How email-based ransomware works and how to prevent attacks

Ransomware has become the largest, most dangerous malware threat to date. It affects individuals, businesses, and governments around the world by holding hard drive data hostage. The cost of ransomware infections was projected to exceed US$5 billion by the end of this year, according to this report from Cybersecurity Ventures. Costs go far beyond dealing directly with a ransomware attack. In many cases, organizations had to reduce or cease operations until the ransomware was removed. Lost business, damage to reputation, and lawsuits further added to the burden of cost for businesses that fell victim to ransomware attacks.

The favorite attack vector for ransomware is email. Before the end of April this year, Cerber ransomware accounted for 90% of all ransomware attacks on computers running Microsoft Windows operating systems.

If you think mobile devices are safe, think again. Android dominates mobile devices, with 83.4% of the global market as of Q1 this year. Like Microsoft Windows, its popularity has made it a target for hackers. Earlier this year, Kaspersky Lab found mobile ransomware attacks against Android mobile devices increased by over 300% in the first quarter of 2017, with no signs of slowing down. It’s of critical importance to keep this in mind while considering how to create a ransomware protection strategy that works for all devices throughout the organization.

To protect your business against email-based ransomware attacks, there are 7 things you must do:

  1. Check if the email was sent from a legitimate URL
  2. Never fill out a form in an email until after its source is carefully verified
  3. Never click on buttons or links in an email unless it’s from a carefully verified source
  4. Never click on attachments unless it’s from a carefully verified source
  5. Never click anywhere inside the body of an email unless it’s from a carefully verified source
  6. Cultivate vigilance for phishing campaigns
  7. Use software that filters malicious URLs

Sophisticated social engineering efforts have made ransomware the single greatest threat to organizations of all sizes. Read on to learn more about each of these steps to protect your business.  

1. Check if the email was sent from a legitimate URL

A lot of email users don’t realize that they can easily check the URL of any sender (the sender’s full email address, including the domain after the @ sign) simply by looking in the upper left-hand corner of the email. Look at the image below to see where to look in Gmail.


The blue box with dark border shows you the full sender URL by default. Checking the URL is only helpful, however, if you take the time to carefully look at it. The URL in the image above is legitimate and from a trusted source.

To see the difference, here’s an email from a spammer:


If you look inside the red box, you’ll see what looks like a legitimate sender name “Adobe Research”. However, when you look at the email URL, it becomes obvious that this email wasn’t sent by Adobe. While the email handle says ‘adoberesearch’, the URL part is from ‘’, a URL clearly not from Adobe.

The most sophisticated ransomware makes this kind of spam look like amateur work. The most successful ransomware attacks create targeted emails that look like they are from someone you know or an organization you do business with. Reports of emails that look like they were sent from public utilities and large retailers are just two examples of how hackers convince users that an email is legitimate. Earlier this year, a highly successful spam campaign was launched targeting Google Gmail users. The hackers behind it went to great lengths to make it look as legit as possible, even down to the URL. The giveaway was that the URL was preceded by data:text. The Google Doc that appeared to be shared by someone the user knew was actually an image. When clicked, it downloaded malware that immediately grabbed all the contacts in that Gmail user’s account and sent them the same malicious spam email.

When opening an email, get in the habit of checking the sender’s URL. You may also need to educate and train your employees to do the same. It could save you the costs of a ransomware attack.
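
The same check can be automated at the mail gateway. The sketch below is an added example, not code from this article or from DuoCircle. It flags a sender whose display name or handle names a brand while the address domain belongs to someone else, and it also reads the receiving server's `Authentication-Results` header, because the From line itself is written by the sender. The brand table, the sample messages and the `mailer.example` domain are constructed assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: brands mapped to the domains they really send from.
# Illustrative entries only, not an authoritative list.
BRAND_DOMAINS = {"adobe": {"adobe.com"}, "google": {"google.com"}}

def domain_matches(domain, allowed):
    """True if domain equals an allowed domain or is a subdomain of one."""
    return any(domain == d or domain.endswith("." + d) for d in allowed)

def check_sender(raw_message):
    """Return a list of warnings about the From header of one message."""
    msg = message_from_string(raw_message)
    display, address = parseaddr(msg.get("From", ""))
    local, _, domain = address.rpartition("@")
    domain = domain.lower()
    if not domain:
        return ["no parsable sender address"]
    warnings = []
    # A brand named in the display name or handle should use its own domain.
    claimed = (display + local).lower().replace(" ", "")
    for brand, allowed in BRAND_DOMAINS.items():
        if brand in claimed and not domain_matches(domain, allowed):
            warnings.append(f"claims '{brand}' but sent from {domain}")
    # The From header is sender-controlled, so also require the receiving
    # server's DMARC verdict to be a pass.
    auth = " ".join(msg.get_all("Authentication-Results", [])).lower()
    if "dmarc=pass" not in auth:
        warnings.append("DMARC did not pass for the From domain")
    return warnings

# Constructed sample messages (not real mail).
SPOOFED = (
    "From: Adobe Research <adoberesearch@mailer.example>\n"
    "Authentication-Results: mx.recipient.example; spf=pass; dmarc=none\n"
    "Subject: Survey\n\nbody\n"
)
LEGIT = (
    "From: Adobe <news@mail.adobe.com>\n"
    "Authentication-Results: mx.recipient.example; dkim=pass; dmarc=pass\n"
    "Subject: Update\n\nbody\n"
)

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("legit", LEGIT)):
        print(name, check_sender(raw))
```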

2. Avoid filling out forms in email

Phishing has been around a long time. A classic type of phishing email is one that looks like it’s from a legitimate source and asks you to fill out a form. It might look like a utility bill or a request to verify your account information for an online retailer. Oftentimes, you’ll be asked for log-in credentials, even a credit card number or social security number. DON’T DO IT. Legitimate organizations stopped this practice back when phishing first became a popular ploy of hackers. Most organizations have policies in place that prevent them from asking for personal information of any kind in an email. Period. If you receive an email from your bank asking you to verify your account information, DO NOT FILL IN THAT INFORMATION. Instead, call your bank and ask them if they sent you an email requesting your account information for verification purposes.

The simplest solution is to never fill out a form in an email.

3. Never click buttons, links, or images in an email

Like the two steps before, you should avoid clicking on anything in an email before you have verified that the email was sent from a legitimate source. Images, buttons, and links can easily be set up to automatically download and install ransomware on your computer. Once you click the link, you can’t stop it. The initial download is often an installer that takes only a second or so to download. Since the download is hidden from your view, you can’t stop it. While you go about your business, the installer quietly downloads and installs the ransomware on your computer. You won’t ever know it’s there, until you let your PC sit long enough to go to sleep or you shut your computer down. Once you see the ransomware page, it’s too late – your files have been encrypted until you pay up.

Take the time to double-check the sender’s URL before you click on anything in an email. It could save you a lot of headache and money.

Try our comprehensive Phishing Protection service with Advanced Threat Defense to protect your entire organization from spam, malware and phishing scams.


4. Never click anywhere in the body of an email

One of the more nefarious versions of ransomware to be unleashed on unsuspecting email users is one where an image that looks like a form takes up the body of the email. When you click anywhere inside the email, the ransomware download is triggered. You don’t have to fill anything out or click on a button or link, because the entire email body is rigged.

Once again, the best protection is to look at the sender’s URL to verify if it’s from a legitimate source.

5. Don’t download attachments

This whole ‘don’t do it’ list may seem a bit redundant, and in a way, it is. However, each of these “don’ts” is exactly what people do to trigger a ransomware attack. Attachments are no different. In fact, the rigged Google Doc example from earlier is a perfect example of how sophisticated email attacks have become. That wasn’t ransomware, per se, but one can easily see a ransomware exploit using the same attack vector.

Attachments are the perennial favorite of malicious email campaigns because people tend to download them. Microsoft Word files are a favorite, but the file can be of any type. When you download an attachment from an unverified sender, you are inviting your computer to be attacked with ransomware. It’s that simple. To prevent an attack, don’t download any attachments.

What makes ransomware such a huge danger is that, once a single PC on a network is infected, every vulnerable computer on that network will be infected. Today’s ransomware is built to infect a single computer, then exploit vulnerabilities in Windows operating systems and software to gain access to other computers. When it finds a vulnerable PC, it attacks it, encrypting all its files. This can cripple a business within a few hours, disrupting operations in a way that can make disaster recovery difficult.

6. Learn how phishing campaigns work

To protect your organization against phishing campaigns and the crippling effects of a ransomware attack, learn all you can about how they work. Better yet, educate and train everyone in your organization on phishing. Teach them what it is, how it works, and why it’s so dangerous. Provide positive incentives to encourage vigilant behavior and safe email practices.

7. Use URL filtering to protect against ransomware attacks

DuoCircle’s new product, Link Click Protector, compares URLs in real time with 6 different URL reputation databases to determine if they’re malicious. The way this works is, immediately after the user clicks a link, it is intercepted by our URL filter and checked against those databases. When a malicious link is detected, the user is warned. To go to the URL, the user has to acknowledge the risk and accept it before being allowed to continue on to the malicious website.
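
To make the lookup concrete, here is an added example (not DuoCircle's implementation) that extracts every link from an HTML email body and checks its host against several reputation lists, returning a warning when any list has it. It goes one step beyond the description above by also rejecting links that use a non-web scheme such as the `data:` prefix mentioned in step 1. The feed names, hosts and sample body are constructed, and blocking `data:` links outright is an assumption of this sketch.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed stand-ins for URL reputation feeds (feed name -> bad hosts).
REPUTATION_FEEDS = {
    "feed-a": {"malware-download.example"},
    "feed-b": {"malware-download.example", "phish-login.example"},
}

class LinkCollector(HTMLParser):
    """Collect the href of every <a> and <area> tag in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag in ("a", "area"):
            href = dict(attrs).get("href")
            if href:
                self.links.append(href.strip())

def classify_link(url):
    """Return (verdict, reason); verdict is 'block', 'warn' or 'allow'."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    # Assumption: only web and mailto links are expected in mail.
    if scheme not in ("http", "https", "mailto"):
        return ("block", f"unexpected scheme '{scheme}:'")
    host = (parts.hostname or "").lower()
    hits = sorted(n for n, bad in REPUTATION_FEEDS.items() if host in bad)
    if hits:
        return ("warn", "listed by " + ", ".join(hits))
    return ("allow", "no feed lists this host")

def scan_body(html_body):
    """Map each link found in the body to its (verdict, reason)."""
    collector = LinkCollector()
    collector.feed(html_body)
    return {url: classify_link(url) for url in collector.links}

# Constructed sample body (not a real message).
SAMPLE = (
    '<p><a href="https://docs.partner.example/invoice">Open invoice</a></p>'
    '<p><a href="data:text/html,placeholder"><img src="doc.png"></a></p>'
    '<p><a href="http://phish-login.example/verify">Verify account</a></p>'
)

if __name__ == "__main__":
    for url, verdict in scan_body(SAMPLE).items():
        print(verdict, url)
```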


The best protection against ransomware: Vigilance + LCP

It’s easy to get in a rush and do things without really thinking about them, including reading your email. Checking email is a habit, really, one we do with little thought. This is the key vulnerability that makes email-based attacks successful. We’re in a hurry, we’re tired, and we’re distracted. It’s incredibly easy to open an email and do what it says without thinking. Here at DuoCircle, we understand this. That’s why we created the Link Click Protection product. It looks out for you and all email users throughout your organization. When used with our other email protection software options, such as our advanced spam filter, LCP provides the kind of email protection you need for your business. You can invest thousands of dollars in training programs that may or may not improve safe email practices of your employees or you can take advantage of the many benefits of LCP at a price that will look great on your balance sheet.  

Try a 30 day free trial of our comprehensive Phishing Protection service with Advanced Threat Defense to protect your entire organization from spam, malware and phishing scams.
