[BreachExchange] Exploring the psychology of ransomware

[Destry Winant]

https://betanews.com/2017/07/26/psychology-of-ransomware/

In recent months we've seen high profile ransomware attacks target
many businesses, and we've seen cyber criminals making greater efforts
to target their victims.

A new study from endpoint protection company SentinelOne and De
Montfort University has been looking at how social engineering tactics
are used by cyber criminals to manipulate and elicit payments from
victims.

"We noticed that there's a wide range of techniques used in the splash
screens that we see and we thought it would be interesting to
understand the things that went into them, the icons and so on," says
Tony Rowan chief security consultant of SentinelOne. "Rather than just
guessing we thought that the thing to do was to get someone who knows
what they're doing on the psychology front, so we turned to the De
Montfort team."

The study looks at the 'splash screens' displayed when a machine is
locked by ransomware, and finds varying levels of sophistication among
attacks, but it does identify some common trends. These include making
payments time critical, stressing consequences such as deleting files,
taking a customer service approach, and using official looking
imagery.

"There are structural similarities in the patterns of what attackers
are using to elicit payment," says Dr Lee Hadlington PhD, senior
lecturer in cyberpsychology at De Montfort University. "These are
fairly standard but there are tweaks and individual elements that
stand out as unusual and different. Whether consciously or not they
are using aspects of social engineering by using things such as
scarcity, aspects of influence and authority."

In over half the samples (57 percent), a 'ticking clock' device -- in
which a specific amount of time is given to pay a ransom -- was used
to create a sense of urgency and to persuade the victim to pay
quickly. Deadlines given ranged from 10 hours to more than 96 hours.

The most likely consequence given for not paying the demand or missing
the deadline was that files would be deleted and the victim wouldn't
be able to access them. In other screens, threats were made to publish
the locked files online.

51 percent of splash screens included some aspect of customer service,
such as instructions on how to buy Bitcoins or presenting frequently
asked questions. One example offers victims the chance to 'speak to a
member of the team'. "There are attempts to emulate what works in
business with things like FAQs, 'contact the team' or 'refer to this
website'," adds Dr Hadlington. "We saw one example that listed links
to FBI stories -- which may have been spoofed -- advising people to
pay the ransom to get their files back."

The research also looks the use of a variety of imagery, including
official trademarks or emblems, such as the crest of the FBI, which
instil the notion of authority and credibility to the request. One of
the most prominent pop cultural images used is 'Jigsaw' -- a character
from the Saw horror movie series. "Imagery is being used in two ways,"
says Dr Hadlington. "The first is the menacing aspect like the Jigsaw
character and the V for Vendetta mask. The other imagery we see is the
official badges, the FBI and government shields, in order to give an
air of authority. There are also the badge and lock type icons that
you see on things like antivirus software and cyber security
products."

Bitcoin is the preferred mechanism for payment, 75 percent of
ransomware splash screens asked for payment in BTC. Over half the
sample (55 percent) contained the ransom demand in the initial splash
screen. The average amount asked for by attackers was 0.47 BTC ($1,164
USD). "The more organized attackers seem to have more reasonable
pricing," says Dr Hadlington. "They tend to go for lower amounts as
they're trying to get a wider spread of people to pay up. The more
disorganized and badly presented ones just say, 'we want 300
Bitcoins'. A lot of these splash screens will actually give you
information on how to buy Bitcoins, we've even seen one with a video
tutorial."