Threats 101
Brianna Gammons
Feb 2017

The Psychology of Ransomware: 5 Mind Games Criminals Play

Ransomware reached a new high in 2016 and continues to grow.

But it’s not just a surge in attack volume that organizations are struggling with, it’s the mushrooming diversity of those attacks. There was a 400% spike in ransomware variants in 2016. That increase in variety is one of the key reasons why ransomware has continued to be so successful.

With all those chances for iteration, not only are attackers experimenting with new programs and code, they’re also getting creative when it comes to messaging and trickery.

We recently spoke with security expert Troy Hunt about the growing diversity of ransomware in the wild and several notably twisted tactics hackers are using to make their attacks more profitable and effective.


“Attackers are really figuring out how to tap into not just the digital side of things to compromise systems, but how to tap into people’s psyches and push the right buttons that will cause them to pay. I suspect that we’re going to see a lot more creativity there in 2017.”

Troy Hunt, Microsoft Regional Director & Most Valuable Professional for Developer Security, Pluralsight author, and international speaker.

Exactly how are ransomware criminals getting more creative? Here are five ways they’re using psychology to create urgency, put victims off balance, and increase their likelihood of getting paid:


1) The “Tick Tock” Game (using ticking countdowns to create urgency)

“For one day only!” “Act now! Sale ends Friday!” — marketers unfortunately aren’t the only ones who realize the power of a limited-time offer. Ransomware authors leverage this tactic to play mind games with their victims, too.

Hunt points out that several variants prominently feature countdown timers on their ransom screens, along with notifications that either the ransom price will go up or the victim’s files will be destroyed if the allotted time runs out.

Seeing the clock literally clicking in front of them promotes a sense of panic and urgency that can encourage victims to act quickly, Hunt explains. That’s all by design — the attackers know the longer the victim has to think about their predicament and research potential solutions, the less likely it is that they’ll pay.


Source: Bleeping Computer

Some ransomware variants like Jigsaw and Stampado take the ticking countdown tactic even further, threatening to delete one or more files every hour until payment is received.


2) The “You’re Busted” Game (pretending to be a law enforcement agency to put victims on the defensive)

This is an older tactic that has stuck around for a reason — it unfortunately works. Rather than alerting victims they’ve been hacked, some ransom screens are disguised to look like notices from official government or law enforcement agencies, spooking victims into thinking they’ve been caught red-handed doing something wrong.

A classic example is the fake FBI alert used by the ransomware variant Reveton. The ransom screen used by Virlock (pictured below) is a more recent example. It says the victim’s computer has been locked due to copyright infringement (likely through streaming pirated movies or music, a victim might assume), a crime that carries penalties of up to five years in prison and a $250,000 fine. Because it’s the victim’s first offense, they have the opportunity to pay a fee of $250.


Source: Bleeping Computer

By leveraging official government seals the bogus warning can look just legitimate enough to generate some very real anxiety in victims. The threat of a much larger potential penalty is another psychological trigger that can make them feel like $250 is catching a break and they should take advantage while they can.

Another devious variation of this mind game is an alert announcing child pornography has been found on the victim’s computer.


3) The “Infect a Friend” Game (turning ransomware into a chain letter)

Hunt points to the ransomware Popcorn Time as another variant that plays games with its victims. But rather than simply make a standard ransom demand and wait for victims to fork over a Bitcoin, it offers them an alternative way to regain access to their files — by infecting other people.

The ransom note includes a “referral link” that victims are encouraged to share. If two people get infected with the ransomware from clicking that link, the attackers will supposedly send the original victim the decryption key for free.



By offering you such a twisted choice, the authors behind Popcorn Time are either banking on your propensity to do “the right thing” (in which case they get paid) or your sense of self preservation (in which case they get more chances to get paid). Either way, they win.


4) The “Fake-Out” Game (pretending to be ransomware)

Criminals know a cash cow when they see one, and that’s exactly what ransomware has become. The migration to ransomware reached a new high-water mark last September, when anti-phishing company PhishMe found that more than 97 percent of the phishing emails they analyzed in Q3 were delivering ransomware.  

With the popularity and prevalence of ransomware surging, it was only a matter of time before criminals figured out they don’t necessarily need to go to the trouble of deploying fully functioning ransomware to be effective. All they have to do is design attacks that look like ransomware and trust that they can bluff victims into taking the bait.

According to a Citrix study, 39 percent of UK businesses have fallen for these types of bluff attacks where a criminal falsely claims to have blocked access to files and systems when in fact no encryption has occurred. Worse, 61 percent of those businesses actually paid the ransom. In these cases, simply deploying the threat of ransomware is just as lucrative as a deploying real ransomware program would be.

In another example of criminals finding a shortcut, some attackers have taken to deploying malware that skips the complicated task of encrypting victim files and deletes them instead. The criminals still make ransom demands based on recovering the files, but they have no real intention or capability of doing so. The Anonpop Fake Ransomware is an example of this devious trick in action.


Source: Bleeping Computer

Anonpop and other examples of fake ransomware serve as good reminders that it’s important to try to determine what type of ransomware you’ve been infected with if you do suffer an attack. Some ransomware variants have flaws, and others have been reverse engineered so decryption tools could be made available.

To find out what type of ransomware you may be infected with and whether a decryption tool is available, see our Ransomware Decryption Tool Finder.


5) The “Public Disclosure” Game (threatening to release private info)

It’s bad enough ransomware victims have to worry about losing access to their files forever. Now some attackers are threatening to release the information they capture publicly for the entire world to see (a tactic known as doxing). For many victim organizations, that’s a threat that carries even more weight than the threat of data loss, especially considering the latter can sometimes be mitigated by recovering from backup.

Imagine the ramifications for healthcare providers, for example, if not only were they locked out of accessing patient health records, but those records were later leaked online.

By adding doxing to the mix, criminals are able to turn every ransomware attack into public data breach event. Tweet this.

Up to this point, many organizations have been able to avoid embarrassment and unwanted publicity by handling ransomware attacks privately. But by adding doxxing to the mix, criminals are able to turn up the pressure and make every ransomware attack a potentially very public data breach event.

We’ve seen signs of ransomware moving in this direction already this year, and experts including Hunt agree it’s an extremely likely evolution. This makes a wipe-and-restore-from-backup recovery plan look a lot less sweet. When the threat of disclosure is on the table, prevention becomes a more important strategy.


5 Tips to Prevent Ransomware from Playing Games with Your Users

How can you ensure you and your users won’t get blindsided and fall victim to one of these mind games? Here are a few quick tips:

  1. Train your users how to recognize phishing emails (the primary delivery vehicle for ransomware).
  2. Implement software restriction policies that help prevent malware from running.
  3. Don’t give users admin privileges (unless they truly need them).
  4. Have a proper backup strategy in place and test it regularly.
  5. Implement runtime malware defense to stop the ransomware that gets past antivirus.

Looking for more ransomware tips and resources? Check out our Complete Guide to Ransomware to learn everything there is to know.

For more from Troy Hunt, check out his blog and see our post, "5 Ways for Small IT Teams to Stay Ahead in the Evolving Security Landscape."

Feature photo by Ryan Somma 

Brianna Gammons

Brianna Gammons

Brianna is helping us grow an active community of security beginners and experts alike. She is exploring topics like security in healthcare and how to keep companies safe from ransomware.


Close the gaps in your security

Stop paying for AV, get the strongest protection instead. See how Barkly blocks attacks that are getting past AV.

See a demo


Stay informed!

Get the latest security news, tips, and trends straight to your inbox.

Stay informed!

Get the latest security news, tips, and trends straight to your inbox.