Ransomware Payments Should Require a Sin Tax

A tax could largely mitigate the growing ransomware problem. The following is a proposal for a scheduled, gradual increase in the tax rate on ransom payments:

  1. The ransom demanded by an attacker is a function of the expected likelihood that the victim will pay that amount.

  2. If a tax is legally enforced, the market will adapt: “optimal” ransoms will decrease to account for tax rates. For instance, with a 100% tax, a victim paying a $1M ransom would be legally bound to match it with a $1M tax that accounts for negative externalities. An attacker who knows this could only reasonably expect to be paid by demanding half the amount.

  3. With each subsequent increase in tax rates, a market equilibrium will be reached, given sufficient time.

  4. As tax rates approach the limit of effectiveness (in terms of compliance and enforceability), the funding of ransomware is significantly reduced and attacks are much less widespread.

Why not favor an outright ban?

  • A ban can be viewed as immediately adopting an infinite (or very extreme) tax rate, whereas this argument focuses on the practical implications of a gradual rate increase. If immediately implementing a one-billion-percent tax rate seems unreasonable, then a ban is similarly unreasonable.

  • Consider those immediately impacted after the policy takes effect. A tax can be increased gradually as the market adapts to each tier, so as not to overly penalize those who are hit by ransomware right after its implementation; each time the market adapts, a cost equilibrium is reached for the victim. By starting with a low tax, attackers will adapt their demands to the correspondingly lower probability of payouts for higher amounts, while organizations would have time to adjust to the new norm. Raising the tax over time avoids imposing a special burden on the victims hit immediately after a new rate takes effect, and gives attackers time to absorb the new information and lower their optimal demands accordingly. At each tax rate increase, once equilibrium is reached, the victim’s cost is once again equalized, yet the attacker’s gain is further reduced.

  • Compliance: a tax, like a ban, accounts for the negative externalities. A ban would also reduce them, but because of its greater severity for victims, compliance would be poor and payments would be driven underground; a tax, by contrast, means that attackers always make demands they expect the victim to be able to pay at the current tax rate.

  • Case-by-case severity of the attack and costs incurred can be factored into the victim’s judgment on payment, whereas a ban immediately imposes maximum cost onto the victim.

  • Tax proceeds could be earmarked for a counter-ransomware agency, perhaps with a fraction further directed toward recovering the ransom payment.

The taxation approach does not aim to reduce the severity of any individual attack; it only reduces the expected frequency of attacks, because the attacker gains less. This follows from the attacker’s extortion-maximizing objective function, which accounts for known enforced taxes and compliance rates together with the attacker’s implicit (and unknown) probability distribution over the total cost a victim is willing to pay. While the tax does not benefit the victims hit immediately after its implementation (it likely harms them further through the additional tax burden), many would-be future victims benefit from lower ransomware funding and thus a significantly reduced number of attacks. At no stage is the magnitude of an attack lessened for its victim; the policy addresses only the frequency of attacks. If the tax were high enough, the viral coefficient of ransomware’s growth would fall below 1.0 as interest declines with diminishing payouts.
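The claims above (a 100% tax halves the optimal demand, the victim's all-in cost returns to its old level at each equilibrium while the attacker's take shrinks, and payouts drop sharply in the window before attackers adapt) can be checked against a toy version of the attacker's objective function. The following is an added illustration, not code from the original essay: it assumes a constructed sample of victims' willingness to pay (the hypothetical WILLINGNESS_TO_PAY list, in $k), models a victim as paying whenever ransom plus tax fits within that amount, and searches for the demand that maximizes the attacker's expected revenue. Because the optimum of d × P(W ≥ d(1+t)) always sits at a breakpoint of the distribution, the demand scales by exactly 1/(1+t) for any willingness-to-pay sample, which is the general form of the $1M / $500K example in point 2.

```python
from fractions import Fraction

# Constructed sample (not real data): each entry is the total cost, in $k, that one
# hypothetical victim is willing to bear to recover, i.e. ransom plus any tax on it.
WILLINGNESS_TO_PAY = [50, 80, 120, 200, 350, 500, 900, 1500]


def payout_rate(demand, tax_rate, wtp):
    """Share of victims who pay: those whose willingness to pay covers demand plus tax."""
    total_cost = Fraction(demand) * (1 + Fraction(tax_rate))
    return Fraction(sum(1 for w in wtp if w >= total_cost), len(wtp))


def expected_payout(demand, tax_rate, wtp):
    """Attacker's expected revenue per victim for a given demand at a given tax rate."""
    return Fraction(demand) * payout_rate(demand, tax_rate, wtp)


def optimal_demand(tax_rate, wtp):
    """Revenue-maximizing demand and the revenue it yields at a given tax rate.

    Expected revenue d * P(W >= d*(1+t)) rises with d until the next victim drops
    out, so the maximum lies where d*(1+t) equals some victim's willingness to pay.
    Those breakpoints are therefore the only candidates that need checking, and
    exact fractions keep the comparison w >= d*(1+t) free of rounding error.
    """
    t = Fraction(tax_rate)
    candidates = sorted({Fraction(w) / (1 + t) for w in wtp})
    best = max(candidates, key=lambda d: expected_payout(d, t, wtp))
    return best, expected_payout(best, t, wtp)


def equilibrium_schedule(tax_rates, wtp):
    """For each rate in a gradual schedule: the adapted demand, the attacker's
    revenue, the victim's all-in cost at that demand, and the payout rate."""
    rows = []
    for t in tax_rates:
        t = Fraction(t)
        d, revenue = optimal_demand(t, wtp)
        rows.append({"tax_rate": t, "demand": d, "attacker_revenue": revenue,
                     "victim_cost": d * (1 + t), "payout_rate": payout_rate(d, t, wtp)})
    return rows


def transient_payout_rate(old_tax_rate, new_tax_rate, wtp):
    """Payout rate right after a rate increase, before attackers re-optimise:
    demands are still tuned to the old rate, but victims already face the new one."""
    old_demand, _ = optimal_demand(old_tax_rate, wtp)
    return payout_rate(old_demand, new_tax_rate, wtp)


if __name__ == "__main__":
    schedule = [0, Fraction(1, 4), Fraction(1, 2), 1, 2]
    for row in equilibrium_schedule(schedule, WILLINGNESS_TO_PAY):
        print({k: float(v) for k, v in row.items()})
    print("payout rate just after 0% -> 100%:",
          float(transient_payout_rate(0, 1, WILLINGNESS_TO_PAY)))
```

With this sample the untaxed optimum is a $900K demand paid by a quarter of victims; at a 100% tax the adapted demand is $450K, the victim's all-in cost is still $900K, the same quarter pay, and the attacker's expected take has halved. In the transient between the rate change and the attackers' adaptation, the old $900K demand now costs $1.8M and nobody in the sample pays, which is the immediate drop in payout frequency the essay describes.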

Taxation immediately reduces the frequency of payouts, since it shifts the victim’s decision threshold by making payment (and thus the funding of future ransomware attacks) more expensive. Funding of and incentives for ransomware attacks therefore begin to drop almost the moment the policy is implemented. The status quo is effectively a 0% tax rate (in most countries).

Finally, it is worth considering a similar government-enforced tax on ransom payments in general (not just ransomware).