Malware Demands Ransom Based On Location

by NewsEditor_ on February 9th, 2016 in Industry and Security News.

A new report reveals some of the economic and psychological factors involved in ransomware attacks. Researchers at Imperva, a data security company, studied several samples of the CryptoWall 3.0 ransomware and followed the money trail of ransom payments. CryptoWall 3.0 is the latest version of the popular malware, which encrypts all or most of the data on a victim’s computer and demands that a ransom be paid to the perpetrator to recover the encrypted content.

One notable aspect of the research is that the malware changes the price of the ransom based on the user’s location. “As part of the initial communication process, it sends HTTP GET request to the ip-addr.es/ site, which retrieves the machine’s public IP address (the address is displayed in the ransom note). The CryptoWall conducts geolocation observations of the victim’s computer through its IP address.” It then adjusts the ransom amount based on the country of origin: a victim of the ransomware in the United States is asked to pay the equivalent of $700 USD in Bitcoin, while victims in Russia and Mexico are asked to pay $500 USD. Does correlating the ransom with income levels in the victim’s area increase the number of users willing to pay?

The research also points to the psychological factors in such ransomware attacks. The samples of CryptoWall 3.0 used in the research displayed a countdown timer urging the victim to pay the ransom before time runs out and the ransom amount doubles. Such implied urgency is a psychological tactic often used in sales scenarios: potential customers are prompted to purchase products because of limited-time sales offers or a scarcity of products in stock. Home computers affected by ransomware typically contain photos, videos and other digital keepsakes whose sentimental value could be deemed invaluable. Combined with the aforementioned countdown timer, the methodology of the ransomware could be seen as exploiting a number of psychological factors to manipulate users into paying.

The samples of ransomware studied in the report accounted for a total of $337,607 USD in ransom paid out to the perpetrators in Bitcoin. That amount is significant considering the report covers a period of approximately five months. The researchers note that the amount listed is from an ongoing malware campaign and will likely increase.
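
The public-IP lookup to ip-addr.es quoted above shows up in web proxy logs, which makes it usable as a hunting signal. The following is an added example, not code from the report or from Imperva; the log format, client addresses and function names are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

# Lookup host named in the report; add others relevant to your environment.
LOOKUP_HOSTS = {"ip-addr.es"}

# Constructed sample lines. Assumed format: timestamp client method url status
SAMPLE_LOG = """\
2016-02-01T09:14:02Z 10.0.4.17 GET http://ip-addr.es/ 200
2016-02-01T09:14:05Z 10.0.4.17 GET http://example.com/index.html 200
2016-02-01T09:20:41Z 10.0.4.23 GET http://notip-addr.es.example.com/ 200
2016-02-01T10:02:13Z 10.0.7.80 GET http://IP-ADDR.ES:80/ 200
2016-02-01T10:05:00Z 10.0.7.80 POST http://example.org/submit 200
2016-02-01T11:30:09Z 10.0.4.17 GET http://ip-addr.es/ 200
malformed line
"""

def is_lookup_host(host):
    """Exact or subdomain match, so 'notip-addr.es.example.com' is not a hit."""
    return any(host == h or host.endswith("." + h) for h in LOOKUP_HOSTS)

def find_ip_lookups(log_text):
    """Return {client: {"count": n, "first_seen": ts}} for GETs to lookup hosts."""
    hits = {}
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip lines that do not match the assumed format
        ts, client, method, url, _status = fields
        if method.upper() != "GET":
            continue
        # urlsplit lowercases the hostname and drops the port
        host = (urlsplit(url).hostname or "").rstrip(".")
        if is_lookup_host(host):
            entry = hits.setdefault(client, {"count": 0, "first_seen": ts})
            entry["count"] += 1
    return hits

if __name__ == "__main__":
    for client, info in sorted(find_ip_lookups(SAMPLE_LOG).items()):
        print(f"{client}: {info['count']} lookup(s), first seen {info['first_seen']}")
```

A hit is a lead for triage rather than a verdict, since legitimate software also queries IP-lookup services.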
