Changing the Game – Algorithmic Game Theory in Ransomware Negotiations

Table of Contents

I. Executive Summary
II. Introduction
  A. Defining Ransomware
  B. Impact of Ransomware Attacks on Organizations
III. Key Players in Ransomware Negotiations
  A. Ransomware Negotiators
  B. The Lawyer’s Role in Ransomware Negotiations
IV. Using Game Theory in Ransomware Negotiations
  A. Limitations of the Traditional Game Theory Model
V. AI For Data Analytics
VI. Algorithmic Game Theory Models
VII. Strategies for Implementing AGT Modeling
  A. Role of the Lawyer after AGT Modeling is Implemented
  B. In-House Led Tabletop Exercises
  C. The Advantages of Legal Panels in Implementing AGT Modeling
  D. Improving Negotiating Power with Cyber-Insurance Providers
VIII. Conclusion

I. Executive Summary

Ransomware attacks are a growing threat, inflicting significant operational, financial, and reputational damage on organizations worldwide. With attackers exploiting information asymmetry, traditional game theory negotiation strategies are inadequate in minimizing these risks. This paper explores how Algorithmic Game Theory (AGT) can strengthen an organization’s leverage in negotiations by creating adaptive, data-informed strategies tailored to an organization’s specific vulnerabilities and priorities. Organizations face unique challenges during ransomware negotiations, including the unpredictability of the attacker’s behavior, the evolving ransomware landscape, and the limited amounts of useful historical data. AGT addresses these challenges by integrating the organization’s unique data and enabling organizations to simulate potential negotiation outcomes, assess risks, and make informed decisions. Organizations with sufficient financial resources and computational power may be able to implement AGT modeling in-house. However, other organizations that lack these resources might find it more compelling to leverage third-party AGT providers or legal panels. These parties can manage AGT modeling, conduct tabletop exercises, and recommend organizational changes to improve ransomware preparedness. Additionally, AGT model outputs can empower organizations to negotiate more effectively with cyber insurance providers, shifting leverage by demonstrating preparedness and reducing perceived risk.

II. Introduction

Imagine a busy corporation on a typical workday—emails are flying, meetings are in full swing, and projects are on tight deadlines. Suddenly, everything grinds to a halt. Files are inaccessible, systems are frozen, and a threatening message appears on every screen, announcing that the company’s data has been encrypted and will only be released once a ransom payment has been made. Panic sets in as people scramble to understand the scale of the attack. Teams can’t access critical files, customer information is at risk, and executives realize they’re at the mercy of an anonymous attacker.

In these moments, companies face a difficult choice: negotiate with the attackers or refuse and risk even greater losses. In these scenarios, ransomware negotiations are particularly challenging because of the information asymmetry. Attackers know far more about the breach, the data they’ve compromised, and system vulnerabilities than the defenders do. With so little information, traditional negotiation tactics often fall short in high-stakes situations.

This paper explores how Algorithmic Game Theory (AGT) can help organizations negotiate with ransomware attackers by simulating various negotiation scenarios, setting boundaries like maximum ransom offers, and even using stalling tactics to buy time for system defenses. But AGT isn’t without challenges—it requires high-quality data, computational resources, and skilled human oversight. There are three approaches for implementing AGT modeling that account for these challenges: Organizations with the financial and computational capacity can develop AGT modeling in-house. Other organizations that lack the resources or find in-house solutions to be inefficient may outsource the modeling to specialized third-party providers with expertise in artificial intelligence and game theory modeling. A final approach might involve shifting the burden of implementation to a legal panel with specialized expertise.

Beyond addressing the immediate need to negotiate with ransomware attackers during a breach, AGT models offer additional benefits by enhancing incident response procedures, decision-making, and disaster recovery plans before a breach even occurs. AGT model outputs can also strengthen leverage with cyber insurance providers. While challenges such as high resource demands, data quality, and human oversight remain, AGT models have the potential to change ransomware negotiations for the better.

A. Defining Ransomware

Ransomware is a “form of malware designed to encrypt files on a device, rendering any files and the systems that rely on them unusable.”[1] Essentially, it’s a digital hostage situation where vital data or systems are held for ransom. Ransomware attackers often demand that a ransom be paid in exchange for the release of the data. To make their attacks more credible, bad actors target and threaten to “sell or leak exfiltrated data or authentication information if the ransom is not paid.”[2] The most common ways bad actors infiltrate victims’ devices are through phishing, malicious websites, and downloads.

Over the last few years, the frequency of ransomware attacks has risen significantly. Between 2023 and 2024 alone, there were 4,893 ransomware attacks.[3] Within that same period, survey reports conducted by Sophos, a global leader in innovative security solutions, found that ransom payments have increased by 500% in the last year.[4] Organizations that reported paying the ransom paid $2 million, up from $400,000 in 2023.[5]

Moreover, these attacks often occur in rapid succession. According to a study conducted by Cybereason, 58% of the surveyed organizations reported that they suffered more than one ransomware attack.[6] During the second attack, around 63% of organizations reported that the attackers demanded even more ransom, likely because the attackers perceived the organization to be vulnerable and capable of paying higher amounts.[7]

Ransomware attacks have also intensified in nature and scope. Out of the fifteen most active ransomware groups in 2024, nine were newcomers.[8] Not only are there more active ransomware groups, but they are becoming more aggressive and destructive. Bad actors often engage in “lateral movement to target critical data and propagate ransomware across entire networks.”[9] It has also become more commonplace for bad actors to delete system backups, which makes it difficult for disrupted organizations to restore their systems. To make matters worse, once an organization becomes a victim of a ransomware attack, it will likely be a victim of a second attack.

Thus, in recent years, organizations have faced a precarious situation as ransomware attacks have increased significantly in frequency, scope, and intensity, making it more likely for victims to quickly concede to attackers and pay the demanded ransom in full.

B. Impact of Ransomware Attacks on Organizations

The impact of ransomware attacks on organizations extends far beyond the payment of ransom. Ransomware attacks can bring operations to a halt, cause reputational damage, and even cause organizational setbacks. When an organization falls victim to a ransomware attack, business operations can be halted for weeks, resulting in substantial revenue loss. Even when operations are restored, returning to normal daily operations might take even more time. Some of these consequences are due to the likely outcome that compromised data will not be recovered. As the 2024 Ransomware Trends Report from Veeam Software puts it, organizations can expect that only 57% of data will be recovered in the event of a ransomware attack.[10]

In addition to halting operations, ransomware attacks can cause significant reputational damage. Businesses and organizations invest significant resources into building their reputation to ensure their customers see them in a good light. All this work goes up in smoke in a matter of seconds when an organization suffers a ransomware attack. Losing sensitive customer data, for example, can reflect poorly on an organization’s ability to manage its internal affairs or its trustworthiness. Moreover, ransomware attacks not only affect customers, but they might also change how other companies perceive the organization. Ransomware attacks might make it difficult for prospective partners to trust in a company’s ability to implement strict security and privacy practices.

The Target ransomware attack is a prime example of the material and reputational costs of ransomware attacks on organizations. In September 2013, bad actors were able to infiltrate Target’s network through an email-based phishing scam that tricked an employee of a third-party contractor, which they then leveraged to successfully deploy malware on 40,000 of Target’s 60,000 point-of-sale systems.[11] The breach compromised Target’s customers’ personal data and credit card details to the tune of “40 million credit card numbers and 70 million addresses, phone numbers, and other pieces of personal information.”[12] In 2015, Target announced that the breach cost the company $162 million in costs associated with the ransomware attack. About $18.5 million was paid to settle a multi-state lawsuit (the largest multistate data breach settlement at the time), $10 million to settle a federal class-action lawsuit, $39 million was paid to a separate class-action lawsuit brought by several U.S. banks, and finally, $67 million was paid to Visa.[13] Target also felt heavy costs on the stock market. The day Target announced the ransomware attack, its share price fell 2.2%.

In addition, Target experienced reputation damage from the breach, such as losing customer confidence and distrust in senior leadership. Putting numbers to this—Target’s profits dropped by 46% in 2013.[14] Moreover, Target’s delayed response to the attack led to the resignation of both CEO Gregg Steinhafel and Beth Jacobs, the company’s Chief Information Officer.[15]

The devastating impact of ransomware attacks on organizations, as made evident by the Target breach, highlights the multifaceted risks organizations face—from operational disruptions and financial losses to long-lasting reputational damage. These consequences make it clear that ransomware attacks cannot be treated as purely technical or financial issues, resolved solely through enhanced security measures or immediate ransom payments. The stakes are too high. Given the costs and far-reaching effects of these incidents, ransomware negotiations emerge as a critical strategy for organizations seeking to minimize damage and financial loss and to navigate the aftermath of such attacks effectively. Understanding and executing effective negotiation tactics can mean the difference between manageable setbacks and organizational failure.

III. Key Players in Ransomware Negotiations

A. Ransomware Negotiators

Specialized ransomware negotiators lead negotiations between the organization and the ransomware attackers. Acting as intermediaries between victims and the attacker, ransomware negotiators rely on expertise in crisis management, communication strategies, and understanding the attackers’ demands and negotiating terms. Their goal is to gather intelligence from the attackers and use existing data on the attackers to help make informed decisions in the negotiation process.

Negotiations typically begin with ransomware negotiators assuming a carefully crafted persona, often posing as an employee or representative of the victim organization. This persona is used to establish communications through encrypted channels specified by the attacker.[16] During these exchanges, skilled negotiators employ strategic questioning and psychological tactics to elicit information from the attackers. In some cases, attackers “inadvertently reveal information that helps security teams understand the scope of the breach or the type of data that was accessed.”[17]

Moreover, understanding the behavior of ransomware attackers is critical to managing threats and predicting negotiation outcomes. By analyzing past data on specific ransomware groups, organizations can gain valuable insight into their negotiation patterns, including the amounts of ransom they typically demand and the upper and lower limits of the settlements the attackers are willing to accept. For example, incident response firm GuidePoint tracked around 70 ransomware groups, mostly from Eastern Europe. This historical data might also help negotiators and organizations evaluate whether attackers are likely to follow through on their threats or simply exploit the situation further.

An organization’s historical data can also serve as a powerful tool for evaluating and managing ransomware threats. On a technical level, organizations can detect security vulnerabilities that attackers might exploit by analyzing past incidents. This can help them speed up and improve the effectiveness of their response. Additionally, historical data can help estimate how long it would take to recover valuable data and the financial impact of operational disruptions and prolonged downtime. Financial and accounting records play an equally important role by enabling organizations to assess when they might be most vulnerable to an attack. For example, during the holiday season, when organizations experience a surge in sales, an interruption caused by an attack could result in significant financial losses. These insights can also help organizations set clear boundaries during negotiations by establishing upper limits of what the organization is willing or capable of paying in ransom. By leveraging internal data on security systems as well as financial and accounting data, organizations can not only prepare more effectively for potential attacks but can also make informed decisions about ransom payments that balance financial, operational, and strategic priorities.

However, the ransomware negotiation landscape has deteriorated significantly in recent years. According to Alejandro Rivas-Vásquez, global head of digital forensics and incident response at NCC Group, global efforts to limit ransom payments and increase cyber incident reporting have weakened the negotiating power of organizations under attack.[18] This shift, coupled with the evolving strategies employed by attackers, has made the negotiation process more complex and precarious. Additionally, trust in negotiations has eroded as ransomware groups increasingly fail to honor agreements, such as deleting stolen data even after the ransom is paid.[19] These challenges underscore the need for ransomware negotiators to adapt to the rapidly evolving ransomware space.

B. The Lawyer’s Role in Ransomware Negotiations

Lawyers also play a critical role in ransomware negotiations. When an attack hits an organization, the legal team assesses the legal implications of engaging with the attackers, weighing both the immediate and long-term regulatory implications of their decisions.[20] They also collaborate with law enforcement agencies, regulatory bodies, and cyber insurance providers to ensure the organization’s response aligns with legal requirements and mitigates potential risks.

Among the regulatory hurdles that lawyers have to deal with are the U.S. Department of the Treasury’s Office of Foreign Assets Control (OFAC) advisory and Anti-Money Laundering (AML) laws. OFAC’s “Updated Advisory” is directed not only towards “organizations victimized by ransomware attacks, but also financial institutions, cyber insurance firms, and forensic and incident response firms that assist organizations victimized by ransomware attacks.”[21] The Updated Advisory states the U.S. government’s opposition to ransomware victims making payments to cyber threat actors and emphasizes OFAC’s commitment to bringing enforcement actions against those in connection with such payments.

However, the OFAC advisory encourages victims to take “proactive steps” to implement strong cybersecurity practices before and after a ransomware attack. Firstly, it encourages organizations to implement strong cybersecurity practices as preventative measures and to promptly report ransomware attacks to law enforcement or other relevant agencies. In the event of a ransomware payment made to a sanctioned individual or entity, OFAC will consider an organization’s “self-initiated, timely, and complete report of a ransomware attack to law enforcement” and “[f]ull and timely cooperation with law enforcement” as significant mitigating factors when determining the “appropriate enforcement outcome.”[22]

In addition to OFAC guidance, lawyers must also keep Anti-Money Laundering (AML) laws in mind when an organization considers making ransom payments. AML regulations “penalize the involvement in money laundering activities, including penalties of up to $500,000, civil penalties up to the transaction value, and imprisonment.”[23] Given the anonymity of ransomware attackers, organizations might find themselves inadvertently making payments in violation of AML laws.

Lawyers must also be aware of data breach obligations. These obligations refer to regulatory requirements that organizations must fulfill when they experience a data breach, particularly when sensitive, personal, or confidential information is compromised. These obligations vary by jurisdiction and industry. For example, Michigan’s data breach notification law “requires any entity which owns or licenses personal information of Michigan residents to notify affected individuals of unauthorized acquisition of their unencrypted and unredacted personal information.”[24] Furthermore, “notice must be made without unreasonable delay unless the breached entity determines the security breach will not cause substantial loss or injury to, or result in identity theft with respect to, one or more Michigan residents.”[25]

Under certain circumstances, lawyers may need to notify the authorities of personal data breaches. Article 33 of the GDPR requires that:

“In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority competent in accordance with Article 55, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.” [26]

In the United States, CISA (Cybersecurity and Infrastructure Security Agency) requires that every ransomware incident be reported to the U.S. government.[27] CISA implores victims of ransomware attacks to report their incidents to the FBI, CISA, or the U.S. Secret Service. Although not always legally required, it is common practice for organizations to maintain detailed records of data breaches, even those that do not trigger notification requirements. Keeping such records can demonstrate compliance with applicable laws and regulations and provide critical documentation if requested by regulators during investigations or audits. Lawyers often play a key role in overseeing this process, ensuring that the records are thorough, accurate, and consistent with the organization’s legal obligations during a breach.

In summary, lawyers play a pivotal role in guiding organizations through the complex legal and regulatory landscape of ransomware attacks and the eventual ransomware negotiations, often walking a tightrope to balance competing demands. They must weigh the immediate and long-term implications of engaging with the attackers while navigating the OFAC advisory, AML regulations, and data breach notification requirements. Lawyers act as intermediaries between the organization and law enforcement agencies, regulatory bodies, and cyber insurers to ensure that the organization’s actions are legally compliant.

IV. Using Game Theory in Ransomware Negotiations

One approach to negotiations is to employ cybersecurity game theory strategies. Game theory is the study of strategic decision-making, where each party’s choice depends on what they think the other will do. Think of it like a high-stakes chess match, where each side tries to anticipate the other’s moves to gain an advantage.

Under the current approach to ransomware negotiations, both negotiators and lawyers play critical roles in developing and applying game theory models to map out potential outcomes, simulating the possible moves and countermoves of both the attackers and the organization. This strategic modeling allows negotiators to identify the most effective negotiation tactics, whether that involves offering a specific counterproposal, deploying stalling strategies, or determining when to walk away from the table. Meanwhile, lawyers provide essential guidance on the legal implications of each potential outcome, ensuring that the decisions negotiators take align with regulatory standards and the broader organizational interests.

By applying game theory to ransomware attacks, with only a few values, one can create a decision tree that helps map out what decisions might be taken to minimize the impact on the victim based on the available options to an attacker. For example, consider these values: (1) The attacker demands $100,000 in ransom, (2) system downtime costs if the attacker releases the data: $50,000, (3) system downtime costs if the attacker does not release the data: $100,000.

Game Theory Decision Tree: (figure not reproduced in this text)

The decision tree above demonstrates the strategic choices available to an organization during a ransomware attack. The tree breaks down the potential outcomes based on the organization’s decision either to pay or to refuse to pay the ransom. In the first scenario, the organization pays the $100,000 ransom and the attacker fulfills their promise and releases the data, allowing the organization to recover critical data and resume operations. Even though the organization pays out $100,000 in ransom, it saves $50,000 in system costs when the attacker releases the data. So, the organization will only incur the $50,000 loss for the downtime caused by the attack.

In the second scenario, the organization pays $100,000 in ransom, but the attacker does not release the data. This outcome represents the worst-case scenario because the organization not only loses the ransom payment, but it must also deal with the financial and operational fallout of prolonged downtime and/or permanent data loss. Therefore, the net loss from this outcome is at least $200,000.

In the third scenario, the organization refuses to give in to the attacker’s demand and refuses to pay the ransom. Surprisingly, the attacker decides to release the data for one reason or another. Although the organization does not pay the ransom, saving $100,000, it still faces potential downtime costs of $50,000. Here, the net loss is $50,000.

In the fourth scenario, the organization does not pay the ransom, and in response, the attacker withholds or destroys the data. While there is no immediate financial loss from paying the ransom, organizations are likely to incur significant costs due to immediate operational downtime and the cost of rebuilding systems because of the attackers’ decision not to release the data. In this scenario the organization incurs a cost of at least $100,000. This outcome often leads to the greatest overall loss, as the organization suffers both operational and reputational setbacks—many of which are difficult to quantify—without achieving an immediate resolution.
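The four branches above, tallied as ransom paid plus downtime cost and extended with the probability that the attacker actually releases the data (the unknown that information asymmetry hides), as an added example that is not part of the original paper. The release probabilities and the alternative $20,000 demand used at the end are constructed for illustration; only the three dollar figures come from the page.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed inputs (USD), taken from the page's worked decision tree.
RANSOM = 100_000              # the attacker's demand
DOWNTIME_RELEASED = 50_000    # downtime cost if the attacker releases the data
DOWNTIME_WITHHELD = 100_000   # downtime cost if the data is withheld or destroyed


@dataclass(frozen=True)
class Outcome:
    """One leaf of the tree: the organisation's move, the attacker's move, the quantified loss."""
    pay: bool
    released: bool
    loss: int


def branch_loss(pay: bool, released: bool,
                ransom: int = RANSOM,
                d_released: int = DOWNTIME_RELEASED,
                d_withheld: int = DOWNTIME_WITHHELD) -> int:
    """Quantified loss on one branch: ransom paid (if any) plus the downtime cost that follows
    from the attacker's move. Reputational and other hard-to-quantify costs are left out, as in
    the page's tree."""
    return (ransom if pay else 0) + (d_released if released else d_withheld)


def decision_tree(**costs) -> List[Outcome]:
    """Enumerate the four leaves in the page's order: pay/released, pay/withheld,
    refuse/released, refuse/withheld."""
    return [Outcome(pay, released, branch_loss(pay, released, **costs))
            for pay in (True, False) for released in (True, False)]


def expected_loss(pay: bool, p_release: float, **costs) -> float:
    """Expected loss of a decision, given the probability that the attacker releases the data
    after that decision. These probabilities are exactly what the victim cannot observe."""
    return (p_release * branch_loss(pay, True, **costs)
            + (1.0 - p_release) * branch_loss(pay, False, **costs))


def paying_is_cheaper(p_release_if_paid: float, p_release_if_refused: float, **costs) -> bool:
    """True when paying has the lower expected quantified loss."""
    return (expected_loss(True, p_release_if_paid, **costs)
            < expected_loss(False, p_release_if_refused, **costs))


def breakeven_release_probability(p_release_if_refused: float,
                                  ransom: int = RANSOM,
                                  d_released: int = DOWNTIME_RELEASED,
                                  d_withheld: int = DOWNTIME_WITHHELD) -> Optional[float]:
    """Smallest probability p that the attacker honours a payment at which paying is no worse
    than refusing, or None if no p in [0, 1] achieves that.

    With R = ransom, dr/dw = downtime if released/withheld and q = p_release_if_refused:
        E[pay]    = R + dw - p * (dw - dr)
        E[refuse] =     dw - q * (dw - dr)
    so E[pay] <= E[refuse] exactly when p >= q + R / (dw - dr).
    """
    saving = d_withheld - d_released
    if saving <= 0:
        # Release does not reduce downtime, so paying can never lower the quantified loss.
        return None
    p = p_release_if_refused + ransom / saving
    return p if 0.0 <= p <= 1.0 else None


def main() -> None:
    print("Decision tree leaves (page values):")
    for leaf in decision_tree():
        org = "pay   " if leaf.pay else "refuse"
        att = "released" if leaf.released else "withheld"
        print(f"  {org} / {att}: loss ${leaf.loss:,}")
    # With the page's values the ransom equals the whole worst-case downtime, so no
    # probability of the attacker keeping its word makes paying the cheaper branch.
    print("break-even p (page values):", breakeven_release_probability(0.0))
    # A demand that is small relative to the downtime gap changes the picture (constructed).
    print("break-even p (ransom $20,000, q=0.1):",
          breakeven_release_probability(0.1, ransom=20_000))


if __name__ == "__main__":
    main()
```

Under the page's figures the demand equals the whole worst-case downtime, so the tree alone never makes paying the cheaper branch; the hard-to-quantify reputational costs the text mentions are what a richer AGT model must supply before the tree can say otherwise.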

A. Limitations of the Traditional Game Theory Model

While the decision tree provides a structured framework to analyze the potential outcomes of a ransomware attack, its practical application is constrained by several limitations, particularly the challenge posed by information asymmetry and the extensive data required to create accurate predictive models. Ultimately, the goal of these models is to reduce uncertainty and provide negotiators and the victim organization with a clearer understanding of the potential risks and rewards associated with different strategies.

However, the effectiveness of game theory decision trees is undermined by their inability to include a number of key variables. One of the biggest variables is the information asymmetry between the attackers and the victims. Attackers often meticulously study their targets from afar, looking for vulnerabilities that the defenders are not aware of. So, when the attackers breach an organization’s system, the attackers know far more about the breach, the data they have compromised, and system vulnerabilities than the defenders. In contrast, the victim organization is left scrambling to assess the full extent of the damage, often with incomplete or unreliable information.

Unfortunately, this asymmetry is also compounded by several factors that place victims at an even greater disadvantage. First, ransomware attackers operate remotely and anonymously, making it nearly impossible to trace or attribute their actions to a certain group. This allows attackers to act without fear of legal or ethical repercussions, while defenders must operate within strict legal, regulatory, and ethical frameworks. Second, attackers often act in small, agile teams, giving them the flexibility to adapt quickly during negotiations, altering their demands or strategies in real time while the victims are left playing catch-up. These factors heighten the complexity of ransomware negotiations by making it more difficult for victims to make strategic decisions while facing organized and unpredictable adversaries.

Another significant issue is the limited quality and relevance of data on past ransomware attacks due to the rapidly evolving landscape. Whereas in the past the ransomware space was dominated by a few big players, the space has evolved to include new entities. In 2024 alone, Secureworks, a cybersecurity company, observed a 30% increase in active ransomware groups and identified 31 new groups that had entered the ransomware ecosystem.[28]

In addition to the threat posed by new entrants, ransomware groups often evolve rapidly, employing new technologies and tactics. New technology is often relied on to launch more sophisticated attacks while also lowering the costs of doing so. Aside from new tactics enabled through new technology, new tactics emerge as the ransomware ecosystem becomes more sophisticated. For example, Ransomware-as-a-Service (RaaS) has significantly transformed the ransomware landscape. This business model “allows experienced developers to sell ransomware tools to less-skilled affiliates, who carry out the attacks.”[29] In this arrangement, affiliates keep up to 80% of the ransom, while the rest goes to the developers.[30] Triple extortion tactics are another example, where the attackers encrypt and steal sensitive data but also target third parties, like customers or business affiliates, to increase the pressure on the victim to meet the ransom demands.[31]

Another major challenge is that even if reliable data is available, it might not always be helpful to an organization. Differences in the size of the organization, financial resources, and the timing of the attack can all influence the dynamics of a ransomware negotiation. For example, a small business with limited financial reserves might approach a negotiation very differently from a multinational corporation with extensive data backups and cyber insurance. Additionally, the value of data can significantly vary from one organization to another. These differences between organizations mean that the historical data might not always be helpful to an organization facing a ransomware attack.

To put it succinctly, the limitations of basic game theory models in ransomware negotiations are the result of several critical factors. The information asymmetry between attackers and defenders, the rapidly evolving ransomware landscape driven by new technologies and tactics, and the inherent differences between organizations—such as size, financial resources, and industry—mean that historical data on ransomware actors is not always useful. These challenges are compounded by the complexity of accounting for each organization’s unique needs and circumstances. Each ransomware negotiation is almost a one-of-a-kind scenario tailored to the specific vulnerabilities, resources, and priorities of the targeted organization. This individuality means that each negotiation process requires unique models that are far beyond the capabilities of the basic game theory decision tree above. These models must be capable of incorporating all the unique data relevant to the targeted organization as well as general data reflecting general changes in the threat landscape.

V. AI For Data Analytics

Since the launch of OpenAI’s ChatGPT, much of the discussion surrounding artificial intelligence (AI) has centered on generative AI — its potential, its shortcomings and its ability to revolutionize the future of work. While generative AI is undeniably fascinating and will likely play a significant role in shaping our future, it has caused many to overlook the ways AI has already been integrated into our daily lives. Companies like Spotify and Netflix have been using AI to predict their users’ preferences for many years. For instance, Spotify has been using AI models to analyze vast amounts of behavioral data — such as what users listen to, how long they listen, the playlists they create, and even the time of day they stream — to predict what songs or podcasts they might enjoy listening to next.[32] Netflix similarly uses AI to analyze large amounts of data, including viewing habits, ratings, searches, and time spent on the platform, to help its recommendation engine curate personalized content recommendations for Netflix users.[33]

What we learn from Spotify and Netflix’s use of AI is that AI already excels at handling complex data to provide tailored, real-world solutions. So, why not take these lessons and apply them to areas with vast, complex datasets that are difficult to navigate — such as ransomware negotiations? By leveraging AI’s ability to process and interpret large amounts of data, we can uncover patterns in the data, predict outcomes, and develop more effective strategies in high-stakes situations like ransomware negotiations.

Another approach that helps conceptualize the limitations of AI is to think about AI as a means of production, like any other machine. Machines may do a good job of increasing the efficiency of production, “but their costs are part of the finished product, just as the costs of the raw materials are.”[34] By that same token, AI, just like other robotics, works in the production process but does not create new value on its own. Only human labor can create value, with AI serving only as a tool of efficiency in the process.

Imagine a towering crane sitting in the middle of a construction site. The crane is a tool that makes what would be impossible for human strength alone seem almost effortless. However, the crane is little more than an idle machine, incapable of creating value on its own. It can lift materials but requires human expertise to direct the crane’s power toward a productive outcome. Similarly, AI can process vast amounts of data and perform difficult computational tasks, but it still must rely on human oversight to determine its purpose, interpret its results, and ensure the outcomes align with the organization’s goals. Like the crane operator on a construction site, human decision-making remains critical in guiding and maximizing the utility of AI, especially in high-stakes scenarios like ransomware negotiations.

VI. Algorithmic Game Theory Models

Algorithmic Game Theory (AGT) builds on the principles of traditional game theory by incorporating computational tools and algorithms to address more complex and dynamic strategic interactions. While basic game theory focuses on the theoretical analysis of decision-making between rational players, often using static models with limited variables, AGT is designed to handle complex, dynamic, and data-intensive strategic scenarios as they exist in the real world.

First, AGT excels in an environment where strategies and information are evolving in real-time. It allows its users to update the models as soon as new data becomes available, making it particularly effective in scenarios like ransomware negotiations, where the attacker’s behaviors and demands might shift during the process.

Secondly, AGT allows for models that are capable of processing and analyzing vast amounts of data, including many variables and players. This makes it more suitable than traditional game theory for modeling complex systems like ransomware negotiations. AGT also makes it possible to integrate historical data, such as the attack patterns of various ransomware groups.

More importantly, AGT opens the door to creating negotiation strategies tailored to the unique circumstances of each organization. Unlike traditional game theory, which is limited to creating simplified decision trees that account only for a few variables, AGT can incorporate more nuanced variables. These might include organization size, the number of employees, annual revenue, and revenue and volume of sales during peak seasons, such as the holiday season, when disruptions can cause outsized losses. Furthermore, AGT can be used to create a model that includes the costs of operational downtime, the relative value of datasets integral to daily operations, the costs of replacing backup data, and finally, the upper and lower limits of what the organization is willing to pay in ransom. By integrating data that represent these more nuanced variables, AGT allows organizations to create a more robust framework that reflects the organization’s unique vulnerabilities, priorities, and constraints, making it an invaluable tool for ransomware negotiations.
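To make the variables listed above concrete, here is an added worked example in Python; it is not code from the paper and not an existing AGT product. It sketches the smallest decision model an AGT pipeline would wrap and re-run as a negotiation unfolds: the expected cost of paying versus the expected cost of restoring from backups, from which a reservation price (the most the organization should rationally pay, capped by its board-approved ceiling) follows. Every profile field, probability, and dollar value is a constructed assumption; the attacker probabilities stand in for the historical attack-pattern data the section mentions and would in practice be estimated from an organization’s own records and incident data.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class OrgProfile:
    """Organization-specific inputs named in the section. All values are constructed."""
    downtime_cost_per_day: float    # revenue and operating loss per day of outage
    restore_days: float             # days to rebuild from backups with no decryptor
    decrypt_days: float             # days to recover if a working decryptor is delivered
    backup_coverage: float          # share of critical data recoverable from backups, 0..1
    critical_data_value: float      # value of the datasets integral to daily operations
    backup_replacement_cost: float  # cost of re-creating data the backups do not cover
    leak_cost: float                # regulatory and reputational cost if stolen data is published
    ransom_floor: float             # below this the attacker is assumed to walk away
    ransom_ceiling: float           # board-approved upper limit on any payment


@dataclass(frozen=True)
class AttackerProfile:
    """Historical behaviour of a ransomware group; rates are constructed, not real statistics."""
    p_decryptor_works: float  # share of past payments that produced a working decryptor
    p_leak_if_unpaid: float   # share of unpaid victims whose data was later published
    p_leak_if_paid: float     # share of paying victims whose data was published anyway


def unrecoverable_data_cost(org: OrgProfile) -> float:
    """Cost of the critical data that backups cannot bring back."""
    return (1.0 - org.backup_coverage) * (org.critical_data_value + org.backup_replacement_cost)


def expected_cost_restore(org: OrgProfile, atk: AttackerProfile) -> float:
    """Expected cost of refusing to pay and recovering from backups."""
    downtime = org.downtime_cost_per_day * org.restore_days
    return downtime + unrecoverable_data_cost(org) + atk.p_leak_if_unpaid * org.leak_cost


def expected_cost_pay(org: OrgProfile, atk: AttackerProfile, ransom: float) -> float:
    """Expected cost of paying `ransom`, weighting the decryptor-works and decryptor-fails branches."""
    leak = atk.p_leak_if_paid * org.leak_cost
    if_works = ransom + org.downtime_cost_per_day * org.decrypt_days + leak
    if_fails = ransom + org.downtime_cost_per_day * org.restore_days + unrecoverable_data_cost(org) + leak
    p = atk.p_decryptor_works
    return p * if_works + (1.0 - p) * if_fails


def reservation_price(org: OrgProfile, atk: AttackerProfile) -> float:
    """Highest ransom at which paying is no worse than restoring, capped by the board ceiling.

    expected_cost_pay is linear in the ransom (ransom + constant), so the break-even
    ransom is expected_cost_restore minus that constant, i.e. minus expected_cost_pay at 0.
    """
    break_even = expected_cost_restore(org, atk) - expected_cost_pay(org, atk, 0.0)
    return max(0.0, min(break_even, org.ransom_ceiling))


def recommend(org: OrgProfile, atk: AttackerProfile, demand: float) -> str:
    """Classify the current demand against the model's reservation price."""
    limit = reservation_price(org, atk)
    if limit < org.ransom_floor:
        return "restore"        # no amount the attacker would accept beats restoring
    if demand <= limit:
        return "within_limit"   # demand already below what the model tolerates
    return "negotiate"          # counter toward `limit`; re-run as new data arrives


# Constructed sample inputs (hypothetical organization and group, not real data).
SAMPLE_ORG = OrgProfile(
    downtime_cost_per_day=80_000, restore_days=14, decrypt_days=3,
    backup_coverage=0.9, critical_data_value=2_000_000, backup_replacement_cost=200_000,
    leak_cost=500_000, ransom_floor=100_000, ransom_ceiling=900_000,
)
SAMPLE_ATTACKER = AttackerProfile(p_decryptor_works=0.8, p_leak_if_unpaid=0.7, p_leak_if_paid=0.3)
# Mid-negotiation update: new intelligence that this group's decryptors fail more often.
SAMPLE_ATTACKER_DEGRADED = replace(SAMPLE_ATTACKER, p_decryptor_works=0.5)
# The same organization after improving backup coverage and restore time.
SAMPLE_ORG_HARDENED = replace(SAMPLE_ORG, backup_coverage=1.0, restore_days=1)


if __name__ == "__main__":
    for label, org, atk in [
        ("baseline", SAMPLE_ORG, SAMPLE_ATTACKER),
        ("decryptor intel", SAMPLE_ORG, SAMPLE_ATTACKER_DEGRADED),
        ("hardened backups", SAMPLE_ORG_HARDENED, SAMPLE_ATTACKER),
    ]:
        print(f"{label:18} reservation={reservation_price(org, atk):>12,.0f} "
              f"-> {recommend(org, atk, demand=1_200_000)}")
```

The `recommend` output is a starting point for the negotiator, not a decision: the sanctions screening and notification obligations discussed earlier in the paper sit outside the model. Re-running the model with the degraded attacker profile shows the real-time updating the section describes (the reservation price drops once the group’s decryptors are known to be less reliable), and the hardened-backup scenario shows how an organization’s own risk reduction lowers what it should ever pay, which is also the kind of evidence the paper later brings to cyber-insurance negotiations.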

VII. Strategies for Implementing AGT Modeling

Some organizations, particularly large corporations with significant financial and technological resources, may be able to build the infrastructure required to run AGT models in-house. Implementing these systems is exorbitantly expensive because it requires hiring skilled data scientists and creating robust data pipelines. It also requires acquiring computational power capable of processing large datasets and running the complex simulations needed for AGT to generate reliable models. However, the advantage of developing these resources internally is that the organization maintains greater control over the modeling process and over the sensitive organizational data required to produce those models. Ultimately, the considerable costs associated with this approach mean that only a limited number of financially capable organizations with considerable technological resources at hand will be able to adopt it.

For organizations without the resources to implement the tools required to develop AGT models in-house, outsourcing to third-party providers offers a practical alternative. While organizations specializing in AGT models for ransomware negotiations may not exist yet, we can imagine what such a firm would look like. These firms would likely be multidisciplinary, serving as analytics providers that leverage expertise in artificial intelligence, algorithmic modeling, game theory, and data science to create predictive models for a wide range of industries. Moreover, these firms would be able to rely on their own powerful computational infrastructure to process large datasets and simulate strategic scenarios, helping their clients make key decisions during ransomware negotiations.

A. Role of the Lawyer after AGT Modeling is Implemented

The role of lawyers in ransomware negotiations will evolve significantly with the use of AGT models. While lawyers will continue to play a vital role in ensuring compliance with regulatory frameworks, their responsibilities will expand to include overseeing and implementing organizational policies based on AGT outputs. Lawyers will likely need to act as strategic coordinators, ensuring that organizations are fully prepared to respond effectively to ransomware attacks. This role would involve conducting tabletop exercises similar to fire drills that simulate ransomware scenarios and test the organization’s ability to execute strategies developed through AGT models. These exercises will help refine internal security procedures and ensure that everyone understands their roles during a ransomware negotiation.

Additionally, lawyers will play a critical role in preparing the data and models developed through AGT for ransomware negotiators. By ensuring that the relevant organizational and historical data mentioned above is as accurate as possible and well-organized, lawyers can help ransomware negotiators start from a position of strength. This preparation can also help streamline decision-making, reducing delays and inefficiencies that come up when multiple stakeholders are involved.

B. In-House Led Tabletop Exercises

AGT model outputs also provide an opportunity to conduct tabletop exercises. A ransomware tabletop exercise is an interactive scenario or simulation designed to prepare an organization for a ransomware attack by testing its incident response procedures, decision-making, and disaster recovery plans.[35] This type of training typically involves assembling key decision-makers, such as members of the legal team, IT, cybersecurity experts, and executive leadership, to walk through a hypothetical ransomware attack. With AGT outputs guiding the simulation, an organization can leverage data that reflects its specific vulnerabilities and operational risks.

The results of an AGT model might highlight specific ransomware attack scenarios that are particularly costly to the organization, prompting the organization to conduct targeted practice sessions to strengthen its incident response or to test newly implemented technical measures. For instance, a simulation might model scenarios informed by AGT models, such as an employee opening a phishing email that triggers a ransomware infection or an attack during a peak sales season.

While tabletop exercises may be invaluable for preparing organizations for ransomware attacks, they need to be reinforced by workshops and group training sessions to ensure that they are utilized to their full potential. For example, participants might be required to attend workshops that focus on technical understanding of ransomware attacks, regulatory compliance requirements, or how to communicate effectively during an attack. Moreover, following a tabletop exercise, workshops or group sessions may be necessary if the results suggest that some aspects of the organization’s incident response or disaster recovery plans require revision. Cybersecurity experts, using AGT outputs, may use workshops to address performance gaps or weak spots that were exposed during the simulation. The organization, with the advice of cybersecurity experts, may then make changes to its incident response plan, such as assigning new roles or tasks to key stakeholders.

However, having key personnel organize and attend tabletop exercises and the following workshops requires substantial resources, including time and funding. This makes it challenging for organizations with limited funding to implement these exercises. Even organizations with the financial capacity to conduct tabletop exercises may struggle to justify the time spent on these activities, as it can divert attention from regular workflows with more immediate and tangible incentives. The fact that these activities are built on hypothetical scenarios can make it difficult for organizations to balance the long-term benefits of preparedness with the short-term demands of day-to-day operations.

C. The Advantages of Legal Panels in Implementing AGT Modeling

While workshops and training programs can help equip an organization’s legal department with the skills needed to understand and oversee AGT modeling, not all organizations may find this approach practical or effective. Engaging with CLE programs or workshops designed to educate lawyers on emerging technologies can be challenging. Lawyers often have demanding schedules, making it difficult to prioritize additional training, especially when the relevance of the subject matter to their daily practice is not immediately clear. Furthermore, some organizations may be resistant to investing time and resources into such programs if they believe that the threat of a ransomware attack is too remote, or simply that the programs are too disconnected from day-to-day operations.

An alternative approach would be assigning AGT modeling management to a legal panel. A legal panel can be described as a structural arrangement in which an organization’s in-house counsel engages with a small group of external lawyers or law firms selected by the legal department to provide specialized services. Legal panels provide flexibility by allowing organizations to leverage external expertise without committing to long-term, full-time hires or CLE programs.

The process of selecting a panel includes evaluating the firms or lawyers based on criteria such as expertise, cost efficiency, and industry experience. Creating a legal panel alleviates the added stress on legal departments of managing several law firms. Some of the most important benefits are cost savings, increased efficiency, and strengthened law firm relationships, along with consistency and flexible fee arrangements (for example, volume discounts or fixed fees for standard work).[36] Legal panels are particularly beneficial to organizations that require access to diverse legal expertise across multiple practice areas.

In creating a legal panel that has the expertise required to deal with ransomware, legal departments need to ensure that a few seats on the panel are held by specialists in cybersecurity and data privacy. This legal panel would serve as a centralized team responsible for overseeing the integration of AGT model outputs into an organization’s strategy and operations. It would be the legal panel, rather than the organization’s legal department, that coordinates with data scientists, IT specialists, cybersecurity experts, and negotiators to ensure that the data used in the AGT model is accurate. There might also be an opportunity for panelists to consult advisers who can provide financial and business advice before acting upon and relying on the AGT model outputs.

The legal panel would also ensure that the AGT modeling activities comply with regulatory frameworks and data privacy laws, and that the sensitive information used for modeling is handled with ethical considerations in mind. Panel members would also be active participants in guiding the development and refinement of AGT models, ensuring that they reflect the organization’s unique vulnerabilities, financial constraints, and operational priorities. In addition, the panel would be tasked with using the AGT model insights to draft organizational policies and guidelines for responding to ransomware attacks. For example, the legal panel can outline emergency roles for key organizational stakeholders and create key strategies for engaging cyber insurers or regulators.

The legal panel would also take on the responsibility of conducting tabletop exercises, relieving the organization’s legal department of this critical task. This eliminates the need for extensive internal training and group workshops that, as previously discussed, might not be as effective or well-received. Instead, the panel can ensure that the tabletop exercises are conducted efficiently and with the necessary expertise, rather than half-heartedly by legal department employees or other staff members of the organization who might not have the time, knowledge, or enthusiasm to approach the exercises effectively.

Once the panel has conducted tabletop exercises using AGT model outputs, it can present its findings to the organization and recommend best practices or structural changes needed to enhance preparedness. These recommendations might include identifying key personnel and assigning them streamlined, clearly defined tasks to execute during a ransomware attack. For instance, members of the organization’s IT team might be tasked with specific procedures for initiating backups, restoring critical infrastructure, or maintaining a record of the intrusion. Similarly, communications team members might be directed to provide clear and consistent updates to customers, stakeholders, and regulators. Maintaining transparent communication is also crucial for mitigating the reputational damage that can follow a ransomware attack. By assigning these roles ahead of time, the legal panel can alleviate stress and minimize confusion during an attack.

A legal panel offers an alternative approach to the management of AGT modeling. This approach might be particularly attractive to organizations that find training programs and group workshops costly, time-consuming, and generally ineffective. By centralizing these efforts in a legal panel, organizations can alleviate the burden on in-house legal teams and ensure that AGT models are developed and implemented efficiently while maintaining compliance with regulatory standards. Once AGT models have been developed, the panel can work to ensure that stakeholders are adequately prepared by directing tabletop exercises that create streamlined responsibilities for key organizational members. This approach not only reduces the strain on internal resources but also ensures a more coordinated response during a ransomware attack.

Furthermore, by delegating oversight of the AGT modeling to the legal panel, organizations can enter ransomware negotiations with a clearer understanding of their vulnerabilities, priorities, and limits. Moreover, the panel can represent the organization with confidence, equipping ransomware negotiators with well-defined, data-driven strategies that enhance both the speed and precision of their decision-making.

D. Improving Negotiating Power with Cyber-Insurance Providers

The organizational effort required to compile important data, together with the outputs of AGT models, which provide data-driven insights into an organization’s risk profile and preparedness, can significantly shift the dynamics with cyber insurance companies. Traditionally, cyber insurance companies wield significant leverage in setting premiums because they can rely on extensive historical data to assess risk and calculate rates. In contrast, organizations have often lacked similar insights into their own vulnerabilities, making it difficult to challenge high premium rates or negotiate better terms. However, by leveraging AGT models, organizations can kill two birds with one stone. On the one hand, AGT model outputs can help organizations enter ransomware negotiations confidently, as extensively discussed in this paper. On the other hand, the data compiled to feed the AGT models, as well as the model outputs themselves, can strengthen an organization’s leverage over cyber insurance providers when purchasing coverage by demonstrating readiness.

Consider the following hypothetical scenario in which an organization negotiates its cyber insurance premiums using AGT model outputs. The cyber insurance company initially proposes a premium of $150,000 annually, citing the organization’s size, industry risk, and the increasing threat of ransomware. However, the organization, having recently run AGT models, challenges this rate. For example, the organization demonstrates that its downtime costs are significantly lower than industry averages after implementing strategies that cut recovery times by 30%. Additionally, the AGT models indicate that the probability of total data loss is under 10% after implementing robust backup systems and network segmentation. Armed with this information, the organization might be able to persuade the cyber insurance company to lower its premiums. This example highlights the potential of AGT models to alter the dynamics of cyber insurance negotiations and enable organizations to achieve more equitable rates.

VIII. Conclusion

As ransomware attacks grow more frequent and sophisticated, organizations need to improve not only their defenses but also their negotiation skills. AGT can offer a transformative framework for addressing the various challenges organizations face during a ransomware attack. By compiling and integrating organization-specific data and analyzing nuanced organizational variables, such as operational downtime costs, data value, and financial constraints, AGT enables organizations to create adaptive, targeted strategies for ransomware negotiations.

In doing so, AGT improves on traditional game theory approaches to ransomware negotiations, which fail to address information asymmetry, rapidly evolving attacker tactics, and the unique needs of individual organizations. AGT not only addresses these gaps but also facilitates more effective decision-making by producing outputs that allow organizations to refine their responses. Through tabletop exercises informed by AGT outputs, organizations can test and refine their incident response plans, ensuring that all stakeholders are prepared to execute their roles during a ransomware attack.

The role of lawyers and legal panels is also reimagined in the context of AGT implementation. Lawyers move beyond regulatory compliance to become strategic coordinators, overseeing AGT modeling, conducting tabletop exercises, and ensuring organizational preparedness. Meanwhile, legal panels offer a scalable solution for managing AGT models, especially for organizations without the resources to develop these systems in-house.

But the game theory models we use to outmaneuver attackers in these high-stakes situations have applications far beyond ransomware. Imagine using the same strategic framework in M&A negotiations, where anticipating the other party’s moves can be just as crucial, or in a law firm deciding which cases to take on based on predicted outcomes. In the end, the scenarios change, but the principles remain the same—AI-driven game theory helps us transform complexity into clarity, no matter the context.


[1] CISA. Ransomware 101. https://www.cisa.gov/stopransomware/ransomware-101.

[2] Id.

[3] SOPHOS. Ransomware payments Increase 500% In the Last Year, Finds Sophos State of Ransomware Report. https://www.sophos.com/en-us/press/press-releases/2024/04/ransomware-payments-increase-500-last-year-finds-sophos-state.

[4] Id.

[5] Id.

[6] Alder, Steve. Majority of Ransomware Victims That Pay a Ransom Suffer a Second Attack. https://www.hipaajournal.com/majority-of-ransomware-victims-that-pay-a-ransom-suffer-a-second-attack/#:~:text=Only%2047%25%20of%20organizations%20that,publication%20of%20the%20stolen%20data.

[7] Id.

[8] Security Staff. “There was an 81% year-over-year increase in ransomware attacks.” https://www.securitymagazine.com/articles/100618-there-was-an-81-year-over-year-increase-in-ransomware-attacks

[9] CISA. Ransomware 101. https://www.cisa.gov/stopransomware/ransomware-101.

[10] Ramel, David. Only Half of Ransomware-Compromised Data Will Be Recovered, According to Survey Report. https://thejournal.com/Articles/2024/06/11/Only-Half-of-Ransomware-Compromised-Data-Will-Be-Recovered-According-to-Survey-Report.aspx.

[11] Framework Security. The Target Breach: A Historic Cyberattack with Lasting Consequences. https://www.frameworksec.com/post/the-target-breach-a-historic-cyberattack-with-lasting-consequences.

[12] Riley, Michael, and Elgin, Be. Missed Alarms and 40 Million Stolen Credit Card Numbers: How Target Blew It. https://www.bloomberg.com/news/articles/2014-03-13/target-missed-warnings-in-epic-hack-of-credit-card-data

[13] Target Cyber Attack: A Columbia University Case Study. https://www.sipa.columbia.edu/sites/default/files/2022-11/Target%20Final.pdf

[14] Young, Kelli. Cyber Case Study: Target Data Breach. https://coverlink.com/cyber-liability-insurance/target-data-breach/

[15] Columbia SIPA. Target: Data Breach Analysis and Implications. Accessed [Nov. 12, 2024]. https://www.sipa.columbia.edu/sites/default/files/2022-11/Target%20Final.pdf.

[16] Leyden, John. The Ransomware negotiation playbook adds new chapters. https://www.csoonline.com/article/3568817/the-ransomware-negotiation-playbook-adds-new-chapters.html.

[17] Id.

[18] CSO Online. “The Ransomware Negotiation Playbook Adds New Chapters.” CSO Online, Accessed [Dec. 1, 2024]. https://www.csoonline.com/article/3568817/the-ransomware-negotiation-playbook-adds-new-chapters.html.

[19] CSO Online. “The Ransomware Negotiation Playbook Adds New Chapters.” CSO Online, Accessed [Dec. 1, 2024]. https://thejournal.com/Articles/2024/06/11/Only-Half-of-Ransomware-Compromised-Data-Will-Be-Recovered-According-to-Survey-Report.aspx.

[20] Leyden, John. The Ransomware negotiation playbook adds new chapters. https://www.csoonline.com/article/3568817/the-ransomware-negotiation-playbook-adds-new-chapters.html.

[21] Fein, Ashden, and Flanaga, Peter. OFAC Issues Updated Guidance on Ransomware Payments. https://www.insideprivacy.com/cybersecurity-2/ofac-issues-updated-guidance-on-ransomware-payments/.

[22] Pleasco, Ronald and Shelhorse, Stacy. When a threat actor strikes: Legal considerations and challenges in a ransomware attack. https://www.dlapiper.com/en-us/insights/publications/2020/12/understanding-ransomware-stratagems.

[23] DLA Piper. “Understanding Ransomware Stratagems.” DLA Piper Insights, December 2020. Accessed [Dec. 5, 2024]. https://www.dlapiper.com/en-us/insights/publications/2020/12/understanding-ransomware-stratagems.

[24] ItGovernanceUSA. “Data Breach Notification Laws by State.” https://www.itgovernanceusa.com/data-breach-notification-laws#MI.

[25] Id.

[26] General Data Protection Regulation (GDPR), Article 33. (n.d.). Retrieved from https://gdpr-info.eu/art-33-gdpr/.

[27] https://www.cisa.gov/stopransomware/report-ransomware

[28] Maundril, Beth. “31 New Ransomware Groups Join the Ecosystem in 12 Months.” https://www.infosecurity-magazine.com/news/new-ransomware-groups-emerge-2024/

[29] “Ransomware in 2024: Latest Trends, Mounting Threats, and the Government Response.” https://www.trmlabs.com/post/ransomware-in-2024-latest-trends-mounting-threats-and-the-government-response#:~:text=Ransomware%20attackers%20have%20also%20begun,unless%20the%20ransom%20is%20paid.

[30] Id.

[31] Id.

[32] Kaput, Mike. How Spotify Uses AI (And What You Can Learn from It). https://www.marketingaiinstitute.com/blog/spotify-artificial-intelligence

[33] Netflix and Learn: How Netflix Uses AI to Personalize Recommendations. https://litslink.com/blog/all-about-netflix-artificial-intelligence-the-truth-behind-personalized-content#:~:text=Netflix’s%20AI%20recommendation%20engine%20analyzes,content%20recommendations%20for%20each%20viewer.

[34] Marx and the Robots. Networked Production, AI and Human Labour. https://www.counterfire.org/article/marx-and-the-robots-networked-production-ai-and-human-labour-book-review/.

[35] Ransomware.org. “Ransomware Tabletop Exercises: How to Prevent Ransomware.” Ransomware.org. Accessed [Dec. 5, 2024]. https://ransomware.org/how-to-prevent-ransomware/passive-defense/tabletop-excercises/.

[36] Thomson Reuters. “Legal Panels: Overview.” Practical Law. Accessed [Dec. 5, 2024]. https://uk.practicallaw.thomsonreuters.com/w-012-9222?transitionType=Default&contextData=(sc.Default)&firstPage=true.
