Ransomware is a psychological game, and you need to stay several steps ahead.

Cybercrime is very much a psychological game, and ransomware is no different.  Psychology plays a role in almost every aspect of an attack, from whether phishing messages effectively grab the attention of target users to whether victims pay the ransom.

Psychology of ransomware distribution

A majority of ransomware is distributed through phishing emails, instant messages, and SMS.  Distributors use tactics designed to make a victim click a link quickly.  They create a sense of urgency that prompts an immediate response.  This preys on a person’s emotions, especially fear.  Victims are told that they might lose access to an account, that an unauthorized payment has been made, or that medical benefits are about to change.  These things scare victims into clicking the link and, in the process, getting a dose of ransomware.

Ransomware distributors also understand victims’ desires.  They know that most people would take an easy path to money, recognition, or free merchandise if they could, and they offer the break their targets are looking for.

Psychology of ransomware demands

Ransomware demands rely primarily on the fear of losing data.  Infections are often noticed when access to data is needed.  Suddenly, instead of the files, the victim sees a ransom message.  Victims fear losing that data.  Even when backups are available, they fear not being able to restore all data and that, if a restore fails, it would be impossible to get the files back from the extortionist.

Fear is also used in ransom messages that display warnings of illegal or embarrassing behavior.  Those accused of a crime by fake FBI warnings or by messages regarding pornography viewing are loath to seek help from others in restoring files or remediating the ransomware because they fear that their activities could be put under a microscope and that friends, family, or coworkers might think less of them.  Many victims fell prey to these messages because police phishing can create anxiety or panic.  Victims see the email listing a fine and want to disprove it, so they click the link to obtain the details.

Ransomware also uses tactics that further build anxiety, such as assigning deadlines to ransom payments.  TruCrypt, for example, has demanded payment in 72 hours.  After that, recovery keys would be unavailable.  Other variants have deleted random files as deadlines approach.

Some have taken a completely different approach.  CryptMix promised to donate ransoms to charity if victims paid their large demand of 5 bitcoins to decrypt data.  When faced with a difficult decision, people want to know that they are doing the right thing, and CryptMix allows victims to believe that they are helping someone in the process.  Whether anyone actually believes that the authors will donate the ransom money to charity is beside the point.  It is the desire to believe that really matters, and it is that desire that ransomware authors count on.

Ransomware authors and distributors know how to push our psychological buttons.  That is why it is important to prepare yourself psychologically for an attack and for the phishing messages that are often used to distribute ransomware.  Take the time to consider emails, instant messages, and SMS before clicking links or downloading software.  Plan how you will respond if you have an infection.  Verify that you have good backups and that you know how to perform a restore operation.  Finally, know who you trust to help you in such an event.  An objective perspective can bring rationality to the fears presented by extortionists.


This post is Part 2 of 4 of a series discussing ransomware: Part 1: The Economics of Ransomware, Part 3: The 6 Phases of an Advanced Ransomware Threat, and Part 4: A Timeline of Ransomware Advances.  To learn more about what ransomware is and how it is distributed, please visit our blog post The Five W’s (and How) of Ransomware.