More than any other form of cyber crime, ransomware is designed to prey upon human nature. As anyone who has been the victim of an attack will know, the ransom demand can evoke a range of emotions, from fear and anxiety to anger, embarrassment and even guilt. Motivated by the prospect of financial gain, cybercriminals are adept at using techniques to pressurise or manipulate individuals, and are adapting these in their efforts to extort larger payments from more victims.
These social engineering techniques play a key part in how organisations and individuals respond to an attack. However, whilst ransomware has been at the top of the public’s consciousness following recent high-profile attacks, the psychological mechanisms used in ransomware demands have been less well documented. To this end, SentinelOne recently commissioned research to better understand the tactics used by attackers, from analysis of the digital ransom notes. This revealed the differing levels of sophistication on the part of the attackers as well as some of the more unusual ways attackers are manipulating their victims. By shining a light on the psychology at play, we are better placed, as an industry, to defend against this increasingly destructive form of cyber crime.
Taking Data Hostage
Ransomware is designed with a very specific and straightforward purpose in mind. In taking data captive, by encrypting it and making it unusable, criminals can exert pressure on the victim to pay them a sum of money. For an individual who is desperate to regain access to their data and whose business is being held hostage, the hackers then hold the balance of power. For some organisations, which simply can’t continue to operate without the data being released, paying the ransom can seem like the only option. As such, earlier this year, the FBI warned that ransomware could become a billion-dollar industry and we’re seeing a worrying trend towards more targeted attacks on large companies with the aim of extorting greater sums of money.
For most victims of these attacks, the first indication that they’ve been targeted is the pop-up notice with the ransom demand. The language and imagery used in these ‘splash screens’ are all designed to provoke a response from the target, and they exhibit signs of the criminal’s mind games at work. Social engineering techniques are used to pile the pressure on the victim, such as:
The use of a specific time limit to create a sense of urgency. Time is not on the victim’s side when the first notification is received and the research found that a deadline appeared in more than half the ransomware samples. This creates a sense of urgency in the victim, and coerces them into making a decision quickly. This element of urgency is significant, as the decisions made in the first minutes following a ransomware warning can make all the difference between containing and managing the threat, and the attack spreading and causing even more widespread disruption.
There would often be a consequence for not making a payment, to force the victim to make a decision quickly. They could be threatened with their data being publicly disclosed or, in several cases, the ransom amount increased as time between the onset of the attack and payment elapsed. The attackers would also threaten to delete a file each hour after the payment deadline.
In some cases there were also indications of the attacker attempting to provide an element of ‘customer service’ - another ploy used to attempt to elicit prompt payment. They would provide ‘frequently asked questions’ or even offer instructions on how the victim could purchase bitcoins (BTC) to pay the ransom.
Fight or Flight
From this analysis, it’s evident that cyber criminals are exploiting particular traits in human nature to achieve their goals. However, victims should not feel powerless when faced with these demands; building awareness of these techniques can prevent individuals from being taken in by their claims and leads to more effective strategies for mitigating the impact of attacks.
Firstly, despite the pressure that is piled onto the victim, our advice is that entering into negotiations and making payments should be avoided. There are, of course, no guarantees that the cyber criminals will fulfil any promises to provide the decryption keys once payment is made. Moreover, if they are achieving their goal of extorting money from businesses with the means to pay, they will go on committing these crimes.
Reporting these crimes is also important: train staff on internal drills and reporting systems so that decisive action to isolate attacks can be taken quickly. On a wider level, we would encourage more organisations to report attacks to law enforcement authorities. Many victims of cyber crime are reluctant to report that their data has been encrypted and, as such, it’s difficult to create a clear picture of the scale of the problem and to know how and where to allocate resources to combat threats. From our own research, of organisations which had suffered a ransomware attack in the past 12 months, only 54% of respondents had reported the incidents to law enforcement.
Finally, with attacks on the rise, preparation, prevention and detection of threats should be high on the agenda. Implement patch updates, back up critical information and perform tests on restoring data regularly. Attacks are becoming more sophisticated and harder to detect through static, signature-based security tools. However, new approaches to ransomware detection, which use behaviour-based monitoring and sophisticated algorithms rather than static signatures, can mitigate and stop ransomware in its tracks.
Ransomware is a serious threat, and attackers will capitalise on the fear factor which it instils in even the most cyber-savvy organisation. It’s understandable that attacks will elicit a range of human emotions, given the hefty costs and associated disruption to business that an attack can leave in its wake. However, we shouldn’t react with our hearts over our heads: the response to detection and prevention calls for action which is well-planned, thoroughly tested and which doesn’t play into the hands of the attackers.
Tony Rowan, Chief Security Consultant, SentinelOne
Image Credit: Carlos Amarillo / Shutterstock