Ransomware Tactics and Mind Games
The shift from technology to psychology
By: Incident Response Team
SecureWorks® analysts have been researching, detecting, and responding to ransomware incidents since ransomware emerged in 2005. Over the years, ransomware developers and distributors have improved their technology and tactics to adapt to victims' defenses and maintain profitability, generating nearly $1 billion in profits from ransomware in 2016. Analysis of that evolution reveals a shift from purely technological advances to psychological ones that pressure victims into paying ransoms faster.
Setting the standard — The original crypto ransomware examples
Ransomware prevents victims from accessing their computer files until a ransom is paid. It typically encrypts victims' files, offering to provide a decryption method when the threat actors receive payment. Initial ransom demands were nominal but increased as the victim pay rate increased. The pay rate was influenced by reports that victims recovered their data after paying the ransom, despite FBI recommendations not to pay.
Keeping better secrets — Cryptography the right way
Early ransomware's weak cryptographic algorithms and implementation mistakes allowed researchers to create decryption tools that recovered data without payment. As ransomware matured, variants adopted strong, correctly implemented encryption that prevented unauthorized decryption of affected files. Victims were left with two options: pay the ransom or recover the data from another source such as backups.
Fighting shadows — Removing the volume shadow copy
Denial of access is a fundamental requirement for a successful ransomware campaign. Security researchers found that the Microsoft Windows Volume Shadow Copy Service (VSS) could allow victims to recover a portion of their encrypted data. If VSS is enabled, it maintains point-in-time "snapshot" copies of files, known as shadow copies, on the computer. Restoring from these copies gives the victim the file contents as they were at the time of the last snapshot. In 2014, SecureWorks analysts observed the CryptoWall ransomware deleting the shadow copies and disabling Windows' System Restore, which prevented recovery of encrypted files by either route.
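Because shadow-copy deletion and System Restore tampering happen before or during encryption, they are among the earliest host signals a defender can act on. The following Python is an added example, not code from the original article or from SecureWorks: it runs a small set of command-line rules over constructed process-creation events (in the shape of Windows Security event 4688 or Sysmon Event ID 1, with pid, parent image and command line). The command lines are typical recovery-inhibition commands chosen for illustration, not the specific commands CryptoWall used, and the "trusted parent" heuristic is an assumption of the example.

```python
import re

# Constructed sample process-creation events for this example (not real
# telemetry). Fields mirror Windows 4688 / Sysmon EventID 1: pid, parent image,
# command line.
SAMPLE_EVENTS = [
    {"pid": 4120, "parent": r"C:\Windows\explorer.exe",
     "cmd": r'"C:\Windows\System32\vssadmin.exe" Delete Shadows /All /Quiet'},
    {"pid": 4188, "parent": r"C:\Users\victim\AppData\Local\Temp\update.exe",
     "cmd": r"wmic.exe shadowcopy delete"},
    {"pid": 4201, "parent": r"C:\Users\victim\AppData\Local\Temp\update.exe",
     "cmd": r"bcdedit.exe /set {default} recoveryenabled No"},
    {"pid": 4210, "parent": r"C:\Windows\System32\svchost.exe",
     "cmd": r'"C:\Windows\System32\vssadmin.exe" List Shadows'},
    {"pid": 4300, "parent": r"C:\Windows\System32\cmd.exe",
     "cmd": (r'reg.exe add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore"'
             r" /v DisableSR /t REG_DWORD /d 1 /f")},
    {"pid": 4310, "parent": r"C:\Windows\explorer.exe",
     "cmd": r'"C:\Windows\System32\notepad.exe" C:\Users\victim\notes.txt'},
]

# Rules over the command line. The optional `"?` after the image name tolerates
# quoted paths such as "...\vssadmin.exe". Matching is case-insensitive.
RULES = [
    ("vss_delete_shadows",
     re.compile(r'vssadmin(\.exe)?"?\s+delete\s+shadows', re.I)),
    ("vss_resize_shadowstorage",
     re.compile(r'vssadmin(\.exe)?"?\s+resize\s+shadowstorage', re.I)),
    ("wmic_shadowcopy_delete",
     re.compile(r'wmic(\.exe)?"?\s+shadowcopy\s+delete', re.I)),
    ("bcdedit_recovery_off",
     re.compile(r'bcdedit(\.exe)?"?.*recoveryenabled\s+no\b', re.I)),
    ("system_restore_disabled",
     re.compile(r'SystemRestore.*\bDisableSR\b', re.I)),
    ("wbadmin_delete_catalog",
     re.compile(r'wbadmin(\.exe)?"?\s+delete\s+catalog', re.I)),
]


def match_rules(cmd):
    """Return the names of every rule whose pattern matches the command line."""
    return [name for name, pattern in RULES if pattern.search(cmd)]


def parent_is_trusted(parent):
    """Heuristic (assumed for this example): a parent under C:\\Windows, but not
    C:\\Windows\\Temp, is an administrator-style launch; anything else (a
    binary in a user-writable directory) is treated as suspicious."""
    p = parent.lower()
    return p.startswith("c:\\windows\\") and not p.startswith("c:\\windows\\temp\\")


def scan(events):
    """Emit one alert per event that matches at least one rule."""
    alerts = []
    for ev in events:
        hits = match_rules(ev["cmd"])
        if not hits:
            continue
        alerts.append({
            "pid": ev["pid"],
            "rules": hits,
            "severity": "medium" if parent_is_trusted(ev["parent"]) else "high",
        })
    return alerts


def host_verdict(events):
    """Escalate when several distinct recovery-inhibition techniques fire on the
    same host: deleting shadows AND disabling restore is the ransomware playbook,
    whereas a lone vssadmin call from a trusted parent may be an administrator."""
    alerts = scan(events)
    distinct_rules = {rule for alert in alerts for rule in alert["rules"]}
    if len(distinct_rules) >= 2:
        return "critical"
    if any(alert["severity"] == "high" for alert in alerts):
        return "high"
    if alerts:
        return "medium"
    return "none"


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
    print("host verdict:", host_verdict(SAMPLE_EVENTS))
```

Note that "vssadmin List Shadows" (pid 4210) deliberately does not fire: enumerating shadows is benign, and a rule on the bare binary name would drown the signal in administrator noise. Correlating several distinct techniques on one host, as `host_verdict` does, is what separates this activity from routine maintenance.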
Offering assistance — Malware with a customer service number
Modern ransomware demands payment via Bitcoin, a digital currency that transfers funds without a central authority. Its decentralized design lets ransomware distributors receive pseudonymous payments that are difficult to attribute or reverse. However, many victims are not familiar with this technology, prompting threat actors to provide help documents and even support hotlines to walk victims through payment.
Applying psychological pressure — Pay now or lose the data
Some ransomware variants add urgency to the ransom demand. For example, Jigsaw deletes a portion of the encrypted files every 60 minutes and each time the infection restarts. There is little chance of recovering those deleted files, even after the ransom is paid. Other variants increase the ransom if it is not paid within a set timeframe. These tactics focus victims' attention on paying promptly to avoid data loss rather than on alternative means of recovery.
Using referrals — Infect friends to retrieve files
In late 2016, the Popcorn Time ransomware introduced an option for victims to recover their files by sending malware to others. Victims who choose that option allow the ransomware distributors to leverage the trust of the victims' peers to increase infection rates.
Implications for the future
The trend suggests that threat actors will continue to focus on psychological tactics in 2017. As ransomware evolves, organizations must implement security measures beyond standard data backups to protect themselves. Stronger acceptable-use policies and faster detection and response cycles are needed to minimize the pressure ransomware distributors can apply to victims. SecureWorks analysts expect threat actors to leverage tactics such as defamation and extortion in addition to the traditional ransom to increase their chance of success.