“I was told to buy a software or lose my computer. I ignored it”: A study of ransomware

Camelia Simoiu, Christopher Gates, Joseph Bonneau, Sharad Goel

Research output: Chapter in Book/Report/Conference proceeding > Conference contribution

Abstract

Ransomware has received considerable news coverage in recent years, in part due to several attacks against high-profile corporate targets. Little is known, however, about the prevalence and characteristics of ransomware attacks on the general population, what proportion of users pay, or how users perceive risks and respond to attacks. Using a detailed survey of a representative sample of 1,180 American adults, we estimate that 2%-3% of respondents were affected over a 1-year period between 2016 and 2017. The average payment amount demanded was $530 and only a small fraction of affected users (about 4% of those affected) reported paying. Perhaps surprisingly, cryptocurrencies were typically only one of several payment options, suggesting that they may not be a primary driver of ransomware attacks. We conclude our analysis by developing a simple proof-of-concept method for risk-assessment based on self-reported security habits.

Original language: English (US)
Title of host publication: Proceedings of the 15th Symposium on Usable Privacy and Security, SOUPS 2019
Publisher: USENIX Association
Pages: 155-174
Number of pages: 20
ISBN (Electronic): 9781939133052
State: Published - Jan 1 2019
Event: 15th Symposium on Usable Privacy and Security, SOUPS 2019 - Santa Clara, United States
Duration: Aug 12 2019 to Aug 13 2019

Publication series

Name: Proceedings of the 15th Symposium on Usable Privacy and Security, SOUPS 2019

Conference

Conference: 15th Symposium on Usable Privacy and Security, SOUPS 2019
Country: United States
City: Santa Clara
Period: 8/12/19 to 8/13/19

Fingerprint

Risk assessment
Malware
Electronic money

ASJC Scopus subject areas

  • Computer Networks and Communications
  • Safety, Risk, Reliability and Quality

Cite this

Simoiu, C., Gates, C., Bonneau, J., & Goel, S. (2019). “I was told to buy a software or lose my computer. I ignored it”: A study of ransomware. In Proceedings of the 15th Symposium on Usable Privacy and Security, SOUPS 2019 (pp. 155-174). (Proceedings of the 15th Symposium on Usable Privacy and Security, SOUPS 2019). USENIX Association.

@inproceedings{1fabe52946d64c80918148ecdcab45b1,
title = "“I was told to buy a software or lose my computer. I ignored it”: A study of ransomware",
abstract = "Ransomware has received considerable news coverage in recent years, in part due to several attacks against high-profile corporate targets. Little is known, however, about the prevalence and characteristics of ransomware attacks on the general population, what proportion of users pay, or how users perceive risks and respond to attacks. Using a detailed survey of a representative sample of 1,180 American adults, we estimate that 2{\%}-3{\%} of respondents were affected over a 1-year period between 2016 and 2017. The average payment amount demanded was \$530 and only a small fraction of affected users (about 4{\%} of those affected) reported paying. Perhaps surprisingly, cryptocurrencies were typically only one of several payment options, suggesting that they may not be a primary driver of ransomware attacks. We conclude our analysis by developing a simple proof-of-concept method for risk-assessment based on self-reported security habits.",
author = "Camelia Simoiu and Christopher Gates and Joseph Bonneau and Sharad Goel",
year = "2019",
month = "1",
day = "1",
language = "English (US)",
series = "Proceedings of the 15th Symposium on Usable Privacy and Security, SOUPS 2019",
publisher = "USENIX Association",
pages = "155--174",
booktitle = "Proceedings of the 15th Symposium on Usable Privacy and Security, SOUPS 2019",

}

TY - GEN

T1 - “I was told to buy a software or lose my computer. I ignored it”

T2 - A study of ransomware

AU - Simoiu, Camelia

AU - Gates, Christopher

AU - Bonneau, Joseph

AU - Goel, Sharad

PY - 2019/1/1

Y1 - 2019/1/1

AB - Ransomware has received considerable news coverage in recent years, in part due to several attacks against high-profile corporate targets. Little is known, however, about the prevalence and characteristics of ransomware attacks on the general population, what proportion of users pay, or how users perceive risks and respond to attacks. Using a detailed survey of a representative sample of 1,180 American adults, we estimate that 2%-3% of respondents were affected over a 1-year period between 2016 and 2017. The average payment amount demanded was $530 and only a small fraction of affected users (about 4% of those affected) reported paying. Perhaps surprisingly, cryptocurrencies were typically only one of several payment options, suggesting that they may not be a primary driver of ransomware attacks. We conclude our analysis by developing a simple proof-of-concept method for risk-assessment based on self-reported security habits.

UR - http://www.scopus.com/inward/record.url?scp=85076087964&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=85076087964&partnerID=8YFLogxK

M3 - Conference contribution

AN - SCOPUS:85076087964

T3 - Proceedings of the 15th Symposium on Usable Privacy and Security, SOUPS 2019

SP - 155

EP - 174

BT - Proceedings of the 15th Symposium on Usable Privacy and Security, SOUPS 2019

PB - USENIX Association

ER -