Ransomware is more than three decades old but remains one of today's most disruptive types of cyber attack.
This category of malware—which gets its name from the payment it demands after locking away victims' files— can be traced back to 1989, when an evolutionary biologist unleashed the "AIDS virus" via floppy disk in a scheme to extort funds from AIDS researchers in 90 countries. Recipients were instructed to mail their payments—which the attacker referred to as "licensing fees"—to a P.O. box in Panama. Once payment was received, a decryption key would be mailed back to the users. The attacker profited little from this escapade and was eventually arrested.
Since then, ransomware attacks have greatly evolved. They are often sophisticated campaigns with far-reaching impacts and multimillion-dollar payouts. Ransomware attacks can also have devastating consequences when they target critical infrastructure and services, like healthcare, law enforcement and energy—as they increasingly do. This threat type is also considered a national security issue, as many attackers are associated with or bankrolled by nation-state threat actors. In fact, victims of ransomware in the United States are encouraged to report ransomware incidents to the U.S. government.
Ransomware attacks have become more prevalent in recent years—likely because of the opportunity for attackers to profit royally from these incidents. Research from Palo Alto Networks Unit 42 found that the average ransom demand rose 144% in 2021 to $2.2 million, and the average payment increased 78% to $541,010.
And in our own research for the "2022 State of the Phish" report, Proofpoint learned that:
- 78% of organisations saw email-based ransomware attacks in 2021
- 68% of organisations were infected by ransomware
- 58% of infected organisations paid a ransom
Ransomware is a costly, disruptive cyber threat that organisations must address in their security awareness programs. Paying ransoms, while sometimes unavoidable, only encourages attackers to repeat their behaviour—and helps fund the next attack. A better approach is to prevent ransomware from taking hold in the first place. The opportunity to increase user awareness of the ransomware threat is high given that 31% of adult users assessed by Proofpoint said they don't know what ransomware is and about one-third identified it incorrectly. (See the results of this assessment in our "2022 State of the Phish" report.)
About this series
Today's cyber threats rely on human interaction, not just technical exploits. In fact, research for Verizon's 2022 "Data Breach Investigations Report" found that 82% of data breaches involve the human element. As the report states, this reality "puts the person square in the centre of the security estate." Attackers use social engineering to trick people into clicking unsafe URLs, opening malicious attachments, entering their credentials, sending sensitive data, transferring funds and more.
This is the fifth instalment in our six-part blog series covering topics that all organisations should address in the security awareness training they provide to users during Cybersecurity Awareness Month in October—and all year-round. Here are the security awareness training topics this series covers:
4. Social media
6. Insider risk
Research from Unit 42 shows that more than 75% of ransomware is delivered by email and about 20% through web browsing. Ransomware operators often rely on social engineering—and human nature—to compromise users and launch their attacks. It's critical that your users understand what ransomware is, how to recognise it and what actions they can take against these highly disruptive attacks.
What is ransomware?
Ransomware is essentially a tool that enables extortion. It's a type of malicious software (malware) that locks away critical data, usually by encrypting it, until the victim pays a ransom fee to the attacker.
Ransomware infections can occur when a user unknowingly downloads the malware onto their computer by opening an email attachment, clicking on an ad, following a link, or even visiting a website that's embedded with malware.
Usually, the attacker requires a ransom payment in cryptocurrency, such as bitcoin, because it's hard to trace. In many cases, the ransom demand comes with a deadline. If the victim doesn't pay in time, the data is gone forever, the ransom increases or the attackers publish the data. When dealing with a particularly unscrupulous attacker, the victim may pay the ransom and still lose the data.
How users can help to prevent ransomware: do's and don'ts
Ransomware is a people-centric threat—so users play a significant role in protecting themselves and their organisations from this cyber attack. Attackers are constantly evolving their tactics, so even technical controls and the efforts of IT security teams can't prevent all malware threats from reaching users.
To help users become successful defenders against ransomware, make these essential do's and don'ts part of your security awareness training on this critical topic:
DON'T click on, download attachments from or reply to suspicious emails.
Look carefully for signs that a message might be suspicious. Ask yourself:
- Is this communication normal—and, if not, was I expecting it?
- Is this message from someone I don't know or haven't communicated with before?
- Does the message contain unexpected content?
- Does the sender attempt to create a sense of urgency or fear? (For example: "Click now or we will lock your account.”)
- Does the message ask me to reset my account or enter my credentials?
- Does the sender request that I provide data that's sensitive or not?
- Does the message want me to take some type of action? (For example: "Can you call me?" or "Can you update these details?")
DO understand that not all malicious emails will be overtly suspicious.
Attackers will often use well-known brands or try to make the message appear as if it's coming from someone you know and trust, like your colleague or manager. To avoid missteps, consider:
- Calling or texting your colleague to confirm that they sent the message.
- Using a search engine to navigate to the vendor's website to verify the communication or request originated from that vendor.
DON'T browse suspicious websites or download suspicious applications.
Here are three tips related to this recommendation to provide to users receiving ransomware security awareness education:
- If a website sounds too good to be true—like offering unlimited free music, movies and apps—it probably is and could even be malicious.
- Know that applications, even those found in popular app stores, can still be malicious. Use caution and look for apps from well-known publishers with a high number of downloads.
- Plug-ins for browsers, email or other applications can be just as dangerous as malicious applications. Check with the IT department before downloading and using any plug-ins.
DO report anything suspicious—even if you made a mistake!
It's always best to let the IT or security team know if something went wrong, such as:
- You received a suspicious email that may be a phishing email.
- You received an email that looks like it's from a colleague but seems suspicious or unexpected.
- You accidentally clicked on a link, filled in your credentials, or downloaded an attachment and realised it may be malicious.
- You visited a website that seemed legitimate, but afterwards, sensed something wasn't right.
Coming soon: a look at insider risk
The next and final blog post in our security awareness training topic series will help you educate your users about the risk of insider threats. You'll learn about types of insider threats, insider threat behaviour patterns, what constitutes an insider threat (and what doesn't), and more.
Meanwhile, for more information on the ransomware security awareness training topic, visit the Ransomware Hub from Proofpoint, where you'll find free research and resources, including our Ransomware Survival Guide, to help stop ransomware, reduce risk and protect users.