Authors: Zhen Li, Qi Liao
Venue: Proceedings of the 15th International Conference on Availability, Reliability and Security (ARES 2020)
Published: 2020-07-30
DOI: 10.1145/3407023.3409196 (https://doi.org/10.1145/3407023.3409196)
Ransomware 2.0: To Sell, or Not to Sell? A Game-Theoretical Model of Data-Selling Ransomware
Cybercrime such as ransomware denies access to valuable data until a ransom is paid. Recent ransomware attacks on organizations such as hospitals, schools, government agencies and private businesses have raised public awareness of their severe impact on society. In this paper, we propose a hypothetical new revenue model for ransomware: selling the stolen data. Through a game-theoretical analysis of attackers and victims, we contribute a novel model for understanding the critical decision variables that separate traditional ransomware (ransomware 1.0), which only demands a ransom, from the new type (ransomware 2.0), which sells the data as well as demanding a ransom. Both theoretical modeling and simulation studies suggest that, in general, ransomware 2.0 is more profitable than ransomware 1.0. Common defensive measures that may eliminate the financial incentives of ransomware 1.0, in particular data backups and a never-pay-ransom policy, may not work against ransomware 2.0. Nevertheless, the uncertainties created by this new revenue model may affect attackers' reputation and users' willingness to pay, so ransomware 2.0 does not always increase attackers' profitability. Another finding of the study is that reputation maximization is critical in ransomware 1.0 but not in ransomware 2.0, where attackers should seek an imperfect reputation to maximize profit.
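To make the incentive argument in the abstract concrete, the following is an added toy expected-profit model written for this page; it is not the authors' formal game model, and every parameter (`resale_value`, `exfil_cost`, `keep_word`, the victim postures and the dollar figures) is a constructed assumption. It lets a victim choose to pay as a best response to a ransom demand, lets the attacker grid-search the most profitable demand under a ransom-only (1.0) and a ransom-plus-sale (2.0) strategy, and compares the outcomes across three defensive postures. The point it demonstrates is the one the abstract states: backups and a never-pay policy drive ransom-only revenue to zero, but a sale to a third party yields revenue whether or not the victim ever pays.

```python
"""Toy expected-profit comparison of ransom-only ("ransomware 1.0") and
ransom-plus-data-sale ("ransomware 2.0") extortion.

Hypothetical illustrative model added for this page. It is NOT the formal
game-theoretical model of Li and Liao; all names and numbers are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Victim:
    data_value: float       # loss if the data stays unavailable (no backup)
    disclosure_loss: float  # loss if the stolen data is sold or leaked
    has_backup: bool        # a usable backup restores availability ...
    recovery_cost: float    # ... at this cost (restore effort, downtime)
    never_pay: bool         # policy: refuse to pay regardless of the numbers


@dataclass(frozen=True)
class Attacker:
    resale_value: float   # assumed price the stolen data fetches from a third party
    campaign_cost: float  # cost of the encryption campaign (both strategies)
    exfil_cost: float     # extra cost of exfiltration and brokering (2.0 only)


def availability_loss(v: Victim) -> float:
    """What the victim loses if it never gets the decryption key."""
    return v.recovery_cost if v.has_backup else v.data_value


def pays(v: Victim, ransom: float, sells_data: bool, keep_word: float) -> bool:
    """Victim best response: pay iff the ransom is below what paying avoids.
    Under 2.0 the victim also weighs the believed probability (keep_word)
    that paying stops the sale; under 1.0 only availability matters."""
    if v.never_pay:
        return False
    avoided = availability_loss(v)
    if sells_data:
        avoided += keep_word * v.disclosure_loss
    return ransom < avoided


def profit_1(v: Victim, a: Attacker, ransom: float) -> float:
    """Ransom-only: revenue exists only if the victim pays."""
    revenue = ransom if pays(v, ransom, sells_data=False, keep_word=1.0) else 0.0
    return revenue - a.campaign_cost


def profit_2(v: Victim, a: Attacker, ransom: float, keep_word: float) -> float:
    """Ransom plus sale: the data is sold for sure if unpaid, and with
    probability (1 - keep_word) even when the victim pays."""
    if pays(v, ransom, sells_data=True, keep_word=keep_word):
        revenue = ransom + (1.0 - keep_word) * a.resale_value
    else:
        revenue = a.resale_value
    return revenue - a.campaign_cost - a.exfil_cost


def best_ransom(v: Victim, a: Attacker, model: int, keep_word: float = 1.0,
                step: float = 1_000.0, cap: float = 1_000_000.0):
    """Grid-search the ransom demand that maximises attacker profit.
    Returns (profit, ransom); the first maximiser wins ties."""
    best = (float("-inf"), 0.0)
    r = 0.0
    while r <= cap:
        p = profit_1(v, a, r) if model == 1 else profit_2(v, a, r, keep_word)
        if p > best[0]:
            best = (p, r)
        r += step
    return best


# Constructed sample parameters (assumptions, not data from the paper).
ATTACKER = Attacker(resale_value=50_000, campaign_cost=5_000, exfil_cost=10_000)

POSTURES = {
    "no backup, will pay": Victim(data_value=200_000, disclosure_loss=300_000,
                                  has_backup=False, recovery_cost=0, never_pay=False),
    "backup, will pay":    Victim(data_value=200_000, disclosure_loss=300_000,
                                  has_backup=True, recovery_cost=20_000, never_pay=False),
    "backup, never pay":   Victim(data_value=200_000, disclosure_loss=300_000,
                                  has_backup=True, recovery_cost=20_000, never_pay=True),
}


def compare(keep_word: float = 1.0) -> dict:
    """Best attacker profit per posture under each strategy."""
    return {name: {"1.0": best_ransom(v, ATTACKER, 1)[0],
                   "2.0": best_ransom(v, ATTACKER, 2, keep_word)[0]}
            for name, v in POSTURES.items()}


if __name__ == "__main__":
    for name, row in compare().items():
        print(f"{name:22s} 1.0: {row['1.0']:>10,.0f}   2.0: {row['2.0']:>10,.0f}")
```

With these constructed figures, the backup-plus-never-pay posture leaves the ransom-only attacker with a loss equal to the campaign cost, while the data-selling attacker still clears the resale value minus costs; a backup alone only caps the ransom-only demand at the recovery cost, whereas under 2.0 the disclosure loss keeps the demand high. The `keep_word` parameter is the hook for the reputation question the abstract raises (how much a victim believes that paying prevents the sale); the toy makes no claim about the paper's imperfect-reputation result, which comes from its own model.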