In 1992, the co-founder of the software company Adobe Inc., Chuck Geschke, was kidnapped. Arriving for work, Mr. Geschke was abducted from the company parking lot and held hostage for four days until his family paid a $650,000 ransom. According to a scholar from King’s College, kidnappers release hostages when they believe they’ve negotiated the most they can get.
I suspect that corporate ransomware is somewhat similar.
This week, hackers compromised the data systems of a company that carries gasoline, diesel fuel, and natural gas to the U.S. East Coast. To contain any further damage, Colonial Pipeline Co. shut down parts of its delivery network. In a PR statement the hackers (rather unusually) said their only intent was money. Investigators believe that each of 40 victim organizations paid those hackers somewhere between $200,000 and $2 million.
WSJ provided the bigger picture:
Colonial Pipeline is not alone. Retailers and education topped a list of 13 hacked sectors:
Like all markets, the ransom process has a demand and a supply side through which price is determined.
It makes sense that kidnappers and hackers are on the supply side. Their upward-sloping supply curve reflects a willingness and ability to increase their activity when price rises. For kidnapping, the same groups of people exhibit somewhat predictable supply-side behavior. To get their money each time, they have to return the individual. Then, the next event unfolds somewhat similarly. The hostage “return rate” is actually close to 97% for individuals who have insurance.
Meanwhile, the victims are on the demand side. Their goal is minimizing the equilibrium price. We can hypothesize that they are more willing and able to pay when price is lower. For ransomware hackers, the increase in events seems to indicate rosy expectations.
You can see the increase in recent complaints:
Our Bottom Line: Moral Hazard
While many economic ideas relate to ransom markets, let’s just look at moral hazard. Moral hazard is defined as a response that encourages more of the same behavior. It involves situations that range from “too big to fail” to kidnapping. With “too big to fail,” the moral hazard is the rescue. If a bank knows that a government will save it, the behavior continues.
Similarly, guaranteed payment creates moral hazard for kidnapping and hacking.
My sources and more: Today, a WSJ article and a past econlife post on hostage markets created the perfect synergy. Meanwhile, Wired had the Colonial Pipeline hacking facts, and Econtalk had much more on ransom research.