Ransomware crooks have become skilled psychological manipulators in their attempts to fleece victims of file-encrypting malware.
Analysis of the psychology behind ransomware "splash screens", the initial warning screens of ransomware attacks, commissioned by SentinelOne, reveals how social engineering tactics are used by cyber criminals to manipulate and elicit payments from individuals.
The report, "Exploring the Psychological Mechanisms used in Ransomware Splash Screens" (pdf) by Dr. Lee Hadlington, senior lecturer of cyberpsychology at De Montfort University, Leicester, analyses the language, visuals and payment types from 76 splash screens. The investigation highlighted how key social engineering techniques – fear, authority, scarcity (or urgency) and humour – are exploited by cyber criminals as part and parcel of ransomware attacks. Differing levels of sophistication are in play from different attackers.
From the analysis of the splash screen samples, common trends highlighted include:
- Time criticality: Over half the samples (57 per cent) featured a "ticking clock" device. The method is used to create a sense of urgency and to persuade the victim to pay quickly, with deadlines ranging from 10 hours to more than 96 hours.
- Consequences: The most likely consequence given for not paying the demand or missing the deadline was that files would be lost. Some screens featured threats made to "publish" the locked files on the internet.
- The Customer Service Approach: Just over half (51 per cent) of splash screens included some aspect of customer service, such as instructions on how to buy Bitcoins (BTC) or offering answers to frequently asked questions (FAQs). One example offers victims the chance to "speak to a member of the team".
- Imagery: Ransomware splash screens featured a variety of imagery, including official trademarks or emblems, such as the crest of the FBI, which lend the demand an air of authority and credibility. One of the most prominent pop-culture images used was "Jigsaw" – a character from the Saw horror movie series.
- Payment: Three in four (75 per cent) ransomware splash screens asked for payment in BTC. Over half the sample (55 per cent) contained the ransom demand in the initial splash screen. The average amount asked for by attackers was 0.47 BTC ($1,164 USD). Payment via MoneyPak or Western Union money transfers was also recorded during the study.
The Jigsaw character from the Saw film series is used in several ransomware splash screens [source: De Montfort University research paper via SentinelOne]
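The cues the study catalogues (ticking clock, threatened file loss or publication, authority emblems, "customer service" text and a BTC demand) are also what a defender can look for when a text file appears on a share. The following is an added example, not code from the study or the article: it scores a note against those cue families and extracts the deadline and amount; the pattern lists and both sample notes are constructed assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Cue patterns keyed to the levers the study identified: scarcity/urgency,
# fear (consequences), authority, the "customer service" approach and payment.
# These wordlists are assumptions for illustration, not the study's own.
CUES = {
    "scarcity": [r"\b\d+\s*hours?\b", r"\bdeadline\b", r"\bcountdown\b", r"\btimer\b"],
    "fear": [r"files? (will|would) be (lost|deleted|destroyed)", r"\bpublish", r"\bpermanently\b"],
    "authority": [r"\bFBI\b", r"\bpolice\b", r"\blaw enforcement\b", r"\bofficial notice\b"],
    "customer_service": [r"\bFAQ\b", r"how to (buy|purchase) bitcoin", r"\bsupport (team|chat)\b", r"speak to"],
    "payment": [r"\bBTC\b", r"\bbitcoins?\b", r"\bmoneypak\b", r"\bwestern union\b", r"\bwallet\b"],
}

@dataclass
class NoteAssessment:
    cues: dict = field(default_factory=dict)  # cue family -> matched snippets
    deadline_hours: Optional[int] = None
    btc_amount: Optional[float] = None

    @property
    def cue_count(self) -> int:
        return len(self.cues)

def assess_note(text: str) -> NoteAssessment:
    """Record which cue families appear, plus any deadline and BTC amount."""
    a = NoteAssessment()
    for cue, patterns in CUES.items():
        matched = [m.group(0) for p in patterns for m in re.finditer(p, text, re.I)]
        if matched:
            a.cues[cue] = matched
    m = re.search(r"\b(\d+)\s*hours?\b", text, re.I)
    if m:
        a.deadline_hours = int(m.group(1))
    m = re.search(r"\b(\d+(?:\.\d+)?)\s*(?:BTC|bitcoins?)\b", text, re.I)
    if m:
        a.btc_amount = float(m.group(1))
    return a

def is_probable_ransom_note(text: str, min_cues: int = 3) -> bool:
    """Flag a file when at least min_cues distinct cue families co-occur."""
    return assess_note(text).cue_count >= min_cues

# Constructed sample notes (not taken from the study's 76 splash screens).
RANSOM_NOTE = """ATTENTION! Your files have been encrypted.
You have 72 hours to pay 0.5 BTC to the wallet below or your files will be lost forever.
Read our FAQ for instructions on how to buy Bitcoins, or speak to a member of the team.
Refusal will result in your documents being published online."""
BENIGN_NOTE = "Reminder: the team meeting starts in 2 hours. Bring the support ticket summary."
```

A single cue such as "2 hours" in ordinary text does not trip the threshold; it is the co-occurrence of several cue families that the study's findings suggest is characteristic.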
Dr Hadlington concluded: “We know that psychology plays a significant part in cyber crime - what’s been most interesting from this study is uncovering the various ways that key social engineering techniques are used to intimidate or influence victims. With ransomware on the rise, it’s important that we improve our understanding of this aspect of the attack and how language, imagery and other aspects of the initial ransom demand are used to coerce victims.”
Chris Pogue, head of services at security vendor Nuix and a former US Army officer, said the risk versus potential reward was worth it for cybercriminals distributing ransomware partly because of the unlikelihood of law enforcement intervention. "There's also a lack of connection between what they do and the consequences of their crime," he added.
Pogue described ransomware as a "low skilled attack" that has been commoditised through the emergence of ransomware-as-a-service. "Ransomware is the attack du jour but the shadow economy is robust and criminals are always coming up with new ways to steal and monetise things," Pogue told El Reg. "Ransomware is one vector among hundreds." ®