The EMPHASIS ransomware project

EPSRC cross-disciplinary research project in “Human Dimensions of Cyber Security”

£916K, mid 2017-mid 2019

Disciplines: Computer Science, Criminology, Psychology, Economics, Law

Universities: Kent (Hernandez-Castro, Arief), Leeds (Wall), De Montfort (Boiten, Hadlington, Cartwright), Newcastle (McGough), City (Chen), Coventry (Stepanova)

Partners: BT, NCA, DSTL, GMP, Flinders University (Goldsmith), Adelaide (Brewer), Dun Laoghaire IAD (Kirwan), TU Delft (van Eeten).

The central topic is the threat of ransomware. Essential features of this are:

  • a fast-developing threat with high impact – since the WannaCry attack in May 2017 it is evident that this can extend to critical national infrastructure;
  • technological potential for further evolution and sophistication;
  • a “business model” which relies on psychological influencing of victims;
  • high levels of organization and potential high gains for criminals involved.

This project sets out to answer the following questions:

  • Why is ransomware so effective as a crime and why are so many people falling victim to it?
  • Who is carrying out ransomware attacks?
  • How can police agencies be assisted?
  • What interventions are required to mitigate the impacts of ransomware?

In order to do so, the project gathers data

  • from Law Enforcement Agencies,
  • from technical support services and CERTs,
  • through surveys of the general public and SMEs,
  • through interviews with stakeholders,

which will be analysed using script analysis, behavioural analysis, and other profiling techniques, leading to narratives regarding the criminals, the victims, and the typical ransomware scenario. Economic and behavioural models of ransomware will then be constructed and used to improve ransomware mitigation and advice, as well as support for law enforcement.

We aim to advance the knowledge and understanding of ransomware:

  • From the economic point of view: how ransomware works as a business operation, what the critical parameters for its success are, where its weak points are, and how we can use them to evaluate the associated risks and threat levels and limit its profitability.
  • From the technological point of view: the strengths and weaknesses of ransomware “in the wild”, varieties and families, how it can be disrupted, and how it might develop in the future.
  • From the psychological and criminological points of view: profiles of ransomware cybercriminals and their organisation, and ransomware victims.

With this knowledge, we aim to bolster society’s resistance against ransomware: Prevent its success, Pursue the criminals, Protect potential victims, and Prepare organisations and citizens against potential attacks.
