperation between parties and is used in many real-world scenarios, inside and outside the Information Security field, including machine learning, poker games, allocation of security resources, kidnappings and nuclear war. This talk will use the familiar topic of ransomware to introduce participants to game theory concepts like rational decision-making, zero-sum games, incentives, utility and Nash Equilibrium – all important tools that can help solve security problems. By analyzing ransomware decision-making with a game theory mindset, participants will learn a new set of skills and a new way of incentive-driven thinking. Participants may be surprised to find that ransomware response isn’t black or white.
Transcript

sponsors HackerOne, VerCrypt, and Fitbit. Sorry for forgetting you. I'm wearing your product right now. I don't know how you slipped my mind. I want to introduce our next speaker, who actually, he's pretty cool. He'll do it himself.

Thank you. Hi, everybody. Can everybody hear me back there? Boy, am I excited to be here. I love BSides, and I think everybody here loves it too. I'm here to talk about game theory and ransomware. When you're dealing with a ransomware incident, whether you're an incident responder, a CISO, a victim, or a member of law enforcement, what's really going on here? And I'm not talking about what particular strain of malware infected your machine or how many bitcoins the perpetrators are asking for. I'm talking about how our brains work when we're making very tough, difficult decisions. How do people interact with each other when they're in adversarial situations? That's the essence of game theory.

So my name is Tony Martin-Vegue. This is probably my favorite picture of myself. I was about one year old, and my parents to this day will brag about how they just rolled me in front of the TV and that was the best babysitter. And I can tell you not much has actually changed to this day. But some odd years later, I now work at Lending Club, just about a mile from here, and I manage the information security risk team. So I do a couple of things there, but my main job responsibility is quantifying information security risk. That essentially takes a list of threats that are most likely to realize themselves at Lending Club and a list of vulnerabilities, then I match them together and try to figure out what risk is most likely to happen, and use that to help senior management make better decisions. I have a lot of tools in my toolbox, and one of them is decision analysis with game theory. So we're gonna run through that here today.

I started getting interested in game theory back in college. I have a degree in economics and took several semesters in that. And I got interested in ransomware back in early 2016 when the Hollywood Presbyterian Hospital had that really nasty ransomware infection back in February. Does anyone remember that? A couple of people remember that. This was a very impactful ransomware incident. I'm from Los Angeles originally, and I grew up about six miles from this hospital, so I can tell you that this is very large. It's a large hospital. They have about 400 beds, 500 doctors. It's a major regional health care center. So this ransomware incident was extremely impactful not only for the people that work there and the patients, but also for the people that lived in the community.

So around February 4th, 2016, almost a year ago, somebody in the hospital received a phishing email, and there was a Word document attached, a malicious attachment. The person clicked on it, and the next thing you know, their system was infected with ransomware, this particular strain of malware, which was Locky, the Locky strain of ransomware. What happened with that is the malware started encrypting system files and encrypting user files on this person's computer: JPEGs, Word documents, Excel files, et cetera. The files were completely inaccessible to this person. Then a ransom note popped up on the screen basically saying, if you don't pay me X amount of dollars, $3.6 million, you'll never see your files again. The IT department believed that this ransomware infection was spreading very quickly. That one person that clicked on the Word document called the help desk. That one person turned into two. That two turned into 10. 10 turned into 20. So the IT department and the information security folks correctly believed that they had a crisis on their hands. So they started shutting down servers and systems proactively. They shut down workstations, they shut down laptops, servers, network attached storage. They essentially downed their entire IT infrastructure to prevent the ransomware from spreading further.

This is a ransom note from the Locky strain of ransomware. This isn't the exact ransom note, but it's very similar. I know there's a lot of information up here, but it basically says, we've encrypted all your files, and you better pay us, or you'll never see your files again. So their systems were down for a week while they were trying to deal with this incident, presumably trying to restore from backup, trying to ascertain how serious this was. They were actually working with pen and paper at this hospital. So if you can imagine how hard it is for us to do our jobs on a daily basis without a computer, imagine trying to be a nurse or a doctor or administrative staff in a fully electronic hospital. They actually had to reroute 911 patients. So there's people inbound to the hospital, flashing lights in the ambulance, some type of trauma, and the hospital had to turn them away because without a computer, they actually couldn't intake the people. The pharmacy was offline. So yes, question?

Not that I know of. The question was, were there any embedded devices that were hit? And not that I know of. This was a Windows strain of malware.

The pharmacy was offline, so for the patients that were already in the hospital, in the beds, the doctor could write a prescription on pad and paper, but they actually couldn't fill the prescription because they relied on computers to do so. The oncology department was offline, so you can imagine how impactful that must be for people there for cancer treatment. And last, there was no lab work anybody could do, so the doctors and nurses could take samples, they could take blood, but they actually couldn't test it. They couldn't do anything with it. So they struggled in this degraded state for about a week until they decided to pay up. They negotiated the ransom from $3.6 million down to $17,000.

And that in and of itself, I think, is absolutely remarkable, that they were able to negotiate the ransom from so high to so low, but it's actually not very rare. If you are able to negotiate with the cyber criminals that are doing this, nine times out of ten they're gonna lower the price because they want you to pay up. So the question is, did the hospital make the right decision in paying the ransom? Should they have not paid? Should they have just sucked it up and basically restored their IT systems from scratch? That means rebuilding their IT infrastructure from nothing, like a brand new company or a brand new hospital.

So the information security community, I think, was very loud and vocal in their opinion of whether or not they did the right thing. And by information security community, I really mean Twitter. Most of us had this reaction: you know, you dummies, this is what happens to you when you don't patch your shit. This is what happens to you when you don't have backups, when you don't have offline backups, when you don't use Linux, when you don't use Mac, just whatever. I mean, the criticism went on and on and on, and everybody said, I would have never paid. This would never happen to me. I would never negotiate or enrich these people.

But there's something else at play here. We are clearly losing the war against ransomware. Law firms are starting to set up Bitcoin retainers for their clients. What this essentially means is law firms are buying up Bitcoin and holding it for companies for the express purpose of paying cyber extortion, for paying off ransoms. So the very fact that they're doing that tells me that most companies believe that ransomware and cyber extortion is just a foregone conclusion at this point. They're just waiting for the shoe to drop. Ransomware is also on the rise. Kaspersky Lab did a study, and they basically said that in 2015 there was one ransomware victim every two minutes. In 2016, there's one ransomware victim every 40 seconds. I think that's astronomical, and all signs point toward 2017 being way worse than 2016. We're already off to a very rocky start.

The best advice that we, and by we I mean the royal we, information security as a whole, the best advice that we have for people is don't pay. But people are paying. Why? So to answer that question, why, I have a few more questions. The first one is, why is this an open problem? Why is this a problem that doesn't appear to have a solution? We can talk all we want about the solutions of patching and backups and stuff like that, but that clearly isn't reaching everybody. It's not reaching all these victims that are happening every day. Next, what incentivizes the players? You have a cyber criminal who has several decisions, several choices to make when they launch a ransomware campaign, a phishing campaign, and they're sending that out to thousands and thousands of people. And they have decisions to make when they're trying to negotiate with people. Is there anything that we can do to analyze those decisions and insert ourselves into them to try to influence the decisions? And the same thing goes for the victims. They have a lot of decisions too. Can we help those decisions along and try to hope for a better outcome? And last, should we ever pay a ransom? That's the real question here. And I know the title of my talk is, Should I Pay or Should I Go? And that implies that I actually have an answer of whether or not you should pay ransomware.

You probably presume that I'll tell you the answer at the very end of this talk, but I'm actually gonna tell you the answer now, spoiler alert. The answer is, are you ready? It depends. It depends. Like all choices in information security, it's not black and white, it's not a binary decision, it's not option A is clearly the right answer and option B is clearly the wrong answer. It's all shades of risk. Yes? Are there Nash equilibria? There is a Nash equilibrium, yes.

So it's all shades of risk, but what I am going to do is give you a couple of tools to help you analyze decisions when you're dealing with these incidents and hopefully give yourselves a better outcome if and when this happens to you or happens to people that you support. And this is where game theory comes in. What is game theory? It's essentially a mathematical model that studies cooperation and competition between two actors. Those actors can be individuals, like one cyber criminal and one victim, or they can be groups of people, like a group of cyber criminals and a pool of victims. So it takes that adversarial relationship and breaks it down into decisions, analyzes the payouts that you get and the incentives that you have when you make a certain decision, and the outcome of that is better decisions in the long run.

Game theory's been around for a really long time, but it really came into its own as a separate branch of economics in the 1940s when a mathematician named John von Neumann started publishing papers and eventually a book that were absolutely groundbreaking in math, economics, and game theory. And since then, it's been used for many real-world applications. For example, the US military has used it to analyze nuclear war with the Soviet Union. Is nuclear war winnable? And if so, what choices do we have to make when we're fighting that war? It's also been used for a couple of more benign reasons. The most common application that I'm sure a lot of you have heard of is the prisoner's dilemma. What that basically does is analyze two criminals that have been caught, and they were accomplices, and they're put in separate interrogation rooms. Game theory is used to analyze the decisions that each person can make of whether or not to snitch on their accomplice. So it's really interesting. It's been used to analyze how to play hide and seek, the best ways to play that. It's also been used in a lot of information security applications: the best places to deploy your defenses on your network. It's also used to take down cyber criminal rings. A lot of companies have used it for that. Where can we insert ourselves into a cyber criminal's decision-making process and influence the decision?

So now that we have a framework for game theory, let's apply that to ransomware and take a look at some of the game theory attributes of ransomware. So it's a two-player game, obviously. You have a cyber criminal and a victim. It's also non-cooperative. There is such a thing as cooperative games in game theory, but this is definitely non-cooperative. One would hope that victims aren't in collusion with the attackers. It's also asymmetric, and this talks about the strategy that you use. So if you think about tic-tac-toe, that's a symmetric strategy. You have the same strategy as your opponent, putting an X or an O down on a piece of paper. In game theory with ransomware, it's completely asymmetric. The choices you make, your strategy, is totally different from the cyber criminal's decision and strategy. And last is zero-sum. This is a term used in economics and mathematics, and it basically describes a situation in which for every winner there's a loser. The best example I can think of in the real world is a game of poker. When you win a hand of poker, the house loses. When the house wins, you lose. That's basically a zero-sum game.

So let's take a look at the players in this game. I have a confession. When I was trying to describe a cyber criminal, I used to use the hooded guy hunched over a keyboard as the picture. And I used to use that all the time. And I've thought about it, and I've actually never had a person wearing a hoodie do anything bad to me. So I've decided to never use that again. But raccoons are nasty little shits, and they knock down my trash cans at least once a week. So from now on, cyber criminals are raccoons to me. So these are the two players that we have in our game. We have the cyber criminal and the victim.

So let's take a look at the choices that they have. This is what's called a decision tree. This is commonly used in game theory. I know there's a lot of information here, so we're going to zoom in in just a sec, so you don't have to squint your eyes. It basically starts with the cyber criminal in red, flips over to the victim in blue, and then back to the cyber criminal in red. These are the decisions that you make. So the cyber criminal has the first choice. Do I start a ransomware campaign, or do I not start a ransomware campaign? What are the incentives for the cyber criminal to start a ransomware campaign? It's obviously financial; there's a financial motive there. So if we take a look at this decision, is there anything that we can do in the information security community to disrupt this? And this is interactive. I want people to shout out ideas. Can we disrupt this? Can we stop this from happening? Kind of, yes.

The comment was, if you make it hard for the attacker, then they'll change their behavior. So one thing I've been thinking a lot about lately is why are kidnappings down from the 1970s to today? There are a lot of reasons: stiffer penalties, law enforcement. That might be something we can do here. Have you ever heard of a cyber criminal getting arrested for ransomware? Maybe somebody has, but I've never heard of it. Maybe we start there. Maybe that's one place.

Let's take a look at the victim. So we're just going to assume here that the cyber criminal made their decision to start the campaign, and now we have the victim. We're making an assumption that their system's completely infected and they have the ransom note up. So they have a decision. They can try to restore from backup. And if no backups are available, they have to move to the next option here. There are a lot of third-party decryptor kits out there for the most common strains of ransomware. There's a great project out there; I recommend everyone take a look at it. It's called the No More Ransom Project. They're a nonprofit, and they're taking all the decryptor kits that the US government, the FBI, anti-virus vendors, security researchers, that everybody's come up with, and they try to put them in one place and help people decrypt their files without paying the ransom. So if we take a look at these choices here, is there anything that we can do to interrupt this, to help this along, to make it easier for the victim? Any ideas? Yes. Increased knowledge about the problem, absolutely. My mom got hit with ransomware and had no idea what any of this was. Anyone else? Yes. You're missing an option on the decision tree: the cost of restoring from backups is higher than paying the ransom. The comment was the cost of restoring a backup can be higher than paying the ransom because presumably you're restoring from your last backup. You could lose a day's worth of data or more than that. And it can also take a very long time to restore. So for some people, it's easier just to pay the ransom without even trying. Any other ideas?

Enforced backups. What was that? Enforced backups. Enforced backups. A lot of people have a problem with online backups. If you have online backups and they're accessible to the computer, chances are those are going to be encrypted too. So you really need offline backups. And I think that's something that's easy for everybody in this room, but my mom could never do that.

Reduce the pain of backup and restoring so that it's easier and less expensive. I think that's great. We should work on that.

So here's the last decision that somebody would make. We're assuming that these other decisions have failed. They can't restore from backup, can't find a decryptor kit. So now they have the choice of negotiate and/or pay the ransom, and don't pay the ransom. Don't pay the ransom essentially means you eat it. Your data's gone. You're restoring from an image or you're buying a new computer. You're rebuilding your IT infrastructure. For most people, that's not really an option. And the last one is, of course, negotiate. I don't have any hard numbers, but I've heard from some folks at FS-ISAC that paying the ransom's about 80 to 85 percent effective. So that means 80 to 85 percent of the time when you pay the ransom, you're going to get a working decryption key. So, you know, I would like to see better odds, but what can you do when you're dealing with criminals? The last decision is, of course, the cyber criminal can either release the data or not release the data. I think they probably have some incentive to release the data because they want to be seen as somewhat trustworthy criminals, so that when they victimize you again, you'll pay again. It's interesting. So what now? This is hard. I've thrown out a lot of problems. What do we do now? This is my call to action slide.

For the incident responders: we're faced with a multitude of responses. And it's not just a question of pay or don't pay when you get to the end. There are a ton of things that you can do before you even become a victim. I think one of the most important things that you can do, that I don't think a lot of people are doing, is partnering with law enforcement right now. You need to know the name of the special agent at the FBI that works in your regional office. Be on a first-name basis with this person before you become a victim. They can help you, and they do. Next, you can partner with some of the ISACs. If you happen to work in a sector that has ISACs, you can try to help them with decryptor kits and know where you can get decryptor kits if you get to that point. And last, I think that this might be controversial, but I do think it's important to prepare for the eventuality that you'll have to pay at some point if you have no options. And that means having Bitcoin ready or having attorneys buying Bitcoin for you. Thought leaders.

We have a lot of thought leaders in security, don't we? There's a ton. I need thought leaders to recognize that this is an open problem and we don't have a solution yet. And patch your shit's not a solution, because if you ask the vast majority of IT shops, I'm not talking about our IT shops, I'm sure all of you do a great job at patching, but just IT shops out there, out in the country, ask them what their biggest problem is, they're going to tell you it's patching, that we can't keep up with it. We're months, even a year behind on some of our critical patches. Patching is the number one way that you can avoid ransomware. So there's a huge gap here, and I don't think it's just a technical solution. I think we need a multifaceted solution here to solve that. I really think that we just need next-generation information security in order to fix that problem.

And last, risk managers. I've saved the best for last because I'm a risk manager, so I feel that if people and companies, executives and companies, don't know how to deal with ransomware, it really is our fault. We're not expressing the risk to them in a way that they understand. And the day of licking our finger and sticking it in the wind and going up to someone and saying, that's high risk, or that's red, that's yellow, that's green, those days are over. We can't do that anymore. It's time for us to join other risk managers in other sectors and do real evidence-based, data-driven, quantitative risk analysis. Go to our managers and say, you have a risk and your annual exposure is $5 million, and this is how much it'll cost to fix the problem. And I think that if we start doing that, we can start getting a handle on this problem. And that's essentially where game theory and decision analysis come in: analyzing those decisions and trying to make the best, optimal outcomes for us and for our companies. So I have some resources here. I know I've crammed probably three semesters of economics into 25 minutes. So if you have any questions, feel free to ping me afterwards. I think we have a few minutes for questions now. Anybody have anything? Yes.

Are there any companies that have publicly taken a stance and said we'll never pay ransomware? Not that I know of. I haven't heard of anybody. The FBI. You talk about the city and the kind of general strategy. Has there been any work actually quantifying the risk of a security vote? A lot of people are doing that. So the question was, we're talking about decision trees, has anybody done any work on quantifying these security vulnerabilities? There are a lot of different disciplines out there in information security. A lot of them have to deal with risk management, but there's a lot of emerging research right now on attaching dollar figures to security vulnerabilities. And it's something that I'm doing at Lending Club right now, and it's really helping drive some of these decisions.

If you bring the word red or high to somebody, it seems bad, but you can get high-risk fatigue. But if you bring dollar numbers, dollar figures to somebody, now it starts to make sense. Now they can understand how much of a risk that poses to their business. Any other questions?

The question was about fighting back against ransomware, and there are a lot of companies that are doing that. Microsoft is a notable one that's really taken the lead on taking some of these companies down. Answer the question? Yeah. I just want to hear something. Yeah. OK. Thank you, everybody.

again to Tony. And actually, Tony, we have a small gift for you, a brand new Fitbit Alta on behalf of our sponsor Fitbit. Thank you very much. I want to remind everyone there's a party tonight. It's Mr. Robot themed. We're going to have popcorn, cotton candy. It's going to be a lot of fun. We have all sorts of stuff. Be sure to show up tomorrow for more amazing talks. And again, thank you to HackerOne, VerScript, and Fitbit. Tony will be up here to take any questions that you want to take offline. And thanks for showing up.
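The victim's branch of the decision tree described in the talk (restore from backup, try a decryptor kit, pay or negotiate, or don't pay and rebuild) can be worked as an expected-cost calculation, which is what makes "it depends" a computable answer rather than a shrug. This is an added example, not material from the talk or the speaker; only the $17,000 negotiated ransom, the original $3.6 million demand and the 80 to 85 percent chance of receiving a working key come from the talk, while every other dollar figure, the scenario definitions and the function names are constructed assumptions.

```python
"""Expected-cost view of the victim's ransomware decision tree (added example).

Assumption: a rational victim picks the branch with the lowest expected cost.
Paying is not a sure thing: with probability 1 - p the key never arrives and
the victim ends up rebuilding anyway, so that branch carries both costs.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Scenario:
    ransom: float                               # negotiated ransom, in dollars
    p_key_works: float                          # P(working key | ransom paid)
    rebuild_cost: float                         # "eat it": rebuild, data is gone
    backup_restore_cost: Optional[float] = None  # None = no usable backups
    decryptor_cost: Optional[float] = None       # None = no kit for this strain


def expected_cost_of_paying(s: Scenario) -> float:
    """Ransom plus the rebuild you still face if the key does not work."""
    return s.ransom + (1.0 - s.p_key_works) * s.rebuild_cost


def option_costs(s: Scenario) -> Dict[str, float]:
    """Expected cost of every branch actually available to this victim."""
    costs: Dict[str, float] = {}
    if s.backup_restore_cost is not None:
        costs["restore_from_backup"] = s.backup_restore_cost
    if s.decryptor_cost is not None:
        costs["decryptor_kit"] = s.decryptor_cost
    costs["pay_ransom"] = expected_cost_of_paying(s)
    costs["dont_pay_rebuild"] = s.rebuild_cost
    return costs


def best_option(s: Scenario) -> Tuple[str, float]:
    """Branch with the lowest expected cost (ties go to the earlier branch)."""
    costs = option_costs(s)
    name = min(costs, key=costs.get)
    return name, costs[name]


def max_rational_ransom(p_key_works: float, rebuild_cost: float) -> float:
    """Largest ransom for which paying still beats rebuilding.

    Paying wins when ransom + (1 - p) * R <= R, i.e. ransom <= p * R.
    That ceiling is the victim's negotiation limit, which is one reason the
    negotiation the talk describes ($3.6M down to $17k) is not unusual.
    """
    return p_key_works * rebuild_cost


# Constructed scenarios (illustrative numbers, not data from the talk).
HOME_USER_WITH_BACKUPS = Scenario(
    ransom=500.0, p_key_works=0.80, rebuild_cost=2_000.0,
    backup_restore_cost=200.0)

# Hospital-like: no usable backups, no kit, negotiated ransom from the talk.
HOSPITAL_NO_BACKUPS = Scenario(
    ransom=17_000.0, p_key_works=0.80, rebuild_cost=1_000_000.0)

# Same organisation facing the original $3.6M demand: paying no longer wins.
HOSPITAL_FULL_DEMAND = Scenario(
    ransom=3_600_000.0, p_key_works=0.85, rebuild_cost=1_000_000.0)


if __name__ == "__main__":
    for label, sc in [("home", HOME_USER_WITH_BACKUPS),
                      ("hospital, negotiated", HOSPITAL_NO_BACKUPS),
                      ("hospital, full demand", HOSPITAL_FULL_DEMAND)]:
        print(label, option_costs(sc), "->", best_option(sc))
    print("ransom ceiling at p=0.8, R=$1M:", max_rational_ransom(0.80, 1e6))
```

Changing only `rebuild_cost` or `p_key_works` flips the hospital scenario between "pay" and "rebuild", which is the quantitative form of the speaker's point that the same ransom can be the right call for one victim and the wrong call for another.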