Article
Peer-Review Record

Ransomware and Reputation

Games 2019, 10(2), 26; https://doi.org/10.3390/g10020026
by Anna Cartwright 1 and Edward Cartwright 2,*
Reviewer 1: Anonymous
Reviewer 2: Anonymous
Submission received: 28 February 2019 / Revised: 7 May 2019 / Accepted: 11 May 2019 / Published: 10 June 2019
(This article belongs to the Special Issue Game Theory for Security)

Round 1

Reviewer 1 Report



A report on the paper entitled “Ransomware and Reputation”

The paper discusses a population game of one criminal randomly matched with one victim from a population. The criminal encrypts files and asks a ransom. The victim pays the ransom, or not. Then the criminal returns the files, or not. The paper first develops a model, gives results for two polar cases and then proceeds with simulation results for “in-between” cases.

The basic idea hinges on reputation concerns. The idea, of course, is well known. Past behavior of one player is used by other players as a tool to induce behavior in the given game. Also in this situation for a victim to pay up depends on a belief about the probability of getting the files back.

(Evaluation)

Judging from the literature review this does fill a gap in the specific literature on ransomware. But the discussion in the conclusion makes it clear that it seems a little odd to talk of reputation in this field. Not so much because this is a criminal activity, but because of the anonymity and the hit-and-run culture of internet crime. In this context to speak of a brand as the authors do in the conclusion, seems a little far-fetched to me. Since the costs of setting-up this kind of business seems relatively low you would right away have free riders entering the market once a strand of ransomware has developed some sort of reputation.

The presentation of beliefs is quite odd and not well motivated. Why are victims not Bayesian updaters? The probability in equation (12) is not clear. If it is the sum of past incidences of having given back the files, how is it not greater than 1?

Only in the very end concerns of law enforcement are introduced. There should be a discussion on this, because the threat of being caught will certainly make criminals pursue short-term strategies. Is it simply that it is impossible for law enforcement to detect and prosecute this due to jurisdiction concerns?

(Minor points)


It is not clear what the purpose of the closed-form solution in equations (7) to (11). It does not seem to be needed later on and is not discussed further.

The first part of the conclusion could easily be moved to the introduction, because it clears up some specifics of this “market” for the uninitiated reader.


Comments for author File: Comments.pdf

Author Response

(Original comment) Judging from the literature review this does fill a gap in the specific literature on ransomware. But the discussion in the conclusion makes it clear that it seems a little odd to talk of reputation in this field. Not so much because this is a criminal activity, but because of the anonymity and the hit-and-run culture of internet crime. In this context to speak of a brand as the authors do in the conclusion, seems a little far-fetched to me. Since the costs of setting-up this kind of business seems relatively low you would right away have free riders entering the market once a strand of ransomware has developed some sort of reputation.

(Reply) This comment touches on a number of interesting and related points. On the one hand you could argue (as Cusack and Ward essentially do) that the inability of ransomware criminals to build a 'brand' or 'reputation' basically means ransomware is doomed to fail. The flip side of this is that there is (at least in principle) the potential for building a brand and reputation. There are examples, CryptoLocker and CryptoWall being two, that built a good reputation of returning files (and plenty that had a bad reputation). Technically it can be difficult to copy a particular strain of ransomware and so the criminals probably have a few weeks or months to cash in before free-riders damage the brand. This can be a fast evolving environment. We comment on this now in the paper. Crucially, we are not arguing that ransomware strands will get a reputation, we are just saying that this is a critical issue in how ransomware will evolve.


The presentation of beliefs is quite odd and not well motivated. Why are victims not Bayesian updaters? The probability in equation (12) is not clear. If it is the sum of past incidences of having given back the files, how is it not greater 1?

We have said more on beliefs and where these come from. In an appendix we show that independent beliefs and a grim-trigger strategy can be consistent with Bayesian updating and Bayes Nash equilibrium. But, overall we are skeptical that Bayesian updating is appropriate for our setting. The evidence that people can Bayesian update is weak and in our setting it seems optimistic to assume a ransomware victim would optimally interpret all the information that has gone before. Instead, we, therefore, propose a simple belief-based learning model based on empirical frequencies. This is consistent with models in the literature. Equation (12) contained a typo which is now fixed. 


Only in the very end concerns of law enforcement are introduced. There should be a discussion on this, because the threat of being caught will certainly make criminals pursued short-term strategies. Is it simply that it is impossible for law enforcement to detect and prosecute this due to jurisdiction concerns?


It is not clear what the purpose of the closed-form solution in equations (7) to (11). It does not seem to be needed later on and is not discussed further.

This is merely an example applying Propositions 1 and 2. It could be dropped but seems to add some value. And now the appendix does make use of the equations.  

The first part of the conclusion could easily be moved to the introduction, because it clears up some specifics of this “market” for the uninitiated reader.

We have expanded the first two paragraphs of the introduction to add a bit more detail on ransomware.


Reviewer 2 Report

Summary

This paper considers a repeated prisoner's dilemma game between a long-lived cyber-criminal and a series of short-lived victims. In each period, the victim must decide whether or not to pay the ransom demanded by the criminal in order to recover their stolen data, while the criminal must decide whether or not to give back the data.

First, it is assumed that a victim has access to all the past history of the game, so it knows whether or not the criminal received ransom money and returned the data. Proposition 1 states that there is a subgame-perfect Nash equilibrium (SPE) of the repeated game in which the stage-game Nash equilibrium is repeated in every period. That is, the victim never pays and the criminal never returns the data. Proposition 2 states that when the criminal is sufficiently patient, there is an equilibrium in which the victim pays the ransom and the criminal returns the data.

The paper then considers the case in which the series of short-lived victims only observe a subset of the past history in play. Proposition 3 shows that when the sample size is one, there is an equilibrium in which the data is always returned, and Proposition 4 states that when the sample is large it cannot be optimal to always return the data.


Main comments

This paper is framed as a model of reputation building for cyber-criminals, but it is not a reputation model: there is no incomplete information (uncertainty about the type of the cyber-criminal), and so we are left with a standard repeated-game between a long-lived and a short-lived player. Therefore we know that the infinite repetition of the stage-game NE is always an SPE, and when the long-lived player is patient enough the folk-theorem tells us that anything can be sustained in equilibrium. 

As a result, the paper should be re-framed in reference to standard repeated games model, and reference to reputation and belief formation should be removed, unless the model changes to a reputation model. 


Minor comments

- I would suggest to write a history as $h_t = \{r_1,p_1,g_t, \ldots , r_{n-1}, p_{n-1}, g_{n-1}\}$.

- The histories upon which the criminal and the victim condition their strategies are not the same. In period $n$, the victim observes $r_{n-1}$ while the criminal also observes $p_{n-1}$.

- In line 81, it is ambiguous to talk about one particular criminal, because the model doesn't accommodate multiple long-lived players.

- Is there a $1/n$ factor missing in Equation (12)?

- How important is the cost parameter $c$? If $c=0$ then it would be weakly optimal for the criminal to return the data, absent any reputation effects. So actually using $c=0$ seems like a good idea to focus on the reputation effects. In any case, a small discussion of this parameter would be interesting.

Evaluation

This paper offers a simple application of repeated games and the Folk theorem to cyber-criminality. However, it is misguided in talking about reputation and belief formation. I think the authors should either incorporate elements of reputation models in their paper, or abandon that terminology and embrace the one of repeated games and the Folk theorem. In its current form, I do not see the paper as suitable.

Author Response

(Original comment) This paper is framed as a model of reputation building for cyber-criminals, but it is not a reputation model: there is no incomplete information (uncertainty about the type of the cyber-criminal), and so we are left with a standard repeated-game between a long-lived and a short-lived player. Therefore we know that the infinite repetition of the stage-game NE is always an SPE, and when the long-lived player is patient enough the folk-theorem tells us that anything can be sustained in equilibrium. 

As a result, the paper should be re-framed in reference to standard repeated games model, and reference to reputation and belief formation should be removed, unless the model changes to a reputation model. 


(Reply) Thank you for this comment which was very useful. We initially used the word 'reputation' in its more general literary sense, and the sense used by others in the ransomware literature (e.g. Cusack and Ward 2018). Following your comment we have revisited the notion of reputation in the game theoretic literature. We believe that reputation, as we use it is consistent with the game theoretic notion of reputation. In particular, the victim is trying to discern whether or not the criminal will honor ransom payments; this could be mapped to uncertainty over the type of the criminal. We now comment on this fully (see the end of Section 2). 

In the main body of the paper we have not gone down the route of explicitly setting out a model of incomplete information because this seems too restrictive. Our 'black box' approach allows us to model the incentives of the criminal without imposing strong assumptions on the victims. In a new appendix we illustrate Bayesian Nash equilibria consistent with models of reputation. This relates to the comment about the Folk Theorem. In our model the criminal takes as given the behavior of the victims. So, the Folk Theorem is moot here. We are looking at whether the criminal has an incentive to return files given how victims behave.


I would suggest to write a history as $h_t = \{r_1,p_1,g_t, \ldots , r_{n-1}, p_{n-1}, g_{n-1}\}$.

Changed as suggested.


The histories upon which the criminal and the victim condition their strategies are not the same. In period $n$, the victim observes $r_{n-1}$ while the criminal also observes $p_{n-1}$.

We set up history merely to look at belief formation of victims. So, the criminal is not important here. But we did need to clarify that the victim observes $r_n$. This is now reflected in Section 2.


In line 81, it is ambiguous to talk about one particular criminal, because the model doesn't accommodate for multiple long-lived players.

We agree that we were talking loosely here. It is trivial to extend our game to one with multiple criminals and apply our results. In the revised version we are more careful with our language around this point.


Is there a $1/n$ factor missing in Equation (12)?

Yes. Thanks for pointing that out.


How important is the cost parameter $c$? If $c=0$ then it would be weakly optimal for the criminal to return the data, absent any reputation effects. So actually using $c=0$ seems like a good idea to focus on the reputation effects. In any case, a small discussion of this parameter would be interesting.

We now discuss the interpretation of $c$ in Section 2. We also have a new appendix which considers the case of $c=0$.  
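To make the structure discussed in this exchange concrete, here is a small simulation, added as an illustration; it is not code from the paper or its authors. It models the long-lived criminal facing a sequence of short-lived victims, as in Reviewer 2's summary, and gives each victim the belief rule the authors describe in their reply to Reviewer 1: the empirical frequency of returned files, i.e. the $1/n$ average over the sample of past outcomes that the missing factor in Equation (12) refers to. The payoff values, the rule that a victim pays when the believed return probability times the file value covers the ransom, the optimistic prior, the restriction of the sample to victims who actually paid, and the "alternate" cheating policy are all assumptions of this example; it does not reproduce the paper's equations or propositions.

```python
"""Toy simulation of a long-lived criminal facing short-lived ransomware victims.

Constructed for illustration only. The numbers, the victim decision rule and the
sampling rule are assumptions of this example, not the paper's model.
"""
from typing import Callable, Dict, List, Tuple

# Assumed stage-game parameters (constructed values).
VALUE = 10.0        # V: what the encrypted files are worth to a victim
RANSOM = 4.0        # R: ransom demanded
RETURN_COST = 1.0   # c: criminal's cost of returning files (e.g. 'customer support')
DELTA = 0.9         # discount factor of the long-lived criminal
PRIOR = 1.0         # assumed belief of a victim who has observed nothing yet

Outcome = Tuple[bool, bool]                 # (victim paid, files returned)
Policy = Callable[[List[Outcome]], bool]    # criminal's rule: return files given history?


def victim_belief(history: List[Outcome], sample_size: int) -> float:
    """Empirical frequency of returns among the last `sample_size` paying victims.

    This is a plain average (the 1/n factor) over the observed sample, falling
    back to PRIOR when nothing has been observed. Assumption: only the outcomes
    of victims who paid carry information, so the sample is drawn from those.
    """
    paid_outcomes = [returned for paid, returned in history if paid]
    sample = paid_outcomes[-sample_size:] if sample_size > 0 else paid_outcomes
    if not sample:
        return PRIOR
    return sum(sample) / len(sample)


def victim_pays(belief: float) -> bool:
    """Assumed rule: pay iff the expected value of paying covers the ransom."""
    return belief * VALUE >= RANSOM


def always_return(history: List[Outcome]) -> bool:
    return True


def never_return(history: List[Outcome]) -> bool:
    return False


def alternate(history: List[Outcome]) -> bool:
    """Constructed cheating policy: return files to every second paying victim."""
    payments_so_far = sum(1 for paid, _ in history if paid)
    return payments_so_far % 2 == 0


def simulate(policy: Policy, sample_size: int, periods: int = 20) -> Tuple[float, List[Outcome]]:
    """Play `periods` rounds; return (discounted criminal payoff, full history)."""
    history: List[Outcome] = []
    payoff = 0.0
    for t in range(periods):
        paid = victim_pays(victim_belief(history, sample_size))
        returned = paid and policy(history)     # nothing to return if nobody paid
        if paid:
            payoff += (DELTA ** t) * (RANSOM - (RETURN_COST if returned else 0.0))
        history.append((paid, returned))
    return payoff, history


def count_payments(history: List[Outcome]) -> int:
    return sum(1 for paid, _ in history if paid)


def count_returns(history: List[Outcome]) -> int:
    return sum(1 for _, returned in history if returned)


POLICIES: Dict[str, Policy] = {
    "always_return": always_return,
    "never_return": never_return,
    "alternate": alternate,
}


def criminal_payoffs(sample_size: int, periods: int = 20) -> Dict[str, float]:
    """Discounted payoff of each policy when victims sample `sample_size` past outcomes."""
    return {name: simulate(policy, sample_size, periods)[0] for name, policy in POLICIES.items()}


if __name__ == "__main__":
    for k in (1, 4):
        print(f"victims observe the last {k} paying victim(s):")
        for name, value in criminal_payoffs(k).items():
            print(f"  {name:14s} {value:6.2f}")
```

Running it with a sample size of 1 and of 4 shows the qualitative difference Reviewer 2's summary points to. With a sample of one, a criminal who ever withholds files loses every future payment at once, so always returning pays best. With the larger sample, the policy that returns files only every second time keeps the observed frequency at or above the victims' threshold (0.5 against a required 0.4 here) and earns more than always returning. From the defender's side the lesson is that victims' willingness to pay rests on how much accurate return history they can see, which is why shared data from incident responders and insurers on whether a strain really returns files changes the criminal's calculation.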



Reviewer 3 Report

This is a really good paper that covers a topic of high interest: ransomware. This is a growing concern across the globe, and, as the authors point out, there is a considerable literature on it. The clever aspect of their paper — and one I had never considered — concerns the reputation of the people holding files/devices hostage, with "reputation" defined as whether one's files get returned after the ransom payment. Criminals have three choices—return the files, take the money and run, or ask for more ransom, perhaps after returning some of the files. They show the conditions under which each scenario is superior or inferior. Importantly, all scenarios depend on a victim knowing what all other victims are doing. This is fine in simulations, but, and the authors know this, it probably does not apply to the real world. One would have to know about a ransomer's reputation, which can only be gained socially, either through word of mouth or via search engines.


This leads me to make a few observations that might strengthen the paper, especially those who might be scared away by the math.  That would be too bad because the paper has a lot to say.  


For example, on page 1 is this statement: "We show that in a baseline case where victims are unresponsive to past experience it is optimal for the criminal to not return files."  I think the authors really need to help their readers out by explaining here why that's the case.  When I read that, my first thought was, "Why?  It can't take more than a second to hit a button and unlock a machine or return some files.  Where's the 'cost'?"  The rationale for why this should be the case needs to be brought up again in the conclusion, where this statement is made (page 9): "In this setting, the optimal strategy (if there is no way for the criminal to create a distinct brand) is to not return the files."  Again, why?  This may be a case where simulation and the real world don't match—a simulation in which costs are assigned that don't really exist out in the world.


I also have a problem with the following statement, which follows immediately the one I just mentioned (page 9): "This [strategy], though, cannot succeed in the long run and ultimately would mean that ransomware has no viable future." Here, they're referring to the take-the-money-and-run strategy in situations where the payers cannot discern reputational differences. My question is this: Why does this mean that ransomware has no viable future? What are people who are attacked going to do? Not pay? If so, then the world comes to a screeching halt. You need to convince me that irrespective of reputations being made (and recognized) people aren't going to pay. What recourse do they have? Better back-up systems? If that were the answer, we wouldn't have much in the way of ransomware today.


Mike O'Brien


Author Response

This is a really good paper that covers a topic of high interest: ransomware.  

Thanks for the positive comment.


This is a growing concern across the globe, and, as the authors point out, there is a considerable literature on it. The clever aspect of their paper — and one I had never considered — concerns the reputation of the people holding files/devices hostage, with "reputation" defined as whether one's files get returned after the ransom payment. Criminals have three choices—return the files, take the money and run, or ask for more ransom, perhaps after returning some of the files. They show the conditions under which each scenario is superior or inferior. Importantly, all scenarios depend on a victim knowing what all other victims are doing. This is fine in simulations, but, and the authors know this, it probably does not apply to the real world. One would have to know about a ransomer's reputation, which can only be gained socially, either through word of mouth or via search engines.

Yes, we have in mind here word of mouth, forums and the like. Potentially law enforcement, insurance companies etc. may have more detailed complete data on whether files are returned for particular ransomware strands. 


This leads me to make a few observations that might strengthen the paper, especially those who might be scared away by the math.  That would be too bad because the paper has a lot to say.  


For example, on page 1 is this statement: "We show that in a baseline case where victims are unresponsive to past experience it is optimal for the criminal to not return files."  I think the authors really need to help their readers out by explaining here why that's the case.  When I read that, my first thought was, "Why?  It can't take more than a second to hit a button and unlock a machine or return some files.  Where's the 'cost'?"  The rationale for why this should be the case needs to be brought up again in the conclusion, where this statement is made (page 9): "In this setting, the optimal strategy (if there is no way for the criminal to create a distinct brand) is to not return the files."  Again, why?  This may be a case where simulation and the real world don't match—a simulation in which costs are assigned that don't really exist out in the world.

Thanks for this comment, which is related to one of Referee 2. We believe that there will almost inevitably be some costs (however small) to returning files to victims. The biggest cost is likely to be the 'customer support' of guiding (non-computer-literate) victims on how to decrypt files. To just return the private key is not enough - because that does not preserve reputation. They need the victim to get access to their files again. We have commented on this in the intro and in Section 2.


I also have a problem with the following statement, which follows immediately the one I just mentioned (page 9): "This [strategy], though, cannot succeed in the long run and ultimately would mean that ransomware has no viable future." Here, they're referring to the take-the-money-and-run strategy in situations where the payers cannot discern reputational differences. My question is this: Why does this mean that ransomware has no viable future? What are people who are attacked going to do? Not pay? If so, then the world comes to a screeching halt. You need to convince me that irrespective of reputations being made (and recognized) people aren't going to pay. What recourse do they have? Better back-up systems? If that were the answer, we wouldn't have much in the way of ransomware today.

In our opinion if ransomware started to get a bad reputation then people would not pay and ransomware disappears. The 'problem' is that criminals do seem to be honoring ransomware payments most of the time. The famous wayward comment of an FBI agent publicly telling people to pay the ransom is consistent with the more general impression that paying the ransom can make sense. The advice on the web often says 'paying is not guaranteed to get files back' - but that framing gives the impression there is a good chance of getting them back. With WannaCry people stopped paying quickly as word got around that nobody was getting their files back. So, a more general point here is that ransomware strands with a good reputation are likely to be more of a threat. We added some to the Conclusion as suggested. Ultimately, we think that ransomware does have a future but that is because the criminals will return files often enough.

Round 2

Reviewer 1 Report

I think the paper has really improved now.

Author Response

Thanks for the suggestions and comments on the previous edition. Nothing more to add here.

Reviewer 2 Report

Line 121/122: I disagree with that statement. In a reputation model, beliefs are shaped by the fact that past actions reveal information about the type. In a standard repeated game setting, beliefs are shaped by past actions only insofar as past actions reflect the strategy choice of the cybercriminal. (See the book by Mailath and Samuelson, Section 15.1).

However I think that the paper has greatly improved by having a more sound discussion about beliefs and commitment types.

Author Response

Thanks for the comments and suggestions on the earlier version. In terms of this version:

> I disagree with that statement. In a reputation model, beliefs are shaped by the fact that past actions reveal information about the type. In a standard repeated game setting, beliefs are shaped by past actions only insofar as past actions reflect the strategy choice of the cybercriminal. (See the book by Mailath and Samuelson, Section 15.1).

We are not entirely clear how this point (which we agree with) relates to what we wrote. We used the phrase 'Or it could be the short-run players put some positive probability the criminal is a "commitment type" who has a behaviour strategy to honour ransom payments'. Here we are linking type with the strategy associated with that type - which seems ok to us. To find a good compromise, in the current version we write 'a "commitment type" who will honour ransom payments'. Hopefully, that addresses the issue and clears up any uncertainty.
