Spillover Effect of Ransomware: Economic Analysis of Web Vulnerability Market

Jaehee Lee
Kyungho Lee

Keywords

Economics of Information Security, Vulnerability market, Ransomware as a service, Empirical analysis of vulnerability market

Abstract

The amount of ransomware reported has increased rapidly since 2013, the range of ransomware
victims is expanding beyond its traditional domain of PC users to include firms, hospitals and government
organizations, and the technologies used to create ransomware are becoming increasingly
sophisticated. This paper conducts a time series analysis on software vulnerability price data from
SCIP’s database VulDB and CVE data from NIST’s database NVD to find out whether the spread of ransomware
around 2013 triggered price changes in the software vulnerabilities used to create it. The
time frame for our analysis is from 2011 to 2016, and we pay special attention to the time periods before
and after 2013, the point of the ransomware surge. Our analysis reveals that the number of software
vulnerabilities related to ransomware spiked, and that the average price of these vulnerabilities fell,
during the period between 2013 and early 2014. At the time, several events took place
in the security industry that may have triggered these changes. First, there was the entry of gray market
brokers such as Zerodium and of ransomware developers that started to buy up vulnerabilities, as selling
ransomware on the black market was becoming part of the business portfolio of cyber-criminal organizations.
This could have contributed to the increase in vulnerabilities reported, which could also be
considered representative of the number of vulnerabilities traded. Such a suspected shift in demand
for vulnerabilities, as well as the spread of ransomware around 2013, could have encouraged hackers
and security researchers to engage in searching for vulnerabilities and developing their exploits
for sale. This would have raised the supply of vulnerability exploits, particularly those relevant to
ransomware, and imposed downward pressure on their prices. Overall, our paper offers empirical
evidence demonstrating that the set of market participants affecting the software vulnerability market is not
limited to software vendors and hackers but extends to cybercrime groups and researchers serving
their crimeware demands.