Ransomware – an Essential Security Awareness Training Topic
Today's cyber threats rely on human interaction, not just technical exploits. Research from Unit 42 shows that more than 75% of ransomware is delivered by email and about 20% through web browsing. Ransomware operators often rely on social engineering—and human nature—to compromise users and launch their attacks. It's critical that every single employee of an organisation understands what ransomware is, how to recognise it, and what actions they can take against these highly disruptive attacks.
What is ransomware?
Ransomware has historically been used as a term to describe a piece of malicious software that facilitates extortion by encrypting and removing access to critical data, until the victim pays a ransom. But in 2023 that has evolved: attackers no longer rely on broad distribution and small ransom amounts. Instead, ransomware gangs now often collaborate with other malware distributors, who provide access to systems already infected with Trojans and loaders for prospecting, reconnaissance, and attack. This approach allows criminals to identify high-value targets with more to lose from disruption and more capacity to pay.
Ransomware typically works by blocking access to a computer system or data, usually by encrypting files. Systems and files remain out of reach until the victim pays the attacker the required ransom. In many cases, the payment demand comes with a deadline. If not met, that ransom can double, or the data can be lost forever, leaked, or even destroyed. In an increasing number of cases, victims are extorted multiple times: first for an encryption key to unlock their data, and then to prevent the attackers from releasing or selling their data, which has also been exfiltrated, online.
Ransomware infections can occur when a user unknowingly downloads the malware onto their computer by opening an email attachment, clicking on an ad, following a link, or even visiting a website that's embedded with malware.
Usually, the attacker requires a ransom payment in cryptocurrency, such as bitcoin, because it's harder to recover. In many cases, the ransom demand comes with a deadline. If the victim doesn't pay in time, the data is gone forever, the ransom increases, or the attackers publish the data. When dealing with a particularly unscrupulous attacker, the victim may pay the ransom and still lose the data.
Ransomware attacks have become more prevalent in recent years—likely because of the opportunity for attackers to profit royally from these incidents. In our own research for the "2022 State of the Phish" report, Proofpoint learned that:
- 78% of organisations saw email-based ransomware attacks in 2021
- 68% of organisations were infected by ransomware
- 58% of infected organisations paid a ransom
Ransomware is a costly, disruptive cyber threat that organisations must address in their security awareness programs. Paying ransoms, while sometimes unavoidable, only encourages attackers to repeat their behaviour—and helps fund the next attack. A better approach is to prevent ransomware from taking hold in the first place. The opportunity to increase user awareness of the ransomware threat is high given that 31% of adult users assessed by Proofpoint said they don't know what ransomware is and about one-third identified it incorrectly.
How users can help to prevent ransomware
Ransomware is a people-centric threat—so users play a significant role in protecting themselves and their organisations from this cyber attack. Attackers are constantly evolving their tactics, so even technical controls and the efforts of IT security teams can't prevent all malware threats from reaching users.
To help users become successful defenders against ransomware, Proofpoint's "3 Weeks of Cybersecurity Best Practices for '23" program can be an important first step. It provides three weeks' worth of cybersecurity best practices and educational assets that IT security professionals can share within their organisations to help people become more knowledgeable about cyber threats so they can:
- Avoid falling for ransomware attacks
- Stay safe when working from home
- Remain vigilant against phishing lures
Here are also some quick dos and don'ts when it comes to ransomware.
DON'T click on, download attachments from or reply to suspicious emails.
Look carefully for signs that a message might be suspicious. Ask yourself:
- Is this communication normal—and, if not, was I expecting it?
- Is this message from someone I don't know or haven't communicated with before?
- Does the message contain unexpected content?
- Does the sender attempt to create a sense of urgency or fear? (For example: "Click now or we will lock your account.")
- Does the message ask me to reset my account or enter my credentials?
- Does the sender ask me to provide data, whether sensitive or not?
- Does the message want me to take some type of action? (For example: "Can you call me?" or "Can you update these details?")
DO understand that not all malicious emails will be overtly suspicious.
Attackers will often use well-known brands or try to make the message appear as if it's coming from someone you know and trust, like your colleague or manager. To avoid missteps, consider:
- Calling or texting your colleague to confirm that they sent the message.
- Using a search engine to navigate to the vendor's website to verify the communication or request originated from that vendor.
DON'T browse suspicious websites or download suspicious applications.
Here are three tips on this recommendation to share with users receiving ransomware security awareness education:
- If a website sounds too good to be true—like offering unlimited free music, movies and apps—it probably is and could even be malicious.
- Know that applications, even those found in popular app stores, can still be malicious. Use caution and look for apps from well-known publishers with a high number of downloads.
- Plug-ins for browsers, email or other applications can be just as dangerous as malicious applications. Check with the IT department before downloading and using any plug-ins.
DO report anything suspicious—even if you made a mistake!
It's always best to let the IT or security team know if something went wrong, such as:
- You received a suspicious email that may be a phishing email.
- You received an email that looks like it's from a colleague but seems suspicious or unexpected.
- You accidentally clicked on a link, filled in your credentials, or downloaded an attachment and realised it may be malicious.
- You visited a website that seemed legitimate, but afterward, sensed something wasn't right.
For more tips on ransomware preparedness, check out the Proofpoint Ransomware Survival Guide.