IT disaster recovery, cloud computing and information security news

The key to stopping the disruption caused by ransomware lies not in technology but in human psychology. Dr. Sandra Bell looks at why this is the case and what factors organizations should consider.

Ransomware is nothing new, but it is profitable, and attackers are still deploying it widely. Recovering from ransomware is conceptually straightforward: if you have backups the attacker could not reach, and your network is segmented so the infection stays contained, you wipe the infected computers, reimage them from clean backups and close the access route the attacker used. If you are prepared, recovery can take place relatively quickly. The caveats matter, though: ransomware routinely encrypts or deletes any backups it can reach over the network, so the copies you restore from must be offline, immutable or otherwise isolated, and they must be verified as intact and clean before you trust them. Even for well-prepared organizations, a successful attack still causes disruption and stress. The best solution is to avoid ransomware attacks in the first place, and to do this organizations need to stop focussing solely on technology and start looking at where the real key to the problem resides: human psychology.

Here are four things you need to know about ransomware if we’re ever going to stop it.

The real target of ransomware might not be what you think…

If you think your IT systems are the target of ransomware, you’re not alone. But you’re also not correct. Your IT systems are just the delivery mechanism. The real target is your employees.

Ransoms rely on psychological manipulation that IT systems aren’t susceptible to. The systems are the prisoner being held for money.
The psychology of ransomware is complex, and the two main types — locker and crypto — use different tactics and are successful within different populations of people (more on this later).
It’s not just a case of getting your workforce to abide by security rules and keep their eyes open for dodgy emails, links and attachments (this helps prevent the data and systems from becoming prisoners in the first place, but it does nothing about the pressure to pay once they are).

You must recognize employees’ unique psychological susceptibilities and design work practices that prevent individuals within your workforce from becoming attractive targets.

Who is more likely to fall for ransomware?

As highlighted above, ransomware uses complex psychological tactics to get its targets to pay. The two main types of ransomware play on different psychological vulnerabilities.

Crypto ransomware finds and encrypts valuable data and typically demands a fee to decrypt the files, often under a deadline that creates time pressure to pay. It plays on the ‘endowment effect’ in the victim, taking advantage of the extra value people place on what they already own compared with what they don’t.

It also makes use of the Ellsberg paradox, people’s preference for a known outcome over an ambiguous one, by making it look as though there is a certain, and positive, outcome if the target complies with the ransom demand (e.g., they get their data back), as opposed to an uncertain, and potentially negative, outcome if they don’t (e.g., their boss will be angry and they may or may not lose their job).

By contrast, locker ransomware typically locks a system, preventing the target from using it, and imposes a ‘fine’ for release. It often works by deception, with the perpetrator posing as an authority figure (law enforcement is a common choice) who has supposedly identified a misdemeanour, and uses the dishonesty principle (the conviction that anything you have done wrong will be used against you) to get you to comply with their wishes.

The effects of both these tactics are greatly amplified if the target is physically isolated from their colleagues and their organizational support network, or even if they perceive themselves to be.

When you look at the victims of ransomware, they are often remote workers or people who identify primarily with their profession rather than their employer (e.g., doctors, nurses, police officers, and so on).

If you’re in an open-plan office and a ransomware screen pops up, you’re likely to point it out to your colleagues before acting yourself. However, if you are in your home office or feel only loosely affiliated with your employer, you’re more likely to take matters into your own hands.

The risk of ransomware can be reduced by fostering a corporate culture that reduces the feelings of real or perceived isolation.

How to short-circuit the entire value proposition behind ransomware

If you’re hit with ransomware, your data and IT systems are the ransom prisoners, held hostage until the perpetrators receive payment. But there’s a crucial difference between your data and the traditional prisoner in a ransom scheme, like a person or an object of monetary value.

Data, unlike a person, is easily copied or cloned. Logically, attackers should not be able to hold data for ransom by withholding access to it: if you always have a clean copy (or the ability to create one), there is no point in paying to have the original released. The qualifier ‘clean’ does real work here. The copy has to be beyond the attacker’s reach, which rules out backups sitting on shares the infected machines can write to, and it has to be recent enough and verified as intact, because ransomware may have sat quietly on the network for weeks before encrypting anything.

Likewise, it is now the norm to access our data through multiple devices, which means that locking one access route has limited impact.

While the only option for goods and people is to deploy security measures to protect them, data and IT systems can also be protected by duplication. That is not only cheaper but also more practical.
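The ‘clean copy’ argument, and the ‘reimage from clean backups’ step described at the start of the article, only hold if the copy you restore from is still the copy you made. The following is an added example, not code from the article or its author, of the check a recovery team would run before trusting a backup set: a Python script that compares a backup store against the hash manifest recorded when the backup was taken, flags files that are missing, modified or unexpected, and uses byte entropy to spot files that look encrypted. The file names, contents and manifest are constructed for the example; in practice the manifest must live somewhere the attacker cannot rewrite it.

```python
"""Verify that a backup set is still a clean copy before restoring from it.

Added example: the paths, file contents and manifest below are constructed
for illustration, not taken from any real backup.
"""
import hashlib
import math
from collections import Counter


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte. Text and most documents sit well below 7;
    ciphertext (and, as a false-positive caveat, compressed archives) sit near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def verify_backup(manifest: dict[str, str], store: dict[str, bytes],
                  entropy_threshold: float = 7.0) -> dict:
    """Compare a backup store against the manifest written when the backup was taken.

    manifest: path -> SHA-256 recorded at backup time (keep it out of the
              attacker's reach, e.g. offline or signed; otherwise it can be rewritten).
    store:    path -> current bytes in the backup location.
    Returns a report with per-category path lists and an overall 'clean' verdict.
    """
    report = {"ok": [], "modified": [], "missing": [],
              "unexpected": [], "likely_encrypted": []}
    for path, expected in manifest.items():
        if path not in store:
            report["missing"].append(path)
        elif sha256(store[path]) != expected:
            report["modified"].append(path)
        else:
            report["ok"].append(path)
    for path, data in store.items():
        if path not in manifest:
            # Renamed/encrypted copies and ransom notes show up here.
            report["unexpected"].append(path)
        if shannon_entropy(data) >= entropy_threshold:
            report["likely_encrypted"].append(path)
    report["clean"] = not any(report[k] for k in
                              ("modified", "missing", "unexpected", "likely_encrypted"))
    return report


# --- constructed sample data -------------------------------------------------
CLEAN_STORE = {
    "finance/q3-report.txt": b"Quarterly revenue summary: region, product, total.\n" * 20,
    "hr/handbook.txt": b"Employee handbook, section 1: working hours and leave.\n" * 20,
    "ops/runbook.txt": b"Step 1: isolate the host. Step 2: preserve evidence.\n" * 20,
}
# Manifest as it would have been recorded at backup time.
MANIFEST = {path: sha256(data) for path, data in CLEAN_STORE.items()}

# The same store after simulated ransomware activity: one file encrypted and
# renamed (high-entropy bytes, deterministic so the example is reproducible),
# one file tampered with, and a ransom note dropped.
FAKE_CIPHERTEXT = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(20))
DAMAGED_STORE = dict(CLEAN_STORE)
del DAMAGED_STORE["finance/q3-report.txt"]
DAMAGED_STORE["finance/q3-report.txt.locked"] = FAKE_CIPHERTEXT
DAMAGED_STORE["hr/handbook.txt"] = CLEAN_STORE["hr/handbook.txt"] + b"tampered\n"
DAMAGED_STORE["README_RESTORE.txt"] = b"Your files have been encrypted. Pay to get them back.\n"


if __name__ == "__main__":
    for name, store in (("clean", CLEAN_STORE), ("damaged", DAMAGED_STORE)):
        report = verify_backup(MANIFEST, store)
        print(f"{name}: clean={report['clean']}")
        for key in ("missing", "modified", "unexpected", "likely_encrypted"):
            if report[key]:
                print(f"  {key}: {report[key]}")
```

The hash comparison catches anything that changed; the entropy check is a second opinion for files the manifest does not know about, such as renamed encrypted copies. Compressed or already-encrypted archives will also score near 8 bits per byte, so treat the entropy flag as a prompt to inspect, not as proof of damage.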

The perpetrators can of course also threaten to publicise sensitive data they have stolen. Strictly speaking this is extortion rather than ransomware, and duplication does nothing to defuse it. Many ransomware operations now combine the two, exfiltrating data before encrypting it, so backups neutralise only half of their leverage; preventing the intrusion and detecting the exfiltration still matter.

How companies avoid becoming ransomware victims

Ransomware attacks aren’t over when your systems get infected and locked down. When you launch your response and recovery, the attack is almost always still taking place, and you might have to shift strategies on the fly.

As any military commander will tell you, ‘no plan survives first contact with the enemy’. If you have only a single response plan, with no means to deviate from it, your opponent will quickly learn what it is and work around it. In short, you will become a victim.

Obviously, it’s essential to have a solid backup strategy and business continuity and disaster recovery arrangements in place. But your response won’t succeed unless you also have the crisis leadership skills and knowledge to adapt your response in real time. You must lead your organization through the complex, uncertain, and unstable environment that’s created by a large-scale ransomware attack.

How do you stop ransomware?

There’s no single solution to the ransomware problem. However, organizations that are most successful at managing the associated risks have taken advantage of features that data and IT systems offer to back up and protect their data, while recognizing that much can be done to safeguard their people from becoming targets.

By understanding the psychology behind ransomware and how it affects your employees, you can reduce the risk of ransomware and avoid becoming the next victim.

The author

Dr. Sandra Bell, Head of Resilience, Sungard Availability Services.
