
Social Engineering Tactics Behind Ransomware

July 14, 2021

What do you think about when you hear the word “ransomware?” Perhaps a group of attackers operating out of a clandestine location comes to mind. Maybe you also picture them furiously typing away as they effortlessly gain access to their target’s systems. Movies certainly depict such scenes. The truth, however, is that ransomware attacks usually rely not only on technical skills but also on social engineering skills. CSO Online defines ransomware as “a form of malware that encrypts a victim’s files. The attacker then demands a ransom from the victim to restore access to the data upon payment.”

When successful, ransomware attacks can have detrimental effects not only on a corporation but also on the people who rely on its services. The recent Colonial Pipeline attack is a notable example. It disrupted fuel distribution, affecting many businesses and individuals on the east coast of the United States, and the company’s CEO paid the cybercriminals nearly $5 million in ransom to regain control of its computer systems.

Often, social engineering tactics behind ransomware attacks play a significant role in their success. Let’s consider a couple of ways in which ransomware attacks use social engineering tactics.

Vishing

Vishing, or voice phishing, is a form of attack in which cybercriminals contact an organization’s employees by telephone. The caller has two goals: first, to gather information, and second, to manipulate the target into taking an action that compromises the security of their company.

Before a vishing attack, the caller has often already researched the target company: its staff, its vendors, and the internal terms it uses. With that background, the cybercriminal can convincingly pose as a colleague from the IT department and ask the employee to visit a specific website to “perform an update.” The caller may instead pose as a desperate-sounding customer who needs help. Compliance, helpfulness, and urgency are used to evoke emotions that suspend critical thinking. During the call, the attacker may obtain employees’ full names, email addresses, and system passwords, as well as vendor names. Once cybercriminals hold such information, they can craft very realistic phishing emails that use the same influence tactics to push the target into an action that is detrimental to the security of their organization.

Phishing

Phishing is described as the “practice of sending emails appearing to be from reputable sources with the goal of influencing or gaining personal information.” In fact, it is the number one delivery vehicle for ransomware according to Statista.

Cybercriminals usually craft phishing emails to look like official corporate communication. They may also use “commercial” templates (mimicking shipping notices, invoices, or well-known brands) and “customer” templates (mimicking a customer inquiry or complaint). The emails are designed to elicit a response or a “click” by evoking emotions such as fear, greed, and curiosity, and because they are built to look legitimate they are difficult to detect. By appealing to the target’s emotions, a phishing email can trick the target into taking an action that puts their company at risk.
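As an added illustration that is not part of the original post, the script below shows why such emails are hard to spot by eye and what a mechanical check can still catch. It parses a constructed sample message of the “IT department” kind described above, compares the sender, Reply-To, and linked domains against an assumed legitimate company domain (acme-corp.com, the sample addresses, and the keyword list are all hypothetical), folds common look-alike character swaps such as “0” for “o”, and flags urgency wording in the subject line.

```python
import re
from difflib import SequenceMatcher
from email import message_from_string
from email.policy import default as default_policy
from email.utils import parseaddr

# Constructed sample message for this example; not a real capture.
SAMPLE_PHISH = """\
From: "Acme IT Support" <helpdesk@acme-corp-support.com>
Reply-To: reset@acme-c0rp.com
To: jane.doe@acme-corp.com
Subject: URGENT: your password expires today

Your password expires in 1 hour. Click here to keep access:
http://acme-c0rp.com/reset
"""

# Assumed legitimate domain of the target company (hypothetical).
TRUSTED_DOMAIN = "acme-corp.com"

# Words that signal the fear/urgency pressure phishing relies on (assumed list).
URGENCY_WORDS = ("urgent", "immediately", "expires", "suspended", "verify", "final notice")


def normalise(domain: str) -> str:
    """Fold common character substitutions so 'acme-c0rp.com' compares as 'acme-corp.com'."""
    folded = domain.lower().replace("rn", "m").replace("vv", "w")
    return folded.translate(str.maketrans("0135", "oles"))


def domain_of(header_value) -> str:
    """Return the domain of the address in a From/Reply-To header ('' if none)."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_lookalike(domain: str, trusted: str = TRUSTED_DOMAIN) -> bool:
    """True when domain is not the trusted domain but is built to resemble it."""
    if not domain or domain == trusted:
        return False
    if normalise(domain) == normalise(trusted):
        return True  # homoglyph or digit swap: acme-c0rp.com
    base = trusted.rsplit(".", 1)[0]  # 'acme-corp'
    if base in domain:
        return True  # trusted name embedded: acme-corp-support.com
    # one-character typosquats (acme-cor.com, acme-corp.co) score high here
    return SequenceMatcher(None, domain, trusted).ratio() >= 0.85


def analyse(raw: str) -> list[str]:
    """Return a list of findings for one RFC 5322 message given as text."""
    msg = message_from_string(raw, policy=default_policy)
    findings = []
    from_dom = domain_of(msg["From"])
    reply_dom = domain_of(msg["Reply-To"])
    if is_lookalike(from_dom):
        findings.append(f"from_lookalike:{from_dom}")
    if reply_dom and reply_dom != from_dom:
        findings.append(f"reply_to_mismatch:{reply_dom}")  # replies go somewhere else
    if is_lookalike(reply_dom):
        findings.append(f"reply_to_lookalike:{reply_dom}")
    subject = str(msg["Subject"] or "").lower()
    if any(word in subject for word in URGENCY_WORDS):
        findings.append("urgency_cue")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    for url_dom in re.findall(r"https?://([^/\s]+)", text, flags=re.I):
        if is_lookalike(url_dom.lower()):
            findings.append(f"link_lookalike:{url_dom.lower()}")
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_PHISH):
        print(finding)
```

The display name “Acme IT Support” is exactly what a trained employee should learn to distrust: it is free text chosen by the sender, while the domains after the “@” and inside the link are what actually identify where the message came from and where a reply or click will go. A check like this belongs in a mail gateway or reporting workflow; it complements, rather than replaces, the human judgement that awareness training builds.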

Be Proactive

Ransomware attacks are effective not just because of expert coding, but because cybercriminals prey on their targets’ emotions to influence them into actions that compromise their organization’s security. These attacks can cost companies heavily, both financially and in reputation. So how can you protect your business from the social engineering tactics behind ransomware? Be proactive! Educating and training employees actively helps stop malware from infiltrating the organization’s systems.

At Social-Engineer, our services focus on the tactics hostile attackers use to influence and manipulate people via phishing, vishing, and impersonation. Some of these services include:

  • SE Vishing Service (SEVS) is a fully-managed, human approach — no robocalling. With this service, we deploy a team of professionally trained and certified social engineers. These social engineers use dynamic pretexts to elicit critical data from your employees on an ongoing basis.
  • Instant Vishing Education Service (IVES) sends employees customized training and test results. We also provide resources to improve their awareness of the threat vector.
  • SE Phishing Service (SEPS) is a fully-managed program that measures and tracks how your employees respond to email phishing attacks. Through our patented process for constructing messaging at varying levels of sophistication, employees demonstrate their ability to recognize and report fraudulent emails.

For more information about our services visit our website http://www.www.social-engineer.com/services/ . Be proactive, educate yourself and your employees, stay safe.

Sources
https://www.csoonline.com/article/3236183/what-is-ransomware-how-it-works-and-how-to-remove-it.html
https://www.cnn.com/2021/06/04/politics/colonial-pipeline-ransomware-attack-password/index.html
http://www.www.social-engineer.com/are-your-employees-trained-to-withstand-vishing-attacks-2/
https://www.social-engineer.org/framework/attack-vectors/phishing-attacks-2/
https://www.social-engineer.org/social-engineering/emotions-used-in-human-hacking/

Image
https://www.nakivo.com/blog/best-ways-recover-ransomware/
