• Carl

Ransomware Attacks: Why Email Is Still the #1 Delivery Method

Updated: Feb 3, 2020



Ransomware attacks made a major comeback in 2019, but unlike previous years, hackers made the switch from enterprise targets to SMBs. According to Datto, one in five SMBs were hit with a ransomware attack in 2019. Attacks on US state and local governments hit an all-time high, with 144 cyberattacks recorded throughout the year.


While many officials remain tight-lipped about the origin of attacks, many have admitted that the ransomware infections resulted from employees clicking on phishing emails. In a worldwide survey of MSPs, Statista found that 67 percent of ransomware attacks originated from a phishing or spam email.


There are other ways to unleash ransomware, including remotely, as was the case with many high-profile attacks on MSPs in 2019. But a remote attack requires a level of sophistication that not all hackers possess. This makes phishing the easiest method of delivery, and man does it pay off.


Phishing emails are easy to create


It doesn’t take a high level of skill to create a phishing email. To create the illusion of legitimacy, hackers mimic a brand’s look and feel by using brand images and logos from the target brand’s website or Google Images. To spoof an email address, hackers can easily add their desired display name to any email address, a technique known as display name spoofing. Or they can create a new address that is strikingly similar to a brand’s address, known as a close cousin.
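Both tricks can be checked for on the receiving side. The sketch below is an added example, not code from the original article: it classifies a From header as display name spoofing or a close cousin. The brand "examplebank", its domain, the sample headers and the edit-distance threshold of 2 are all constructed assumptions.

```python
from email.utils import parseaddr

# Constructed allow-list: brand keyword -> domains the brand really sends from.
# "examplebank" and its domain are assumptions made for this example.
BRANDS = {"examplebank": {"examplebank.com"}}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_legit(domain: str, legit: set) -> bool:
    """True for a listed domain or any subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in legit)


def classify_sender(from_header: str, max_distance: int = 2) -> str:
    """Return 'ok', 'close_cousin', 'display_name_spoof' or 'unknown'."""
    display, addr = parseaddr(from_header)
    domain = addr.rpartition("@")[2].lower()
    # Normalise the display name so "Example Bank" matches "examplebank".
    name = "".join(ch for ch in display.lower() if ch.isalnum())
    for brand, legit in BRANDS.items():
        if is_legit(domain, legit):
            return "ok"
        # Close cousin: a domain only a few edits away from a real one.
        if any(0 < edit_distance(domain, d) <= max_distance for d in legit):
            return "close_cousin"
        # Display name spoofing: brand in the name, unrelated domain behind it.
        if brand in name:
            return "display_name_spoof"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample headers.
    for hdr in ("Example Bank <alerts@examplebank.com>",
                "Example Bank Support <jsmith8841@mail-host.example>",
                "Billing <billing@examp1ebank.com>"):
        print(f"{classify_sender(hdr):20} {hdr}")
```

A verdict other than "ok" is a signal to quarantine or banner the message, not proof of phishing; legitimate third-party senders need to be added to the allow-list.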


To make things simpler for the hacker, phishing kits can be purchased online. A typical phishing kit includes all the necessary components of a phishing attack, including a fraudulent webpage and tools that both make the webpage appear legitimate and assist in evading detection. Some kits even identify targets, create the phishing email, and collect data. Phishing kits are available as a one-time purchase and as a subscription model known as phishing-as-a-service (PhaaS), which includes a license to use the software for a set time frame, similar to any other SaaS model.


To bypass an email filter, hackers have a host of tools at their disposal, many of them free. Bitly, a URL shortener, can be used to create an alias of the phishing URL, tricking filters that scan for blacklisted URLs. Another trick is to create a URL redirect from a legitimate URL to a phishing URL. Hackers scan for websites that have open redirects, insert those URLs into phishing emails, and then point the redirects at phishing pages after the email has been delivered.


Ransomware kits are cheap and ready to deliver


For around $500, an exploit kit containing malware can be purchased online. This reduces the level of effort for the hacker and makes the attack that much easier to deploy via email. Plus, many kits come with a license—typically three months—so hackers can launch as many attacks as they can manage in that time frame.

Some of the most notorious and damaging malware strains are available for purchase online. Some, including Robbinhood, the ransomware used in the attacks on the City of Baltimore, are available as ransomware-as-a-service (RaaS).


Like PhaaS, RaaS is a subscription offering that includes everything a hacker needs to launch an attack. Some services also include tools unique to ransomware, including dashboards that show real-time reporting of attacks in motion. Under the RaaS model, the RaaS distributor receives a portion of the ransomware proceeds.


Emotet, the malware used as the launch pad for Ryuk ransomware, is also for sale. Ryuk is thought to be responsible for the December 2019 ransomware attack on the City of New Orleans. It was delivered via a link in a phishing email, according to city officials, and it will cost the city well over the $3 million it currently pays for cyber insurance. Baltimore will spend an estimated $18 million to pay for damages and lost revenue associated with the Robbinhood ransomware attack.


Social engineering helps hackers craft the perfect email