the victim to pay the ransom demand). As such, the main aims of our research were to investigate a range of ransomware splash screens and to address the fundamental research question of whether the design of a ransomware splash screen has any impact on a victim’s willingness to pay. In turn, this information can be used by security researchers and Law Enforcement Agencies to devise ways to persuade ransomware victims not to pay the ransom.
To achieve these aims, we carried out a user study involving an eye tracker and specially selected ransomware splash screens. In our experimental setup, a series of splash screens was presented to each participant while their eye activities were monitored using an eye tracker. Eye-tracking is an established method to understand where individuals are directing their attention when processing information and making decisions (Orquin and Loose, 2013). The participants were then asked whether they would be willing to pay the ransom demand based on the splash screen they had just seen. Their answers were then correlated with the eye-tracking data to see whether any specific characteristics of the splash screen interface had a positive (or negative) effect on the participants’ willingness to pay.
Contributions. Our key contributions are the insights into common types of ransomware splash screens and the suggestion of potential factors that may affect the likelihood of a victim paying the ransom demand. The results from this research can then be used to see where security efforts may be spent to mitigate the threats of ransomware, or even to devise psychological countermeasures to discourage victims from paying.
2 RELATED WORK
The process of ransomware infection can typically be broken down into the three stages of infecting the target, removing functionality or access to data, and finally displaying a ransom note (Gazet, 2010). A more detailed analysis of ransomware deployment stages (Hull et al., 2019) finds that ransomware’s behaviour may be:
• stealthy (it tries to stay undetected while it prepares the groundwork for the attack). Typical operations in this stage include fingerprinting the target device and exploring the possibility of propagation to other systems in the network.
• suspicious (it starts performing operations that damage the victim’s device, but it is likely still undetected by the victim). This includes the process of encrypting valuable data on the victim’s device, and locking functionality of the device.
• obvious (it announces its presence to its victim). At this stage, a ransom note will be displayed, and in some cases, destructive actions may also start.
This paper focuses on the obvious stage of ransomware deployment. In particular, we would like to investigate the effectiveness of ransomware splash screens in persuading victims to pay. We hope that by understanding the cyber psychology of these splash screens, more appropriate countermeasures can be created to discourage ransomware victims from paying.
Current developments in ransomware defence have primarily focused on detection methods that aim to protect users from infection before the loss-of-functionality stage. The majority of antivirus software uses signature-based techniques, in which known malicious code is assigned a signature by disassembling the binary (Mathur and Hiranwal, 2013). When the antivirus examines any new or existing binary on the machine, it checks whether this signature is present and, if so, blocks execution where possible.
Unfortunately, the rate at which new malware is created often exceeds the rate at which signatures are created, leaving machines vulnerable to infection. Behaviour-based techniques are designed to analyse a wide range of parameters and determine if any of them start to respond in a way that resembles known infection behaviour (Mathur and Hiranwal, 2013). Kharaz et al. (Kharaz et al., 2016) introduced a ransomware detection and classification system called “Unveil”, which identifies ransomware by tracking changes made in an artificial environment. An alternative approach by Sgandurra et al. (Sgandurra et al., 2016) proposed an automated program called “EldeRan”, which uses machine learning to classify malicious samples based on dynamic analysis of their behaviour. Key behavioural features are then mapped in order to enable detection of new variants.
At the other end of the ransomware life cycle, Huang et al. tracked Bitcoin ransom payments from victims to the cash-out by the ransomware operators. Their analysis found that 16 million USD had been extorted from 20,000 victims over a 2-year period (Huang et al., 2018).
Game-theoretic models examining whether to pay the ransom (or not) are presented by Cartwright et al. in (Cartwright et al., 2018). The paper compares ransomware to the crime of kidnapping, whereby a criminal takes control of a victim’s device in expectation of some financial gain. It dissects various aspects, from the criminal’s incentives to return files, to the challenges faced by the victim in deciding whether to pay or not due to incomplete information, and even whether the victim should or should not bargain with the criminal.
Designs of ransomware splash screens – whether
Using Eyetracker to Find Ways to Mitigate Ransomware