Ransomware Attacks via email: How do they work, and how to stop them?
Ransomware email attacks are getting more sophisticated and dangerous all the time, but a surprising number of attacks still leverage email phishing schemes. In fact, phishing is still the most common ransomware attack vector.
The continuing danger of ransomware email phishing attacks means it’s worth taking some time to learn how they work and what you can do about them. One reason phishing attacks are so dangerous is that technical defenses alone often cannot stop them. Phishing attacks exploit human error, so the best defense is good education.
What is ransomware email phishing?
Email phishing is when a hacker tries to trick you into giving them access to your system. This almost always involves deception of some kind.
This deception will usually involve impersonating a trusted person or company, offering something that you want, or trying to scare you.
This almost always involves getting the victim to click a malicious link or open an attachment. In the early days, these attachments were usually .exe files, but now the payload can also be hidden in .pdf or .doc files.
Clicking the link or opening the attachment may install malware on your system, or it may trick you into entering login credentials at a fake website.
Once the hackers steal your account credentials or install malware on your system, they can work toward getting more and more control over your network. If the attack is not stopped in time, and if internal security measures fail, this can end in a catastrophic ransomware attack.
Types of email phishing
There are many kinds of email phishing, and hackers are developing new methods all the time. Here are a few of the more common types.
- Government impersonation. In government impersonation attacks, the hacker pretends to be some kind of government agency demanding information or asking you to pay a fine. This type of attack is usually targeted at individuals, often claiming that they have been caught looking at underage pornography. They may also claim that you are eligible to receive some kind of government benefits.
- Imitating a friend, family member or colleague. This type of email phishing can be one of the most dangerous. Sometimes hackers can gain access to the email account of a trusted person close to the target. They may observe the writing style and communications for days or weeks so that they can send an email which seems like an ordinary email you would get from them. With the victim’s guard down, they can more easily convince them to click a malicious link or open an attachment.
- Impersonating a company or bank. Phishing emails will often impersonate a company that you trust. It could be an online service or a bank sending an alert about your account being compromised or about an unauthorized withdrawal. It might include a link which looks very similar to the company’s real URL, with only a small difference in spelling. In some cases, the website might look exactly like the company’s website, and contain a form asking for information or a login screen. When you fill out the form, malware is installed on your device, or your credentials are stolen.
- Variants of the Nigerian prince scam. Many phishing scams will try to attract you with the claim that you can get something valuable. The classic scam emails from a Nigerian prince who needs your help to unlock a safe filled with gold are the original example of this. Other variants might include an email claiming you won a contest and are eligible to receive a new iPhone for free, or anything else that sounds too good to be true.
What is “spear phishing?”
Classic phishing attacks are often used to spread viruses, and they work by spamming a huge number of emails to random recipients. If a hacker or scammer delivers emails to 100,000 people, it’s likely that a few of them will fall for it, no matter how obvious it seems.
“Spear phishing” is much more targeted and harder to detect. Spear phishing may sometimes involve “man in the middle” attacks. For example, if you are expecting an email from your boss, the hacker could intercept the actual email, add a malicious attachment, and then forward a slightly modified version with instructions to check the attachment.
Phases of ransomware email phishing
More complex ransomware attacks have multiple phases. At first, attackers might gain access through a careless action by an employee. Once inside the network, they may gain access to other accounts, and then use them to conduct additional phishing attacks and obtain higher-level credentials.
It’s not an exaggeration to say “trust no one” when it comes to email phishing.
How to prevent email phishing
The most important thing for preventing email phishing is education. If employees have strong awareness of how phishing works and what it looks like, they are much less likely to fall into traps.
This means training employees, and the training should be tailored to the employee’s role. For example, everyone who is connected to the network should have some level of training, but employees who have higher access levels or spend more time on the network than others should receive additional training.
Anti-phishing software can be helpful. Programs like Ironscales or Microsoft Defender can help to detect many phishing emails, but they are not 100% effective. Hackers are constantly developing ways around cybersecurity software, so it’s not possible to rely completely on technology.
Finally, it’s important to have good anti-phishing practices in place and ensure these are followed closely. This includes:
- Strong separation of devices used at work and at home.
- Exercising caution with pop-ups.
- Double-checking URLs.
- Keeping browsers updated.
- Verifying personally with colleagues before opening attachments.
- Using email encryption for internal emails.
- Whitelisting websites needed for work and requiring extra authorization to access other URLs.
- Using strong passwords.
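The lookalike URLs described under "Impersonating a company or bank" (a link that differs from the real domain by only a small spelling change) are something a mail gateway or a help-desk triage script can flag automatically, which supports the "double-checking URLs" practice above. The following is an added example, not code from the original article or from any product it names. It extracts the links from an email body and compares each link's host against a constructed list of trusted domains, flagging hosts that are within a small edit distance of a trusted domain (after undoing common digit-for-letter substitutions) or that embed a trusted domain as a subdomain of something else. The trusted domains, the sample email and the `attacker.test` host are all constructed for this example, and the "registrable domain" helper is a simplification that ignores multi-part TLDs such as `.co.uk`.

```python
"""Added example: flag lookalike links in an email by comparing each link's
host against a list of trusted domains. The trusted list and the sample email
are constructed for this example and are not from the original article."""
import re
from urllib.parse import urlparse

# Constructed list of domains this organisation considers trusted.
TRUSTED_DOMAINS = ["example-bank.com", "example.com"]

# Common digit-for-letter substitutions seen in typosquats (simplified map).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

# Constructed sample email body with one trusted link, two lookalikes and
# one unrelated link. attacker.test is a placeholder host, not a real site.
SAMPLE_EMAIL = """Your account has been locked. Verify now:
https://secure.example-bank.com/login
https://examp1e-bank.com/login
https://example-bank.com.verify-login.attacker.test/
https://news.some-site.org/article"""


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (standard dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def registrable(host: str) -> str:
    """Last two labels of the host. Simplification: ignores multi-part TLDs."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def normalise(label: str) -> str:
    """Undo digit substitutions and the 'rn'->'m' / 'vv'->'w' confusables."""
    return label.translate(CONFUSABLES).replace("rn", "m").replace("vv", "w")


def classify_host(host: str, trusted=TRUSTED_DOMAINS) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for a link host."""
    host = host.lower()
    for t in trusted:
        if host == t or host.endswith("." + t):
            return "trusted"
    reg = registrable(host)
    for t in trusted:
        # Trusted brand used as a label inside an unrelated domain.
        if t in host and reg != t:
            return "lookalike"
        # Small spelling change from the trusted registrable domain.
        if levenshtein(normalise(reg), normalise(t)) <= 2:
            return "lookalike"
    return "unknown"


def check_links(body: str, trusted=TRUSTED_DOMAINS):
    """Return (url, verdict) for each http(s) URL found in the email text."""
    results = []
    for url in re.findall(r"https?://[^\s<>\"')]+", body):
        host = urlparse(url).hostname or ""
        results.append((url, classify_host(host, trusted)))
    return results


if __name__ == "__main__":
    for url, verdict in check_links(SAMPLE_EMAIL):
        print(f"{verdict:9s} {url}")
```

Treat a "lookalike" verdict as a triage signal rather than an automatic block: a legitimate partner whose domain happens to be one or two characters away from a trusted one will also be flagged, so the practical use is to route such mail for a second look (or to warn the recipient) before the link is clicked.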
A company that implements these measures will be a much tougher nut to crack for ransomware threat actors.