Ransomware Attacks: Why Email Is Still the #1 Delivery Method
Adrien Gendre
—June 16, 2022
—5 min read
Ransomware attacks have been on the rise since 2019 and peaked during the pandemic in 2021, when 68 percent of organizations globally reported they had experienced a ransomware attack. In the same year, ransomware payments by victims increased by 70 percent in the US.
While many businesses and government agencies that experience a ransomware attack remain tight-lipped about the cause, many have admitted that infections resulted from employees clicking on phishing emails. In a worldwide survey of MSPs, Statista found that 54 percent of attacks originated from a phishing or spam email.
There are other ways to unleash ransomware, including remotely with RMM software, as was the case with many high-profile attacks on MSPs. But a remote attack requires a level of sophistication that not all hackers possess. This makes phishing the easiest method of delivery and fastest route to payoff.
Phishing emails are easy to create
It doesn’t take a high level of skill to create a phishing email. To create the illusion of legitimacy, hackers mimic a brand’s look and feel by using brand images and logos from the target brand’s website or Google images. To spoof an email address, hackers can easily add their desired display name to any email address, known as display name spoofing. Or they can create a new address that is strikingly similar to a brand’s address, known as a close cousin.
To make things simpler for the hacker, phishing kits can be purchased online. A typical phishing kit includes all the necessary components of a phishing attack, including a fraudulent webpage and tools that both make the webpage appear legitimate and assist in evading detection. Some kits even identify targets, create the phishing email, and collect data. Phishing kits are available as a one-time purchase and as a subscription model known as phishing-as-a-service (PhaaS), which includes a license to use the software for a set time frame, similar to any other SaaS model.
To bypass an email filter, hackers have a host of tools at their disposal—many of them free. Bitly, a URL shortener, can be used to create an email alias of the phishing URL, tricking filters that scan for blacklisted URLs. Another trick is to create a URL redirect from a legitimate URL to a phishing URL. Hackers scan for websites that have open redirects, insert them into phishing emails, and then redirect them to phishing pages after the email has been delivered.
Ransomware kits are cheap and ready to deliver
For around $500, an exploit kit containing malware can be purchased online. This reduces the level of effort for the hacker and makes the attack that much easier to deploy via email. Plus, many kits come with a license—typically three months—so hackers can launch as many attacks as they can manage in that time frame.
Some of the most notorious and damaging malware are available for purchase online. Some, including Robbinhood, the ransomware used in the attacks on the City of Baltimore, are available as ransomware-as-a-service (RaaS).
Like PhaaS, RaaS is a subscription offering that includes everything a hacker needs to launch an attack. Additionally, some services include additional tools unique to ransomware, including dashboards that show real-time reporting of a ransomware attack in motion. Under the RaaS model, the RaaS distributor receives a portion of the ransomware proceeds.
Emotet, the malware used as the launch pad for Ryuk ransomware, is also for sale, after a brief hiatus in 2021. Ryuk is thought to be responsible for the December 2019 ransomware attack on the City of New Orleans. It was delivered via a link in a phishing email, according to city officials, and it cost the city well over the $3 million it currently pays for cyber insurance. Ryuk has since evolved into Conti ransomware, both likely developed by Russian cybercrime gang Wizard Spider.
Social engineering helps hackers craft the perfect email
CEOs and CISOs aren’t likely to fall for a phishing email—with exceptions. However, a new employee who isn’t familiar with a business is more likely to be fooled by phishing. Hackers can easily find information about employees online, especially on social media platforms.
A LinkedIn profile tells a hacker which employees are new or inexperienced. It also reveals an employee's job position and duties, which helps the hacker determine what types of emails the victim might respond to, whether a warning from Microsoft that the Microsoft 365 subscription hasn’t been paid or a notification from a bank saying suspicious activity has been detected. Each is meant to cause alarm and an immediate reaction. Employees that aren’t trained to spot the signs of phishing might not think twice before clicking a phishing link.
Email attachments and shared files deliver the ransomware attack payload
Many email filters don’t scan for links in email attachments—this makes hiding a phishing link in an attachment an easy way of concealing a phishing URL from an email filter. A popular method of delivering ransomware-laden attachments is via invoice phishing. The user believes they’ve received an invoice from a colleague or vendor. A link in the attachment downloads malware at the time of click. In other cases, the ransomware download begins automatically when the attachment is opened, often via macros in Word docs and PDFs or malicious scripts in .zip files.
Another method of launching a ransomware attack is through fake file-sharing notifications, such as SharePoint and OneDrive. The user receives a spoofed email impersonating either a colleague or a file-sharing service. The OneDrive or SharePoint link leads to a document containing the phishing link. In some cases, the link points to a phishing site that delivers the ransomware via drive-by download. In other cases, the link itself delivers the payload.
Sometimes, email is just the beginning
Savvy email users who have been properly trained know how to spot a spoofed email address. It’s not always easy to do, but often there are tell-tale signs, and it makes a phisher’s job that much more difficult. That’s why they’ve resorted to multiphase attacks, which begin with a phishing email and morph into insider attacks that leverage spear phishing.
Once a hacker has company credentials, such as a Microsoft 365 login, they can send internal emails with legitimate accounts and spear phish employees from the inside. Employees believe they’re communicating with colleagues, and sometimes even their managers. This allows a hacker to do more damage than possible when phishing from the outside.
A hacker could be in the system for months without detection, learning about the organization and its processes, gathering intel for future attacks, and carrying out incremental financial transactions that could go unnoticed if the amounts are small. If the hacker eventually decides to progress to ransomware or other malware variants, then the damage is already done.
How to prevent a ransomware attack
Most ransomware attacks begin with a phishing email, making phishing training critical to protecting your business. It will make your staff more diligent and likely to think twice before clicking on links and opening attachments. But we all have moments of weakness, and phishers are counting on us to slip up every once in a while. When that happens, you need technology that looks beyond the obvious signs of phishing, including:
- Following phishing URLs to their final destinations, scanning for shortened links and redirections, and scanning webpages for malicious content.
- Parsing PDFs, Word docs, and .zip files in real-time, examining links hidden in attachments and malicious code that obfuscates ransomware/malware code.
- Scanning shared files, such as SharePoint and OneDrive, for phishing and malware links.
- Analyzing files from services like Evernote and OneNote, for malicious links.
- Identifying remote images and images, logos, and QR codes that are manipulated to make a blacklisted phishing email look like a unique email.
MSPs have become a huge target for ransomware groups looking to infiltrate MSP clients, particularly in the government sector. Growing in sophistication, ransomware must be met with equally sophisticated technologies that are one step ahead of the criminals working to outsmart them.