Studies reveal how psychology and social engineering help cyber criminals reel in their victims
Although the exploits associated with ransomware have been around for several years, recent high-profile attacks against businesses and national infrastructure have placed it firmly in the public e ye. The majority of this coverage has focused on the identification of the perpetrators, alongside speculation that state-sponsored agents may be involved. The focus for research in this area often relates to the underlying technical mechanisms that are used to infiltrate systems and deploy such attacks. However, one element that is often overlooked is the human aspect of such attacks in terms of pressure to pay the ransom and also the techniques used to elicit such.
My work presents a slightly different focus, and I am what is referred to as a cyberpsychologist. For many, this term appears to be made up and is often linked to science-fiction, such as Doctor Who and the Cybermen. However, I can assure the reader that the term is real, and refers to a psychologist who is interested in aspects of human behaviour that are mitigated or mediated by digital technology. To bring this into the current context, I am interested in how these attacks impact on the victim, and how the attacker crafts the ransomware splash screen to elicit a certain type of response from their target.
Irrespective of the technical mechanisms that are put into place to mitigate such attacks, the end-point is generally the same: the pink-organic interface (the human) sitting behind the computer screen. This individual, irrespective of if they are a home end-user or part of a wider organisation, has a set of predispositions that will govern their response to such attacks and their propensity to pay the ransom.
In recent work conducted alongside SentinelOne, I examined a sample of ransomware splash screens for their content, both in terms of the physical structure but also the language being used. What became apparent from this work is there are a wide variety of psychological techniques being employed by attackers, and the majority of these fall under the banner of persuasion and influence. For the most part, such techniques are often the calling card of the social engineer, and are used to elicit information from an individual without them necessarily being aware they are giving it away.
So for example, asking for a favour from someone might seem like a fairly innocuous occurrence that has no potential comeback. However, social norms (unwritten rules that govern our social interactions) mean that once we ask for a favour, we are trapped in a cycle of reciprocation; if the person we asked a favour of requests one in return, we are obligated to respond.
This is just one mechanism the social engineer may use to manipulate an environment in order to get the information they want, e.g. ‘I made you a cup of tea the other day, you couldn’t let me borrow your ID card or password for a while, could you?’ We don’t like to be the odd one out, or the one that is talked about in a bad light, so we generally oblige, with dire consequences for cyber security.
In the context of ransomware, such techniques aren’t that hard to spot. For the most part, the tactics used employ aspects of fear, scarcity and authority to name just a few. Often the attacker will detail that the victim has to respond to the ransom request within a certain period of time, and the fear of loss (of files) places an additional pressure on the victim.
Time criticality places a stress on the individual, often making them think less rationally and making them opt for a decision that in hindsight could have been examined more logically. But who has the time to do this when you only have a few days to get Bitcoins in order to get your files back? More importantly, what is a Bitcoin and how do I get them?
Well, fortunately for those victims who are less technically savvy, the attackers have this covered. Evidently they are aware that many victims won’t have the first clue what a Bitcoin is, so they load the ransomware splash screens with helpful hints and tips on how to buy them and where to get them from, even to the point of providing helpful video tutorials. This again shows a level of sophistication on behalf of the attacker that is sometimes missed: they emulate the customer service pitch of successful businesses by signposting ‘how to’ advice, a list of frequently asked questions and the option to contact a member of the team.
Such a process does something else – it makes the attacker look more credible, organised and more business-like. In terms of social engineering, greater credibility brings about an air of authority, and if you think someone has authority, you are in turn more likely to comply with their requests. Rather than viewing the attacker as a criminal, they become a service organisation that is supplying an answer to a problem they have created.
So what is the point of this type of research? Predominantly, it presents a new perspective on a digital crime that is often overlooked in favour of a further technical intervention. However, if such interventions were working effectively, ransomware attackers would have long since given up and there would be many empty Bitcoin wallets.
If we can gain a deeper understanding of how attackers are using aspects of psychology to influence victims to pay ransoms, we can produce and deploy more effective human-factor countermeasures. If we also have an understanding of the decision-making processes that underlie the response to a ransomware attack, we can start to mitigate threats and help victims take a more informed course of action.
There are barriers to such work, and obviously many victims of ransomware will not wish their susceptibility to such attacks to be common knowledge. This means such attacks go underreported, and the lack of clarity in disclosure for such attacks (as well as a general reticence to acknowledge human factors have a role in protecting the company or organisation) makes for a very frustrating research environment. Until such barriers are overcome and we have a better landscape for discussing such attacks and sharing information, victims will still be isolated and criminals will be cashing in their Bitcoins.
Dr Lee Hadlington is a cyberpsychologist at De Montfort University. His current research interests focus on exploring human factors in cyber security, as well as helping businesses understand and develop better interventions to help mitigate threats. He is keen to engage in collaborative research with businesses and organisations with the aim of developing case studies to show the effectiveness of different training strategies. He can be contacted at firstname.lastname@example.org