[BreachExchange] Why everyone’s thinking about ransomware the wrong way

Destry Winant destry at riskbasedsecurity.com
Fri Aug 31 04:13:36 EDT 2018


http://www.itsecurityguru.org/2018/08/30/everyones-thinking-ransomware-wrong-way/

It’s become a fact of life that hackers might lock down your computer,
blocking access to your most valuable data, and vowing to free it only
if you pay up. Ransomware is nothing new, but it’s profitable, and
hackers are deploying it left and right.

Recovering from ransomware is, in principle, fairly straightforward. If
you have backups the attacker could not reach (offline or immutable
copies), and your network is segmented so the infection cannot spread
freely, you wipe the infected computers, reimage them, and restore the
data from backup. If you are prepared and the scope is a handful of
machines, that can take minutes per host; across a whole fleet it takes
far longer, and the restore must have been tested beforehand, because
attackers routinely look for reachable backups and destroy them before
triggering encryption.

But if it’s so easy to recover from ransomware, why is it still such a
problem? It comes down to human psychology. If we truly want to stop
ransomware in its tracks, it takes an understanding of the real
problems that this malware preys on.

Here are four things you need to know about ransomware if we’re ever
going to stop it:

The real target of ransomware (might not be what you think)

If you think your IT systems are the target of ransomware, you’re not
alone. But you’re also not correct.

Your IT systems are just the delivery mechanism. The real target is
your employees.

Ransoms rely on psychological manipulation that IT systems aren’t
susceptible to (AI isn’t there just yet). The systems are the prisoner
being held for money.

The psychology of ransomware is complex, and the two main types —
locker and crypto — use different tactics and are successful within
different populations of people (more on this later).

It’s not just a case of getting your workforce to abide by security
rules and keep their eyes open for dodgy ransom notes (this just helps
prevent the data and system from becoming prisoners).

You must recognize their unique psychological susceptibilities and
design work practices that prevent individuals within your workforce
from becoming attractive targets.

Who is more likely to fall for ransomware and how to stop them

As mentioned above, ransomware uses psychological tactics to get its
targets to pay. The two main types of ransomware play off different
psychological vulnerabilities.

Crypto ransomware finds and encrypts valuable data and typically
demands a fee to decrypt the files, usually with a deadline to create
time pressure. It plays on the "endowment effect" in the victim, taking
advantage of the extra value people place on what they own versus what
they don't.

It also makes use of the Ellsberg Paradox (our preference for a known
outcome over an ambiguous one) by making it look like there is a
certain, positive outcome if the target complies with the ransom demand
(they get their data back), as opposed to an uncertain, potentially
negative outcome if they don't (their boss will be angry and they may
or may not lose their job). The certainty is an illusion: paying does
not guarantee a working decryptor, or any decryptor at all.

By contrast, locker ransomware typically locks a system, preventing
the target from using it and imposes a fine for release. It often
works by deception, with the perpetrator posing as an authority figure
who has supposedly identified a misdemeanor and uses the dishonesty
principle — the conviction that anything you have done wrong will be
used against you — to get you to comply with their wishes.

The effects of both these tactics are greatly amplified if the target
is physically isolated from their colleagues and their organizational
support network, or even if they perceive themselves to be.

When you look at the victims of ransomware, they are often remote
workers or people who identify primarily with their profession rather
than their employer (doctors, nurses, police officers, and so on).

If you’re in an open-plan office and a ransomware screen pops up,
you’re likely to point it out to your colleagues before acting
yourself. However, if you are in your home office or feel only loosely
affiliated with your employer, you’re more likely to take matters into
your own hands.

The risk of ransomware can be reduced by fostering a corporate culture
that reduces the feelings of real or perceived isolation.

How to short-circuit the entire value prop behind ransomware

If you’re hit with ransomware, your data and IT systems are the ransom
prisoners, held hostage until the perpetrators receive payment. But
there’s a crucial difference between your data and the traditional
prisoner in a ransom scheme, like a person or an object of monetary
value.

Data, unlike a person, is easily copied or cloned. Logically, attackers
should not be able to hold data for ransom by withholding access to it:
if you always have a copy (or the ability to create one), and that copy
sits where the attacker cannot reach it and has been checked to be
intact, there is no reason to pay a ransom to have the original
released.

Likewise, it’s now the norm to access our data through multiple
devices, which means that locking one access route has limited impact.

While the only option for goods and people is to deploy security
measures to protect them, data and IT systems can be protected by
duplication. It’s not only cheaper, but also more practical.
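To make the "protection by duplication" point above concrete, and to
cover the earlier step of reimaging and restoring from backup, here is an
added example (not from the original article): a small Python script that
records a SHA-256 manifest of a backup set before any incident, then
checks a file tree against that manifest afterwards. It reports which
files are intact, modified, missing or new, and flags changed files whose
contents look encrypted (high Shannon entropy), which is the check you
want before trusting a copy as a restore source or deciding which hosts
need reimaging. The directory layout, file names and the simulated
"locked" files are constructed for the demo and are assumptions, not
data from the page.

```python
import hashlib
import math
import os
import tempfile
from collections import Counter
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backup files don't load into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file under root (relative POSIX path) to its SHA-256 digest.

    Taken at backup time and stored with the backup (ideally on the same
    offline/immutable medium), it proves later that the copy is unmodified.
    """
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; plaintext is typically < 6, ciphertext ~ 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def verify_against_manifest(root: Path, manifest: dict, entropy_threshold: float = 7.5) -> dict:
    """Compare the current tree with the manifest and flag ciphertext-like changes."""
    current = build_manifest(root)
    intact = sorted(p for p in manifest if current.get(p) == manifest[p])
    missing = sorted(p for p in manifest if p not in current)
    modified = sorted(p for p in manifest if p in current and current[p] != manifest[p])
    new = sorted(p for p in current if p not in manifest)
    suspicious = []
    for rel in modified + new:
        sample = (root / rel).read_bytes()[: 1 << 20]  # first 1 MiB is enough to judge
        if shannon_entropy(sample) >= entropy_threshold:
            suspicious.append(rel)
    return {
        "intact": intact,
        "modified": modified,
        "missing": missing,
        "new": new,
        "suspicious": suspicious,
    }


def demo() -> dict:
    """Constructed scenario: manifest taken before, tree checked after a mock incident."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "docs").mkdir()
        (root / "docs" / "report.txt").write_text("quarterly numbers\n" * 50)
        (root / "notes.txt").write_text("remember to rotate keys\n")
        manifest = build_manifest(root)  # the "before" copy of the truth

        # Simulated ransomware behaviour (assumed, for the demo only):
        # one file overwritten with ciphertext-like bytes, one renamed with a
        # ".locked" suffix, and a ransom note dropped in the root.
        (root / "docs" / "report.txt").write_bytes(os.urandom(4096))
        (root / "notes.txt").rename(root / "notes.txt.locked")
        (root / "README_DECRYPT.txt").write_text("pay up\n")

        return verify_against_manifest(root, manifest)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In practice the manifest is generated on the backup medium itself and
compared against the candidate restore source before anything is put
back on a reimaged host; a backup that fails this check is one the
attacker reached, and restoring from it only re-imports the problem.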

The perpetrators could of course threaten to publicise sensitive data
they have stolen, but that is technically "extortionware" rather than
"ransomware," and it is the one variant that backups do nothing to
mitigate: a copy of the data helps you recover it, not keep it private.

How companies avoid becoming ransomware victims

Ransomware attacks aren’t over when your systems get infected and
locked down. When you launch your response and recovery, the attack is
almost always still taking place, and you might have to shift
strategies on the fly.

As any military commander will tell you, “plans rarely survive first
contact with the enemy.” This means that if you only have a single
response plan, without the means to deviate from it, your opponent
will quickly learn what it is and overcome it. In short, you will
become a victim.

Obviously, it’s essential to have a solid backup strategy and business
continuity and disaster recovery arrangements in place. But your
response won’t succeed unless you also have the crisis leadership
skills and knowledge to adapt your response in real time. You must
lead your organization through the complex, uncertain, and unstable
environment that’s created by a large-scale ransomware attack.

How do you stop ransomware?

There’s no single solution to the ransomware problem. However,
organizations that are most successful at managing the associated
risks have taken advantage of features that data and IT systems offer
to back up and protect their data, while recognizing that much can be
done to safeguard their people from becoming targets.

By understanding the psychology behind ransomware and how it affects
your employees, you can cut the risk of ransomware substantially and
improve your odds of not becoming the next victim.
