Psychology of Ransomware: How Extortionists Use Fear, Anger and Humor to Hold Your Data Hostage

Written by

Over the last year there has been an incredible explosion in ransomware attacks and the security community is getting ready for a very active 2018.

No doubt some percentage of the extortionist’s ill-gotten gains will be reinvested to make ransomware tools even better. It’s a bit cliché to say, but the best way to defend against a ransomware attack is to heed the advice of Sun Tzu, who said in his transcendent strategy book “The Art of War”: “If you know the enemy and know yourself, you need not fear the result of a hundred battles.”

Research conducted by De Montfort University has found that three of the key emotional triggers that a majority of attackers leverage are: scarcity, authority and liking.
As any good sales and marketing expert knows - people find objects or opportunities more attractive if they are rare, scarce or hard to obtain. Scarcity is often coupled with the pressure of urgency, usually in the form of a time-critical offer. This forces people to react quickly causing them to make fundamental errors in decision-making and is perhaps the most common connective tissue between ransomware attacks. Below is an example of this kind of tactic in the wild:

This splash screen displays a countdown timer and a promise to delete files every hour until the ransom is paid. The purpose is to cause the victim to panic so that they don’t consider all options and think through a proper response.

Additionally, by increasing urgency the attacker also enhances the probability of a quick payment because the fear of the loss of data outweighs the cost of paying the ransom.
By understanding when and why the attacker is using this tactic, we can better defend ourselves. The attacker obviously wants a quick payment, but a primary reason for speed is they know that skilled IT teams may be able to decrypt or recover data without paying a ransom. Additionally, companies that perform regular backups significantly mitigate the consequences of data loss.

If the victim thinks to contact IT support, check with their anti-malware vendor or simply remembers that they have regular backups saved - the victim is able to escape unscathed with their data.

Individuals are more willing to respond to requests or follow directions from someone they view as being in authority. It usually doesn’t matter if they actually hold authority or not – if we believe they do, we will follow their instructions.

Here we have a splash screen that uses three law enforcement badges to showcase authority. It also elevates the stakes for the victim and moves them from fear of deleted files to the fear of legal action and jail time. The threats and consequences become more personal and emotions run higher, causing the victim to make snap decisions.
Attackers want to increase the urgency and the stakes so that victims don’t think through the situation as normal. For example, the attacker here is asking for the fine to be paid in Bitcoin, which is certainly not something any government or law enforcement agency would request. By taking a step back and thinking through the situation, most people would be able to determine that this is not valid.
If people think that someone is out to help, or if they can make you like them, then you are more apt to comply with requests. This tactic comes to life in ransomware attacks in the form of FAQs or other “customer service” options for victims.

In this example, the attacker actually offers the victim a way to get in touch with “someone from the team” to help them navigate through the payment process. This is similar to the kind of customer service you would find when needing to pay a bill online or other common activities and causes the victim to see it as a legitimate request by the attacker. It also causes the victims to think that the attacker is actually helping them in finding a way to get their files back.
The lesson here is to be on alert regarding any request for payment. Unless you initiated the process, be skeptical and do not react without consulting your IT, security team or anti-malware provider.
At the end of the day, attackers use many different methods to play on our emotions in order to get what they want and the best defense of any type of ransomware attack is preparation. IT and security teams need to ensure everyone understands the company policies if an attack happens so that no one panics and acts independently.

What’s hot on Infosecurity Magazine?