Ransomware can sneak into an organization by simple deception.
Often referred to as social engineering, hackers often look for cracks in the human shield at organizations.
This lets the attackers in the door, allowing them to gain higher “privileges” – or a higher level of security access – in a computer network; the key to carrying out a ransomware attack.
“Social engineering attacks can be executed to escalate privilege and gain more sensitive information and access over a series of attacks,” Alethe Denis, social engineering expert and consultant for Critical Insight, told Fox Business.
Most cyberattacks – about 70 percent – are related to email phishing, Denis said. Phishing emails – which appear to come from a trusted source – are a simple but effective form of social engineering.
A more sophisticated approach involves a “well-thought-out and formally planned attack that has one or more social engineering elements,” Denis said, adding that this kind of ransomware attack might, for example, target the oil and gas sector.
This approach may employ the gathering of seemingly innocuous information via a phone call, email or text message.
“While some of us think that we would be able to defend against these things, all of us are actually very much susceptible to these types of attacks,” Denis explains in a recent video on the topic.
Attackers can essentially turn somebody in an organization into an unwitting insider.
“[Attackers are] going to hedge bets on using helpful employees whose job function is to be helpful, perform customer service or otherwise be receptive to requests and handle requests – those types of roles within your company are going to be targeted,” Denis says in the video.
Denis gives one example of a company issuing a press release about their most recent charitable-giving campaign in which they mention a specific charity and a specific dollar amount that the campaign raised.
“The attacker would be able to then learn the name of the charity, the amount of money that was raised through the campaign and incorporate these into their development of a solid phish [email],” she says in the video.
“They could use logos of the charity … to pose as a representative from the charity and then incentivize the company to … engage with the email based on the fact that they promise some kind of recognition. Either an award or some kind of collaborative marketing effort to bring attention to this campaign,” Denis says in the video.
Social media is also a favorite target.
“Social media is a bad actor’s best friend and houses an immense amount of data that can be leveraged against businesses,” Denis told Fox Business.
The larger point is, once the attacker gets a foothold, ransomware unfolds over a series of attacks, “resulting in a series of smaller compromises and finally one larger compromise to a company’s data or systems,” Denis said.
Though the final attack is the one that makes the news, the first stages of an attack are part of “an onion with many layers and take thoughtful time and planning.”