The pyschology of ransomware demands – Why do we pay??

4 min read.

News Article
28 July 2017

SentinelOne is NETprotocol’s chosen partner for endpoint protection and has recently commissioned this ground-breaking research which examines ransomware ‘splash screens’ – the initial warning screens of ransomware attacks – and analyses why victims give in to ransom demands despite there being other options available.

The report “Exploring the Psychological Mechanisms used in Ransomware Splash Screens” carried out by senior lecturer of cyberpsychology at De Montfort University, Leicester, reveals the techniques used by cyber-attackers to maniuplate and elicit payment from individuals in the inital warning screen of a ransomware attack – known as the ‘splash screen’.

This report is the first of its kind and makes an interesting read, providing IT professionals and users with critical information analysing the language, visuals and payment types from 76 splash screens, to highlight how key social engineering techniques – fear, authority, scarcity (or urgency) and humour – are exploited by cyber criminals in ransomware attacks.

In the wake of a wave of serious ransomware attacks which have spread worldwide affecting public and private sector organisations, the report provides a sample of ransomware splash screens and explores their shared features and individual nuances, with the aim of helping victims make better and informed decisions, beating the cyber-criminals at their own game.

In particular common trends from the research which need to be highlighted include:

  • Time criticality: In over half the samples (57%), the ‘ticking clock’ device – in which a specific amount of time is given to pay a ransom – was used to create a sense of urgency and to persuade the victim to pay quickly. Deadlines given ranged from 10 hours to more than 96 hours.

  • Consequences: The most likely consequence given for not paying the demand or missing the deadline was that files would be deleted and the victim would not be able to access them. In other screens, threats were made to publish the locked files on the Internet.

  • The Customer Service Approach: 51% of splash screens included some aspect of customer service, such as instructions on how to buy Bitcoins (BTC) or presenting frequently asked questions (FAQs). One example offers victims the chance to ‘speak to a member of the team’.

  • Imagery: The research also examines the use of a variety of imagery, including official trademarks or emblems, such as the crest of the FBI, which instil the notion of authority and credibility to the request. One of the most prominent pop cultural images used was ‘Jigsaw’ – a character from the Saw horror movie series.

  • Payment: BTC was the preferred mechanism for payment; 75% of ransomware splash screens asked for payment in BTC. Over half the sample (55%) contained the ransom demand in the initial splash screen. The average amount asked for by attackers was 0.47 BTC ($1,164 USD).

“We know that psychology plays a significant part in cyber crime – what’s been most interesting from this study is uncovering the various ways that key social engineering techniques are used to intimidate or influence victims” said Dr Lee Hadlington PhD of Demontford University. “With ransomware on the rise, it’s important that we improve our understanding of this aspect of the attack and how language, imagery and other aspects of the initial ransom demand are used to coerce victims.”

“Although ransomware has leapt to the top of the public’s consciousness following recent attacks, what’s been less well documented is exactly how the criminals are manipulating their targets into paying up,” said Tony Rowan, chief security consultant at SentinelOne. “This report sheds light on the most common tactics used, with the aim that, through awareness, we are better placed to advise individuals and businesses how not to be duped by these criminals’ claims.”