Ransomware and the wolves of Yellowstone

In 1995, wolves were reintroduced into Yellowstone National Park for the first time since their extinction in the 1920s. What happened next was unexpected. They triggered a trophic cascade through the whole ecosystem and ended up changing the course of rivers. Without wolves to predate them, the number of elk in Yellowstone had ballooned, and as a result the vegetation had been grazed back to almost nothing. Reintroducing wolves changed the behavior of the elk. They avoided danger zones in valleys and gorges, so vegetation in those places began to regenerate. Bare valley sides became thickets of cottonwood and aspen.

The wolves also became predators of the coyotes. The coyotes moved up the hillsides and suppressed the foxes. This increased the population of rabbits and mice, which attracted more weasels and badgers.

Also, wolves rarely consumed the whole elk carcass, often leaving two thirds behind. This became carrion for eagles, ravens, and bears.

The wolves also transformed the physical geography. The new aspen thickets on the riverbanks reduced soil erosion and attracted beavers, who built dams that created new pools and lakes. So, the reintroduction of a predator at the top of the food chain had unexpected ripple effects that changed not just the behavior of the prey, but also the whole underlying landscape. What lessons can we draw from this to apply to cyber risk?

Clearly prey change their behavior when a new predator arrives on the scene. The imperative to change is driven by the relative ratio of damage and reward. In the Yellowstone example, a wolf predating on an elk kills it and only eats a small part of the carcass.

The reward to the wolf is small but the damage to the elk is great.

Now, from an evolutionary standpoint, this asymmetry means that the pressure for the elk to change their behavior is much greater than the pressure on the wolf to change.

Now let’s look at a ransomware example. Typically, the ransom demand is a very small proportion of the overall cost of a ransomware incident. Most of the damage is caused by the interruption to the business and the incident response costs. So, we have a big asymmetry between the reward to the predator and the damage to the prey. This would imply, if we use predator-prey modeling, that the cycle is about to change in favor of the prey. There is little pressure for the predator to change behavior, because they are more than satisfied.

There is a huge amount of pressure for the prey to change behavior because of the massive damage being done. Behavior is changing. The recent hardening in the cyber insurance market has driven prospective clients to strengthen their cyber defenses. Cloud-based backup technologies are improving, and the failover market is forecast to grow at 45% annually.6 The landscape is also changing. Regulations banning the payment of ransoms are coming to the fore. Ransomware is triggering a trophic cascade through the cyber ecosystem.