Ransomware is surprisingly big business, and big businesses are ruthlessly efficient at getting what they want. Some criminal outfits have even reached a scale where they can employ surprisingly efficient customer service operatives to field user queries, just like legitimate businesses. But there’s more to getting payment than having assistance on tap, and a new study from De Montfort University has lifted the lid on the tricks that ransomware outfits use to ensure that their targets pay up on time.
In total, Dr Lee Hadlington, senior lecturer in cyberpsychology, examined 76 ransomware splash screens, taking note of the language used and the visuals employed. “We know that psychology plays a significant part in cybercrime,” he writes in the report. “What’s been most interesting from this study is uncovering the various ways that key social engineering techniques are used to intimidate or influence victims.
“With ransomware on the rise, it’s important that we improve our understanding of this aspect of the attack and how language, imagery and other aspects of the initial ransom demand are used to coerce victims.”
As you might expect, the most common motif was a sense of urgency. In all, 57% of the samples analysed included a ticking countdown clock, highlighting how little time the victim has to act to recover their files. This, of course, is almost always accompanied by a consequence of inaction – otherwise, it’s just a pointless egg timer. In the vast majority of cases, the consequence is that locked files are deleted, but in some instances, the cybercriminals threaten to release the files to the internet, which could be a worse outcome, depending on the nature of the content. Some increase the unlocking fee after the deadline, while others threaten to delete an additional file for every hour the ransom goes unpaid.
Imagery designed to intimidate is the order of the day with ransomware. Most commonly, this features official logos designed to scare the victim into complying: the FBI logo is a particularly common image. Weirdly, some of the samples prominently feature Jigsaw from the movie Saw, which is definitely a straight-to-DVD sequel if ever I saw one.
As you might expect, the vast majority of ransomware demands (75%) call for payment in bitcoin: it’s untraceable and secure. And the average demand? Just under half a bitcoin, which doesn’t sound like much, but actually translates to a whopping £998.85 at current rates. In the remaining 25% of instances, more traditional payment methods such as MoneyPak or Western Union transfers are accepted – presumably because the need to invest in bitcoin reduces the number of people prepared to pay up (39% of ransomware samples included step-by-step instructions on how to buy bitcoin).
In fact, a surprising number of ransomware suppliers (51%) include guidance for their victims, either in the form of FAQs or with live customer support. We’ve already seen how these operate, but it’s still surprising to see just how widespread this customer-friendly approach is in the world of cybercrime.
The official advice for victims of ransomware remains not to pay up: the more people pay, the harder ransomware is to wipe out once and for all. With that in mind, it’s unsurprising that ransomware vendors use every trick at their disposal to ensure that human nature takes over, and victims pay the ransom – even if common sense tells them to cut their losses and move on.