Functions describe the actions that predators (D) and prey (Y) can take in each state (Clean (O), Infected (I), Compromised (C), and Recovering (R)). Each function is called with an assigned probability, which may depend on parameters of the predator and prey. Probabilities of the form \(p_{XYN}\) describe the probability that a function is called. The subscripts in the notation describe whether X is a predator or prey function (D/Y), the state Y that it is called from (O/I/C/R), and an identifying number N.
The probabilities refer to the probability of a function being called at each step of the model. We chose to model a “step” of the model as a day. Based on the time periods ransomware attacks usually last for, we posit that days are a sufficiently granular timespan for modelling and abstraction of the actions taken by predators and prey during a ransomware attack. For example, in a survey of IT and security professionals, 66% of companies estimated it would take five or more days to fully recover from a ransomware attack if they did not pay the ransom [3]; another survey stated that in 2021 one month was the average time taken to recover from an attack [10]; while Yuryna-Connolly et al. found that across 55 ransomware cases, interruptions as a result of ransomware attacks were likely to last days (rather than hours), and, dependent on the severity of the impact, it could take from one week to more than two weeks to regain business continuity, and in more severe cases it could take months for the organisation to fully recover [77].
4.5.1 Justifications for Function Probabilities.
We present support for our assignment of probabilities to functions. As we discuss in Section 7, there is a lack of data to support the probabilities that organisations take various defensive actions, and we have therefore had to make various assumptions based on limited data.
Prey functions. Protection: We assume that organisations with higher protection capability are more likely to succeed in preventing delivery of ransomware. We assign the probability of preventing delivery to be prey[protection capability]: {“high”: 0.9, “medium”: 0.5, “low”: 0.1}. In the absence of evidence to support more specific treatment, we use these as a standard set of values for most of the function probabilities determined by H/M/L prey capabilities (protection, detection, and response).
Detection: We assume that organisations with “high” detection capability will detect types of ransomware with “low” or “medium” hardness of detection with higher probability. We assume that organisations with “low” detection capability have a low chance of detecting ransomware before execution and will not detect ransomware with “high” detection hardness.
Response functions: We assume that organisations with higher levels of response capability are more likely to take the actions recommended by various guidance sources (R13):
• Organisations with “high” response capability are more likely (than those with “medium” or “low” response capability) to take the following actions in response to compromise: successfully clean ransomware; restore from backups (if they have them); otherwise fix impacts; disconnect from the threat vector; remove vulnerability.
• Organisations with “high” response capability are unlikely to pay the ransom, since most guidance recommends against this, and this is therefore assigned a lower probability for organisations with higher response capability. We assume that organisations with “low” response capability take these recommended actions with a lower probability and are relatively more likely to pay the ransom earlier. We assume that organisations with all levels of response capability are more likely to pay the ransom if the attacker applies payment pressure.
In the absence of evidence to support more specific treatment, the probabilities used are the same for these functions: prey[response capability]: {“high”: 0.9, “medium”: 0.5, “low”: 0.1} (and the converse for ransom payment: {“high”: 0.1, “medium”: 0.5, “low”: 0.9}).
Vulnerability removal: In the “prompted” cases, vulnerability-remediation probabilities are handled in line with the treatment of response functions described above. In the unprompted case (i.e., patching following the organisation’s normal patch cycle), we model daily patching for organisations with “high” patching capability (since an automatic patching tool such as Windows Update will check for updates at least daily) and quarterly patching for organisations with “low” patching capability.
Connecting and disconnecting: For disconnecting in the “prompted” case, the probability is handled in line with the treatment of response functions described above. The likelihood of disconnecting in an unprompted case is very low—for this simulation, we set the probability to 0.
The probability of connecting to the Internet in the prompted case (after becoming clean) is very high—we set the probability to 1. In an unprompted case, the probability of connecting is very low—we set the probability to 0.
Discarding: The probability that a prey discards their data is lower; we assume that this action is likely to be taken as a last resort. Furthermore, in the absence of evidence supporting assignment of probability according to response capability (since the action is recommended neither for nor against by guidance), a single value is used.
World functions.
Creating patches: We use 0.1 as the probability that a patch is created at each step. This reflects statistics from a Mandiant study of vulnerabilities, which showed the average time between disclosure and patch availability to be approximately nine days [44].
Creating impact-fixing tool: This probability is determined based on the predator’s hardness of impact-fixing value. In the absence of other evidence, we assign the same probability as for patch creation for the creation of tools to fix ransomware with “medium” hardness and vary the probability in the case of ransomware with “low” and “high” hardness, relative to the standard H/M/L treatment scale described (i.e., \(0.2 * \lbrace 0.1, 0.5, 0.9\rbrace\)).
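The following is an added worked example, not code from the paper, showing how the per-day probabilities in this section behave over time: the H/M/L scale and its converse for ransom payment, the conversion between a mean waiting time and a per-step probability that underlies the 0.1 patch-creation value (a memoryless process with mean 1/p days), the scaled impact-fixing probabilities, and a seeded simulation of days until an unprompted patch under “high” versus “low” patching capability. Everything not stated on the page is labelled as an assumption of this example: the mapping of impact-fixing hardness to the scale (hardest fix gets the lowest probability), “quarterly” modelled as one attempt per 90 days, and the detection table reducing to the standard scale apart from the stated zero for “low” capability against “high” hardness.

```python
"""Added example (not the paper's code): per-day probabilities as durations."""
import random

# Standard H/M/L scale from the page (protection, detection, response).
CAPABILITY_SCALE = {"high": 0.9, "medium": 0.5, "low": 0.1}

# Converse scale for ransom payment, as stated on the page.
RANSOM_PAYMENT = {level: round(1.0 - p, 2) for level, p in CAPABILITY_SCALE.items()}

# Per-day probability that a patch becomes available (page: 0.1, ~9-10 days).
P_PATCH_CREATED = 0.1


def per_step_probability(mean_days: float) -> float:
    """Per-day probability for a memoryless (geometric) event with the given mean.

    For a geometric waiting time the mean is 1/p, so p = 1/mean.
    """
    if mean_days <= 0:
        raise ValueError("mean_days must be positive")
    return 1.0 / mean_days


def expected_days(p: float) -> float:
    """Mean number of days until an event that occurs with probability p per day."""
    if not 0 < p <= 1:
        raise ValueError("p must be in (0, 1]")
    return 1.0 / p


def prob_event_within(p: float, days: int) -> float:
    """Probability that the event has happened at least once within `days` steps."""
    return 1.0 - (1.0 - p) ** days


def detection_probability(capability: str, hardness: str) -> float:
    """Page rule: 'low' capability never detects 'high'-hardness ransomware.

    Assumption (this example): otherwise the standard H/M/L scale applies.
    """
    if capability == "low" and hardness == "high":
        return 0.0
    return CAPABILITY_SCALE[capability]


def impact_fix_probability(hardness: str) -> float:
    """Page: 0.2 * {0.1, 0.5, 0.9}; 'medium' equals the patch-creation value.

    Assumption (this example): 'high' hardness maps to the lowest factor.
    """
    factor = {"high": 0.1, "medium": 0.5, "low": 0.9}
    return round(0.2 * factor[hardness], 3)


# Unprompted patching: daily for 'high' capability (page), quarterly for 'low'.
# Assumption (this example): 'quarterly' is one attempt every 90 days.
UNPROMPTED_PATCH = {"high": 1.0, "low": per_step_probability(90)}


def simulate_days_until(p: float, rng: random.Random, max_days: int = 10_000) -> int:
    """Number of daily steps until the event fires (bounded by max_days)."""
    for day in range(1, max_days + 1):
        if rng.random() < p:
            return day
    return max_days


def mean_simulated_days(p: float, trials: int = 2000, seed: int = 1) -> float:
    """Seeded Monte Carlo estimate of the mean waiting time for a per-day probability."""
    rng = random.Random(seed)
    return sum(simulate_days_until(p, rng) for _ in range(trials)) / trials


if __name__ == "__main__":
    print("mean days to patch creation:", expected_days(P_PATCH_CREATED))
    print("P(patch within 30 days):", round(prob_event_within(P_PATCH_CREATED, 30), 3))
    for level, p in UNPROMPTED_PATCH.items():
        print(f"unprompted patch ({level}): ~{mean_simulated_days(p):.1f} days")
    for hardness in ("low", "medium", "high"):
        print(f"impact-fix tool ({hardness} hardness): {impact_fix_probability(hardness)}")
```

The useful check here is the mismatch between a per-step probability and the duration people quote: a per-day probability of 0.1 gives a mean of 10 days but only a 95.8% chance of a patch within 30 days, so the long tail of a memoryless process is part of what the model encodes.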