[BreachExchange] Why you are probably thinking about ransomware the wrong way…
audrey at riskbasedsecurity.com
Tue May 22 18:59:20 EDT 2018
Ransomware is now nothing new, but it’s profitable, and hackers are still
widely deploying it. Mitigating ransomware is actually fairly
straightforward. If you have backups, if your network is segmented, really
all you have to do is wipe the infected computers, and reimage them from
clean backups. If you’re prepared, the recovery can take place relatively
quickly. However, although ransomware recovery is relatively
straightforward for well-prepared organizations, successful attacks still
cause disruption and stress. The best solution is to avoid ransomware
attacks in the first place, and to do this organizations need to stop
focusing on technology and start looking to where the real key to the
problem resides. It comes down to human psychology.
Here are four things you need to know about ransomware if we’re ever going
to stop it.
The real target of ransomware might not be what you think…
If you think your IT systems are the target of ransomware, you’re not
alone. But you’re also not correct. Your IT systems are just the delivery
mechanism. The real target is your employees.
Ransoms rely on psychological manipulation that IT systems aren’t
susceptible to. The systems are the prisoner being held for money.
The psychology of ransomware is complex, and the two main types — locker
and crypto — use different tactics and are successful within different
populations of people (more on this later).
It’s not just a case of getting your workforce to abide by security rules
and keep their eyes open for dodgy ransom notes (this just helps prevent
the data and system from becoming prisoners).
You must recognize employees’ unique psychological susceptibilities and
design work practices that prevent individuals within your workforce from
becoming attractive targets.
Who is more likely to fall for ransomware?
As highlighted above, ransomware uses complex psychological tactics to get
its targets to pay. The two main types of ransomware play off different
Crypto finds and encrypts valuable data and typically asks for a fee to
unencrypt the files, often creating a time pressure for paying. Crypto
plays on the ‘endowment effect’ in the victim, taking advantage of the
value people place in what they own versus what they don’t.
It also makes use of the Ellsberg Paradox by making it look like there is a
certain, and positive, outcome if the target complies with the ransom
demand (e.g., they get their data back), as opposed to an uncertain, and
potentially negative, outcome if they don’t (e.g., their boss will be mad
and they may or may not lose their job).
By contrast, locker ransomware typically locks a system, preventing the
target from using it, and imposes a fine for release. It often works by
deception, with the perpetrator posing as an authority figure who has
supposedly identified a misdemeanour and uses the dishonesty principle,
the conviction that anything you have done wrong will be used against you,
to get you to comply with their wishes.
The effects of both these tactics are greatly amplified if the target is
physically isolated from their colleagues and their organizational support
network, or even if they perceive themselves to be.
When you look at the victims of ransomware, they’re often remote workers or
people who associate themselves primarily with their profession rather than
their employer (e.g., doctors, nurses, policemen, and so on).
If you’re in an open-plan office and a ransomware screen pops up, you’re
likely to point it out to your colleagues before acting yourself. However,
if you are in your home office or feel only loosely affiliated with your
employer, you’re more likely to take matters into your own hands.
The risk of ransomware can be reduced by fostering a corporate culture that
reduces the feelings of real or perceived isolation.
How to short-circuit the entire value prop behind ransomware
If you’re hit with ransomware, your data and IT systems are the ransom
prisoners, held hostage until the perpetrators receive payment. But there’s
a crucial difference between your data and the traditional prisoner in a
ransom scheme, like a person or an object of monetary value.
Data, unlike a person, is easily copied or cloned. When you think about it
logically, hackers shouldn’t be able to hold data for ransom by withholding
access to it. If you always have a clean copy (or the ability to create a
copy), there’s no point in paying a ransom to have the original released.
Likewise, it’s now the norm to access our data through multiple devices,
which means that locking one access route has limited impact.
While the only option for goods and people is to deploy security measures
to protect them, data and IT systems can be protected by duplication. It’s
not only cheaper, but also more practical.
The perpetrators could of course threaten to publicise sensitive data they
hold to ransom, but this is technically ‘extortionware’ rather than
How companies avoid becoming ransomware victims
Ransomware attacks aren’t over when your systems get infected and locked
down. When you launch your response and recovery, the attack is almost
always still taking place, and you might have to shift strategies on the
As any military commander will tell you, ‘plans rarely survive first
contact with the enemy’. This means that if you only have a single response
plan, without the means to deviate from it, your opponent will quickly
learn what it is and overcome it. In short, you will become a victim.
Obviously, it’s essential to have a solid backup strategy and business
continuity and disaster recovery arrangements in place. But your response
won’t succeed unless you also have the crisis leadership skills and
knowledge to adapt your response in real time. You must lead your
organization through the complex, uncertain, and unstable environment
that’s created by a large-scale ransomware attack.
How do you stop ransomware?
There’s no single solution to the ransomware problem. However,
organizations that are most successful at managing the associated risks
have taken advantage of features that data and IT systems offer to back up
and protect their data, while recognizing that much can be done to
safeguard their people from becoming targets.
By understanding the psychology behind ransomware and how it affects your
employees, you can sidestep the risk of ransomware and avoid becoming the