Recently, travel management company CWT became yet another victim of a ransomware attack. The company paid the attackers over 400 Bitcoins ($4.5million) to get its data back. The negotiations between CWT and the attackers were documented in a fascinating thread by Reuters writer Jack Stubbs. Mr. Stubbs made note of how professional and congenial the back and forth between the two parties was. For example:
I recommend you read the whole thing. However. faithful readers of the Security Economics blog know that we dig in to the economics of security. In this case, we look at the economics of ransomware. So, let’s start with some history and background.
Ronald Coase was born in England in 1910. He attended the London School of Economics, and eventually moved to the US and settled in as a professor at the University of Chicago. In 1960, Coase wrote his landmark paper “The Problem of Social Cost.” The paper was instrumental in getting Coase awarded the Nobel Prize in Economics in 1991. The paper is foundational to the field of law and economics, and has become the most frequently cited work in all of legal scholarship.
In a nutshell, The Coase Theorem states that:
Under ideal economic conditions, where there is a conflict of property rights, the involved parties can bargain or negotiate terms that will accurately reflect the full costs and underlying values of the property rights at issue.
It is important to note that the terms negotiated will be Pareto optimal. An outcome is Pareto optimal if there is no alternative that improves one participant’s well-being without reducing the other participant’s well-being. Importantly, Coase’s Theorem demonstrates that the negotiation is optimal regardless of which party had rights to the property before the property rights were infringed upon. The theory also assumes that the transaction costs (e.g., costs of negotiation) are essentially zero.
Now, with that background, let’s get back to CWT. CWT was certainly wronged by the its attackers. When they were approached by the attackers they could have simply refused to pay the ransom. However, that would have almost certainly resulted in a very high cost to rebuild their servers and a major loss of customer data. They negotiated with the attackers to come to an agreement (a $4.5 million payment) that they felt was economically acceptable. Similarly, the attackers negotiated down from their original $10 million asking price. Had they walked away from the negotiations, they would have lost any chance at making money and recouping their operating expenses. The negotiation costs were negligible, as the bargaining was done quite quickly over a chat channel, so the main assumption for Coase’s Theorem was met. We can therefore state that the $4.5 million settlement was optimal to both parties.
A ransomware attack is obviously a criminal deed and companies should be vigilant to avoid being victims. However, a negotiated ransom is less, and often much less, than the actual cost of getting the information back by other means (if that is even possible).
So we have economically proven, based on Coase’s Theorem, that the optimal way to get out of a ransomware situation is to negotiate and pay the ransom. Now, I know what some of you are saying: What about if they just take our money and leave our systems locked? Doesn’t the FBI recommend against paying ransoms? Haven’t you heard about externalities??? Yes, I have heard all those arguments, and my next blog post will address them, so stay tuned.