Security Experts:

Researcher Analyzes Psychology of Ransomware Splash Screens

The 'splash screens' of seventy-six different types of ransomware have been analyzed by a cyber-psychologist from De Montfort University. Commissioned by SentinelOne, the subsequent report 'Exploring the Psychological Mechanisms used in Ransomware Splash Screens' (PDF) is designed to reveal how social engineering tactics are used by cyber criminals to manipulate and elicit payments from individuals.

All successful ransomware infections have one common factor -- an explanatory instruction screen to describe what has happened and explain how the victims can recover their files through the payment of a ransom. It is these explanatory screens that comprise the 'splash screens' that are analyzed.

The content and design of the splash screens varies widely but they all have the same intention: to ensure that the victim pays up. "The argument presented in the current report," writes the author, Dr Lee Hadlington, "suggests that these tactics are closely aligned to the concept of social engineering, working on aspects of fear, urgency, scarcity, authority and, in some cases, humor."

He admits that it isn't clear whether the use of archetypal social engineering methods is by design or imitation; but they do occur. The primary social engineering techniques are 'urgency' ('pay within a short deadline or the fee will double'); fear ('or you will lose all of your personal files'); authority ('you must do what I say'); and -- sometimes -- approachability ('email me if you need further instructions').

Hadlington says, "We know that psychology plays a significant part in cyber crime -- what's been most interesting from this study is uncovering the various ways that key social engineering techniques are used to intimidate or influence victims. With ransomware on the rise, it's important that we improve our understanding of this aspect of the attack and how language, imagery and other aspects of the initial ransom demand are used to coerce victims." 

While the analysis of the splash screens is interesting and thorough, it does not explain why it is important to understand a technique (social engineering) that is already well-understood and thoroughly analyzed. Furthermore, there is no ability to study the effectiveness of the social engineering techniques (which would at least benefit social engineering research if not ransomware research).

One difficulty is that we do not fully understand the underlying purpose of this social engineering. David Harley, a senior research fellow with ESET, has his own thoughts. "As I see it, the importance of social engineering in notifications lies mostly in these areas," he told SecurityWeek in an emailed comment: "[firstly] pressuring the victim into taking the desirable action of paying up more or less immediately, rather than exploring other options. Especially if there's a risk that grey- or whitehat researchers will come up with a way of recovering data without paying.

"[Secondly] pressuring the victim into paying for recovery of data that aren't actually lost; and [thirdly] pressuring the victim into paying for recovery of data for which the criminals don't actually have a recovery mechanism, before some interfering security researcher points out that paying up doesn't achieve anything."

The big weakness in the report is the inability to measure the effectiveness of the splash screens. This is something that the author admits: "Not all splash screens are the same -- there is a distinct difference in terms of the level of sophistication of mechanisms used to gain payment, presentation of the splash screens and provision of information for further contact. However, there is no further data to explore how such differences map to their success in terms of eliciting payment."

Tony Rowan, a director at SentinelOne, accepts the difficulty in measuring the success of the different splash screens. "This is an interesting area," he told SecurityWeek, "and we have looked for data to use in a correlation exercise.  At this stage, the payment data is too disparate and unverifiable to be useful for a correlation exercise, though this is an area we will continue to look at."

But as Harley adds, "As someone with a background in social sciences, I find these questions rather interesting; but from an academic point of view, without subjective data to draw on which aren't present in this study, they're just conjecture."

Without the ability to measure the effectiveness of the different splash screens, there can be no serious conclusions from the analysis. This is admitted: "By expanding the current work with more empirical research, a clearer understanding of why certain ransomware splash screens are more successful at eliciting a payment over others could be obtained," writes Hadlington. "Such information could in turn be used to provide effective mitigation techniques for such attacks, as well as giving both investigators and victims a clearer pathway for help and advice in the event of an attack."

But even then, it is not at all clear how understanding the efficiency of different social engineering techniques in splash screens could help provide 'effective mitigation techniques for such attacks'. It has to be said that this research will be of more interest to students of social engineering than to students of cyber security.

view counter
Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.