How Hackers Combine Phishing and Ransomware to Attack Your Business

Phishing and ransomware may be separate threats, but hackers combine them in clever ways to increase their chances of success and to cause as much damage as possible.

In case you aren’t clear what these terms mean, let’s spend a second to clear up any confusion.

Phishing is an attempt by malicious actors at deceiving users to hand over sensitive information or install harmful software programs and viruses (also known as malware) on their devices.

Ransomware is a form of malware that encrypts data stored on a device. Hackers will demand payment in return for removing the ransomware and restoring the device to normal.

Ransomware can only be installed when someone either does something maliciously or by mistake. For instance, an employee can install malware by opening a harmful file or by clicking a suspicious link and surrendering login credentials.

In both cases, a phishing email is the most likely method of transmission. There are other ways hackers can infect your business’ IT infrastructure with malware, but email is by far the most common. In fact, 91% of all cybercrimes begin with email, according to PhishMe research.

The Evolving Threat of Ransomware

Ransomware attacks used to be a pain for businesses that didn’t have sufficient disaster recovery plans. As long as you kept regular backups, however, it was fairly simple to restore the old system and remove the malware. There was no need to pay hackers or lose access to your data.

Today’s ransomware attacks are much more malicious.

Attacks have evolved to the point where backups alone aren’t enough. Now when you get hit with a ransomware attack, you won’t even know about it. Instead, the software will run quietly in the background, harvesting any data it considers valuable.

After a period of time (anywhere from a couple of days to a couple of months), the ransomware will reveal itself and encrypt your device. The hackers will then demand payment to unencrypt your device whilst also threatening to release or sell all of the sensitive data they have gathered up to that point.

There is almost nothing you can do to prevent the release of this data. Even if you do pay the ransom, you have no guarantee that the data won’t be released anyway. All you can do is stop it from happening in the first place.

If you are any kind of business that holds sensitive information about clients or customers, these attacks could have severe and wide-ranging implications for your business that include regulatory penalties, fines and lost reputation.

It All Starts With a Phishing Email

There’s little you can do to recover data that has already been stolen, but you can stop ransomware attacks at the source.

If you can stop employees from being tricked by phishing emails or clicking malicious links, you can significantly reduce the majority of ransomware attacks on your business. You will also reduce the amount of other attacks, too. Phishing emails have a very wide risk profile and are designed to exploit any weakness within your company’s security posture. On top of ransomware attacks, malicious actors can also use stolen credentials to change payment details, siphon funds from your bank accounts and send malicious emails to your customers.

Stopping phishing emails is easier said than done, however. The trouble is hackers design these emails in a way that can deceive anyone who isn't aware of the potential threats emails pose.

Phishing emails use several social engineering techniques to trick employees into handing over login details or installing malware on business devices. For one, they mock the design, messaging and email addresses of large, well-known companies like Microsoft, Facebook and eBay.

Secondly, they will be written in a way that encourages the user to take action like requesting they change their password, log back into a platform or download an attachment. Any credentials entered will be stolen. If attachments are downloaded or links are clicked, malware is likely to be installed.

Fight Phishing With Ongoing Training to Remove the Threat of Ransomware

The key to keeping your business safe from ransomware attacks is to stop phishing attempts in their tracks. There are many ways your business can fight these attacks, but we believe one of the most effective ways is through ongoing employee training.

A strong firewall, a secure email account and managed email screening will stop the vast majority phishing emails from getting through, if not all of them. Similarly, multifactor authentication (MFA) can limit the impact of successful phishing attempts by making it harder for attackers to access business accounts. But you’ll never be able to guarantee that one malicious email won’t slip through.

The only surefire way to protect your business is to make sure your employees have a great awareness of these attacks and keep their guard up constantly. Random emails should be met with suspicion as default and employees should be trained not to open any email they distrust.

The problem is that no one believes they will click on malicious links during training sessions where they are primed to notice these attacks. Worse still, employees can become resistant to any further training and much more likely to practice poor email hygiene as a result.

That's why the first step for any business is to assess the size of threat you face and make employees aware of the risks. We recommend businesses do so by undertaking a simulated phishing campaign with all of their employees, tracking who opens each email, who clicks on any links and who downloads attachments.

This isn't a witch hunt or an exercise designed to call employees out. It's about understanding whether there is an existing problem in your businesses, identifying how big that problem, and showing your employees they are more susceptible than they might think.

Once you’ve identified there’s an issue, you’ll want to set up an automated and unobtrusive security awareness training programme that keeps the threat of phishing emails in the forefront of your employees’ minds.

We provide our clients with short, interactive videos complete with quizzes to make sure employees have grasped the key concepts. These training sessions are also trackable, so you can identify which employees are completing training and prove to regulators that you are fulfilling your requirements.

You Are a Target of Phishing Campaigns. We’ll Prove It.

Having reached the end of this article, you are probably in two minds. Either you understand that phishing emails pose a significant risk to your business and are prepared to do something about them, or you don't believe you are at risk. Maybe you're too small to worry about, your employees are too smart or your IT system is already secure.

Many business owners fall into the latter category. If that’s you, we hope the facts below will change your mind:

• Small businesses are a huge target. An FSB survey found that small businesses are subjected to upwards of 10,000 attacks a day.
• Your employees are prone to fall for these emails. KnowBe4’s 2018 Phishing By Industry Benchmarking Report found an average of 27% of employees were at risk of falling for phishing scams.
• Phishing attempts are becoming more common. A 2019 APWG Phishing Activity Trends Report found that phishing attacks have reached their highest level in three years.

Still don’t believe us?

We've worked with dozens of businesses who thought they weren't at risk of attacks and had never been hacked before. Yet time after time, we have been able to find their business credentials for sale on the dark web.

When we ran a search recently for a client we found 127 cases of login credentials for sale online Some of these credentials were still used regularly by the business and were at serious risk of being breached.

Want to take the challenge yourself and discover if your business data is for sale on the dark web? Enter your details into our contact form quoting “Phishing Campaign” or start a conversation with one of our live chat operatives.

Get Peace of Mind for Your Organisation’s Security

If you’re serious about protecting your business from phishing, we are able to create and administer a simulated phishing campaign and provide an ongoing, automated security awareness training programme for your staff. Send us a message or speak to one of our live chat operatives to get started.