Understanding the Connection between Ransomware and Email


Email is one of the most common delivery vectors employed by ransomware attackers today. Deloitte went so far as to specifically label phishing emails as “the number one delivery vehicle for ransomware,” noting that “the main purpose of most phishing emails today is to deliver, directly or indirectly, some form of ransomware.” Given that assessment, it is small wonder that nearly half of companies that reported phishing attacks ultimately experienced a ransomware infection, as reported by Cybersecurity Dive.

Such a finding raises an important question: why is email so prevalent in ransomware attacks? What is it about phishing emails that makes them a preferred ransomware delivery vector?

Phishing – One of the Most Common Social Engineering Attacks

The answer has to do with what phishing campaigns are and aren’t. Email-based attacks are not technical in the way that other campaigns are. Some might incorporate technical elements like macro code that exploits a software vulnerability into their attack chain. But even then, most email attacks don’t execute their malicious functionality as soon as they reach an employee’s inbox. Instead, they often require recipients to interact with the email messages and/or their attachments in some way.

Such is the nature of social engineering attacks: malicious activity that depends on human input. Social engineering is designed to prey upon human weakness rather than to rely on exploit code or cracking techniques. In that sense, technical controls are less effective once an attacker has reached an authorized user’s inbox, because the decisive step is the user’s own action rather than a software flaw.

Malicious actors know this, which is why they turn to social engineering tactics so often—and not just for email-based campaigns. In its 2021 Data Breach Investigations Report, Verizon Enterprise found that social engineering was the most widely used pattern in data breaches and the third-most widely used pattern in security incidents over the course of 2020. Consistent with that finding, the security firm observed that 85% of data breaches involved a human element.

Even so, email is a special kind of social engineering given its prevalence among attackers. Every user has an email account, a reality which makes each of them a target. That explains why phishing attacks accounted for most of the 2020 data breaches involving social engineering, noted Verizon Enterprise, with business email compromise (BEC) scams not far behind.

So, Why Is Ransomware an Effective Form of Social Engineering?

Ransomware is unlike other forms of malware in that it doesn’t hide forever. By design, it reveals itself at some point, and it relies upon all the feelings that go along with discovery—fear, disbelief, and urgency, to name a few—to motivate victims to pay. Data encryption and theft are not enough on their own. A ransomware attack isn’t successful unless those responsible get paid, and no one will get paid unless they have some sort of interaction with the victim.

Using email to deliver a digital threat as socially charged as ransomware is therefore only fitting. In 2020, the Zix | AppRiver team witnessed ransomware actors leveraging email as their delivery vector for several campaigns. One such operation made news in June for using the promise of a fake photo to trick recipients into infecting themselves with Avaddon ransomware, for instance.

Defending Against an Email-Borne Ransomware Attack

Organizations can use security awareness training to cultivate their employees’ familiarity with phishing attacks. But they can’t train them on every lure that they might encounter in an email attack. That’s why it’s in organizations’ interest to invest in an email security solution that’s capable of scanning incoming messages for malware signatures and other threat indicators, all while allowing legitimate correspondence to reach its intended destination.

Learn how the email threat protection tools of Zix | AppRiver can help organizations stay safe against an email-borne ransomware attack.