What is the Relationship Between Ransomware and Phishing?

Ransomware and phishing are usually put in two separate categories when cyberattack methodologies are discussed. However, ransomware operators are increasingly leveraging phishing tactics to deploy their malicious payloads, and the potential for compromise is exponentiating as a result.  

Ransomware and Phishing - a match made in heaven 

Phishing is the number one delivery vehicle for ransomware, states risk management firm Deloitte. Industry sources agree, and phishing was identified as the primary vehicle for ransomware in Coveware’s Q4 2020 Quarterly Ransomware Report. It beat out RDP (Remote Desktop Protocol) as the top initial attack vector, once the remote work avalanche of 2020 died down, and has since moved up as the fastest way to get malicious code in front of an organization. 

In a recent survey, it was revealed that a staggering 78% of organizations experienced one or more ransomware attacks in 2021, 68% of which stated that the attack originated from a direct email payload, second-stage malware delivery, or similar cause. And, IBM’s Cyber Resilient Organization Study noted the top three causes of ransomware that year as social media (19%), malicious websites (22%), and phishing (45%).  

The logic? Phishing emails are easy to send and lure the unsuspecting victim in with minimal awareness of an attack. The carefully crafted device of a social engineering scheme, the emails are customized to specific targets and appear to be from legitimate, even familiar, senders. Faced with unmanageable email volumes, even many once-careful users fail to scrutinize incoming mail and note small changes that would otherwise be suspicious red flags. Once the victim opens an email from their “bank” or “internet service provider” and confirms a few account details – or even just clicks into the malicious fake site – the payload detonates and the work of stealing and/or encrypting sensitive data begins. Once this work is completed, users are locked out and a ransom note appears.   

Phishing on Social Media 

While popularly exploited on email servers, phishing attacks are not confined to inboxes. One of the rising vectors, as noted by the IBM study, is social media. Collaboration tools like Teams and Slack are prime grooming places for establishing trust and exploiting “coworkers”. Online spaces like LinkedIn are particularly vulnerable to facilitating attacks; as platforms built for connecting with strangers, they encourage direct messages which often contain links to shared professional interests. Many of those links are credible – some are not.  Unfortunately, with ransomware one click is all it takes.  

Ransomware operators also glean the personal information shared on social networking sites to craft a more custom-built attack. The authenticity and believability of many of the messages - “Hey Don, it was great talking to you at DEF CON. Here’s that link I was telling you about” - can fool even the most savvy. And, as Deloitte states, “many users are simply not sufficiently skeptical when it comes to receiving requests to do things like transfer funds, open attachments, or provide sensitive information.”  

Unfortunately, users don’t even have to engage to be at risk. A ransomware tool discovered in 2016 scraped the social media accounts of its victims to create personalized campaigns, ironically threatening to see its users in court if the ransom was not paid. Security researchers similarly noted Facebook-centered ransomware activity, allowing attackers to embed malicious code into uploaded image files which a misconfiguration then forced users to download.  

AI-Powered Ransomware 

The one saving grace is that customizing ransomware phishing attacks is time-consuming work. It requires human effort and insight and is difficult to scale. However, Artificial Intelligence could close the gap that makes even that automatable before long. "We have already seen [ransomware groups] hire pen testers to break into networks to figure out how to deploy ransomware. The next step will be that they will start hiring ML and AI experts to automate their malware campaigns," said cybersecurity expert Mikko Hyppönen. Mark Driver, a research vice president at Gartner, says this could mean an even greater acceleration of attacks. "It's not worth their effort if it takes them hours and hours to do it manually,” he explains. “But if they can automate it, absolutely." The bottom line? “It's terrifying.” 

The danger is not only AI-powered ransomware models, but AI-driven deepfakes that can impersonate legitimate sources and make phishing attempts that much more convincing. Reported cases of face- and voice- altering AI technology increased by 13% last year, and 66% of surveyed cybersecurity professionals reported seeing one in the past twelve months. Deepfakes in cyberattacks aren't coming, they're already here. 

Prevent Phishing Attacks and Ransomware 

One industry report noted that the number of ransomware attacks doubled year-over-year in 2021, and we are reminded that nearly 80% of organizations experienced at least one attack. This makes for very dire predictions. However, the best defense is a good offense and several offensive strategies exist for mitigating ransomware attacks.  

Criminals aren’t the only ones who can hire pen testers. Probing your environment for weak spots is one of the best ways to stress test your environment before attackers can take advantage of vulnerabilities. Given the fact that 82% of breaches are attributable to the “human element” – a healthy portion of error included – it’s next to inevitable that despite an organization’s best efforts, a phishing attempt will succeed sometime. When it does, malware will infiltrate the network looking for systems to exploit and data to exfiltrate. Red teaming, attack simulation, and black box fuzzing allow your team to see what’s possible to attackers before they do.  

Email security and anti-phishing measures need to be combined with an offensive security strategy for the best defense-in-depth approach. Together, they focus on preventing ransomware payloads from detonating and harming your network.