Party A steals something of value to Party B and demands a ransom for its return. But once the ransom has been paid, what is to stop Party A from coming back and demanding more?
One mechanism that purchases commitment is reputation. Party A has more ransoms to extract in the future and seeks to be seen as a fair player despite being an extortionist. An interesting example is provided by CryptoWall. This “company” sends an email with a devious attachment, a virus that encrypts your hard drive if you click on it. They demand a ransom in Bitcoin to send the decryption key. The price changes over time.
The fact that they do not take your data means that they cannot come back and demand another ransom for the same data if you pay.
Because the price changes, there can be errors: you pay a ransom of 500, but by that time the price has gone up to 550, so you do not get the decryption key. What to do? A good credit card company would waive a late fee to keep a good reputation, and so does CryptoWall. From the New York Times:
Use the CryptoWall message interface to tell the criminals exactly what happened. Be honest, in other words.
So she did. She explained that the virus had struck the same week that a major snowstorm hit Massachusetts and the Thanksgiving holiday shut down the banks. She told them about the unexpected Bitcoin shortfall and about dispatching her daughter to the Coin Cafe A.T.M. at the 11th hour. She swore she had really, really tried not to miss their deadline. And then a weird thing happened: Her decryption key arrived.
(HT: Alex Wearn)