Journalist Kevin Townsend asked my opinion on a report from de Montfort University (in Leicester, in the UK) offering analysis of what the report calls ‘splash pages’ of various examples of ransomware, and claiming to show that ‘whilst there was a wide variation in the construction of ransomware splash screens, there was a good degree of commonality, particularly in terms of the structure and use of key aspects of social engineering used to elicit payment from the victims.’ Kevin was dubious about the value of the research, since ‘at this stage, the only social engineering they can do is to persuade the victim to pay up.’
And he has a point (in fact, several points): after all, it’s a binary decision that doesn’t really call for sophisticated social engineering. Do you value your data enough to pay the ransom, or do you decline to provide comfort to the criminal and refuse to pay up? While a range of social engineering techniques can be seen at work in this context, is it possible to assess how successful they are, or even whether they’re particularly relevant?
I agree that the practical application of this research, as represented in the ‘key points’ at the end of the paper, does seem limited, certainly in terms of hard-core security. And I agree that there are no obvious metrics for establishing how ‘successful’ social engineering is in this context. If your data is unavailable, maybe all you really want to know is how to get it back. However, it does raise some interesting questions, both directly and implicitly. Why do (some of) the criminals apparently think the social engineering is important in this context?
Of course, social engineering may play a vital part in persuading a victim to open a malicious executable or website that allows ransomware to get a foothold on the victim’s system in the first place, but that isn’t the issue that the de Montfort report is looking at.
Review of this article
Social engineering aspectAccording to David Harley statement, social engineering in a ransomware attack seems to exist but is very hard to qualify or quantify.
Anyway, a ransomware needs a human interaction to be successful (the victim has to pay in order to make the attack profitable, check this review). It is obvious from the attacker point of view that this part of the process must be optimized.
Ransomware attacks are sadly more and more professional. This part of the process will certainly be improved. If not yet, social engineering will be used.
With the increase of the volume and accuracy of public data about individuals, it will be easier for an attacker to fake a person identity. Specially for those having authority on the victim to make him/her pay more easily.
An example of company responseFirst of all, if you have a backup of your data, just clean infected supports (by erasing their bits totally and reinstalling them from scratch) and restore your data. The attack is over and you temporarily won.
If the encrypted data are important and you do not have them elsewhere, contact a professional before doing anything (have a look at the No more ransom project).
According to the ransomware the response may change. The professional is here to activate the correct one.
Be warned that the possibility of rescuing your data is far less than 100%.
In both case, keep a track of the "human" interaction from the attacker. Who he claims to be ? How did he contact you ?
It is important to continuously check the part of your IT process that will never be automatized.
If the impersonated one is an existing and known person, contact him/her as his/her online identity can be extremely compromized.
And of course, back up and train your staff before the next attacks.