93% of phishing emails now contain ransomware

The first three months of 2016 saw an unprecedented 789% jump in ransomware, according to a new report from phishing defence firm PhishMe.

The staggering upsurge is thanks to the explosion of ransomware – a malware type that's risen up the ranks to become top dog of the cybercriminal ecosystem in the last couple of years.

The number of phishing emails hit 6.3 million in the first quarter of this year, and on average, 93% of them were found to contain ransomware.

'Thus far in 2016, we have recorded an unprecedented rise in encryption ransomware attacks, and we see no signs of this trend abating. Individuals, small- and medium-sized businesses, hospitals, and global enterprises are all faced with the reality that this is now one of the most favoured cyber criminal enterprises,' said PhishMe CEO and cofounder Rohyt Belani.

Why ransomware? It's become a highly lucrative business model because it requires a minimal start-up cost to carry out, is relatively low risk and the returns are potentially enormous. Hackers write their own code or buy ransomware as a service on the black market, often as part of a suite of other products.

Thanks to this there has been a 600% increase in the number of ransomware families in recent years, with strains like Locky, Teslacrypt and the first ransomware to target OS X, KeRanger, making news.

Criminals are also perfecting their targeting techniques – another 2015 trend that has come to full fruition in 2016 is threat actors’ use of soft targeting in phishing. In contrast to both broad distribution and the careful targeting of one or two individuals via spear phishing emails, soft targeting focuses on a wider category of individuals based on their role within any organisation anywhere in the world.

Criminals target this subset with content relevant to their role, and these malicious emails are typically accompanied by Microsoft Office documents laden with malware.

Towards the end of 2015, PhishMe’s Research team hinted at the growing prevalence of JavaScript downloader applications as a malware delivery mechanism. During the first three months of 2016, most notably through its prolific use by the distributors of Locky, this prediction did indeed materialise as expected.

'During the first quarter, JavaScript applications even surpassed Office documents with macro scripts to become the most common malicious file type accompanying phishing emails,' confirms Rohyt. 'JSDropper applications were present in nearly one third of all phishing email analyses performed by PhishMe.'

Whether threat actors execute encryption ransomware attacks via phishing messages, deliver personalised messages to a functional area of an organisation, or combine Dridex or Locky with JSDropper or Office documents with macros for delivery, the impact on the victim is significant.

Organisations have to expend scarce incident response resources on the clean-up effort, manage a potential public relations nightmare, and in some cases even cave in to the hackers' demands and pay the ransom.

'As the frequency and magnitude of such phishing attacks increase, the importance of empowering humans to avoid and report them, and giving incident response teams the ability to rapidly react to such reports has never been more acute,' said Rohyt.

Ben Rossi

Ben was Vitesse Media's editorial director, leading content creation and editorial strategy across all Vitesse products, including its market-leading B2B and consumer magazines, websites, research and...
