Fortimail WP Ransomware Mitigate Attacks

The document discusses the growing threat of ransomware and how it has become a serious risk for organizations. It focuses on email-based ransomware attacks, which account for approximately 33% of attacks. The document provides an overview of ransomware, including how ransomware-as-a-service allows less experienced actors to conduct attacks. It also examines the prevalence of ransomware across different industries and the concerns of security professionals regarding email-based ransomware threats.

Uploaded by

Samy Mohammed

WHITE PAPER

The Ins and Outs of Ransomware: How To Mitigate Email-based Attacks
Table of Contents

Executive Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

An Ominous Threat . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3

The growing concern among security leaders and practitioners . . . . . . . . . 4

Understanding Ransomware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

Top ransomware threat vectors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 5

Ransomware-as-a-Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6

Security With Users at the Center . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7

Recommendations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9

Conclusion: Reduce the Risk and Impact of Ransomware . . . . . . . . . . . . . . . . . . 9


Executive Summary
Ransomware is going beyond media hype to become a genuine threat that can pose tremendous risk to organizations in the
form of disruptions to operations, the loss of data through exfiltration and destruction, and costs associated with the response
to and payment of any ransom or extortion. In fact, this past year has seen ransomware demands skyrocket as ransomware
gangs have demanded as much as $50 million in ransom from companies like Acer, Apple, and Accenture.

Ransomware is a complex problem, and guarding against it requires a multilayered security approach that spans numerous
security domains. This paper focuses on email security defenses and best practices that can help organizations protect against
ransomware threats that use email as a primary threat vector (approximately 33% of attacks). However, we caution that there
is more to defending against ransomware than just email security. All organizations should be working to address other threat
vectors and the various tactics, techniques, and procedures (TTPs) that today’s ransomware groups and individuals are using.

An Ominous Threat
Ransomware poses an ominous threat for organizations worldwide.

This past year, we saw the further evolution of ransomware. It has been elevated to the big leagues with highly visible attacks
on major companies and critical infrastructure.1 At the beginning of 2021, Acer, Apple, and Accenture faced separate $50 million
ransomware threats. In all three cases, the threat actors had already exfiltrated sensitive information and threatened to release
it to the public. Their ransom became much more like extortion, which created further complexities for the victim organizations.
After all, how can anyone be sure that the threat actor will reliably delete all stolen data if you pay a ransom?

But this isn’t the most alarming aspect of ransomware’s development. The volume of attacks is. According to the 2021
Verizon Data Breach Investigations Report, ransomware’s involvement in successful breaches increased to 10%, more than
doubling from the prior year.2 Separately, Fortinet’s FortiGuard Labs reported a 10.7x increase in ransomware detections
across our sensors between June 2020 and June 2021.3

Figure 1: Prevalence of ransomware-related detections across Fortinet sensors. (Chart: number of unique devices with ransomware detections, in thousands, plotted weekly from July 2020 through June 2021. Weekly average June 2020 = 14,000; weekly average June 2021 = 149,000; labelled "10x growth". Source: Fortinet - July 2021.)


Furthermore—and contrary to any general perception—ransomware is a clear and present danger regardless of industry,
not just the healthcare, government, or education sectors. As the data in Figure 2 shows, no industry is immune from
ransomware attacks. As a result, IT and security teams need to review their current strategies around email security and
evaluate the efficacy of their existing solutions.

Figure 2: Ransomware prevalence by industry.4 (Bar chart: ransomware detections across sectors in 1H 2021, x-axis 0% to 45%. Sectors shown, top to bottom: Telco/Carrier, Government, MSSP, Automotive, Manufacturing, Energy and Logistics, Transportation and Logistics, Technology, Aerospace and Defense, Food and Beverage, Healthcare, Agriculture, Construction, Environmental, Banking/Finance/Insurance, Retail/Hospitality, Education, Media/Communications, Consulting, Nonprofit, Legal.)

Why? It’s likely because ransomware has a shorter time-to-money with few barriers to entry for success, making it attractive
to threat actors compared to other attack types. With ransomware attacks, attackers can see the fruits of their efforts much
more quickly than traditional efforts where data is stolen and sold on the dark web. And arguably, attackers don’t have to be as
sophisticated to launch these kinds of attacks by leveraging Ransomware-as-a-service (RaaS).

RaaS represents a Software-as-a-Service (SaaS) model whereby ransomware developers develop and essentially rent out
their software for other groups and individuals to conduct ransomware attacks. This allows the developers to stick to their core
strength of creating tools while allowing less expert actors to conduct ransomware attacks without having to create the tools
they need. These actors may pay a monthly subscription fee for use of the tools or pay a commission to the tool owners from
any successful attack. In effect, the RaaS provider provides the critical software needed to perpetrate attacks, including user
interfaces for campaign tracking.

The growing concern among security leaders and practitioners


The concerns of security leaders and practitioners reflect the growing reality that ransomware has gone beyond media focus and
hype to having a very real impact on organizations. As the figure below shows, most organizations are worried about ransomware
threats incoming through email above all other categories (polling respondents in the United States and across Europe).


Which of the following threats are you and your business most concerned about?

Threat category                                                              Europe   United States
Volumetric phishing                                                           6.9%     7.2%
Spear phishing (where the threat actor is targeting executives and leaders)  12.3%    13.2%
Malware (not including ransomware)                                            6.2%     8.6%
Ransomware                                                                   41.5%    46.7%
Malicious Links                                                              14.6%     7.9%
Impersonation                                                                 8.5%     6.6%
Business Email Compromise                                                     7.7%     7.9%

Figure 3: IT and IT security leaders and practitioners express ransomware concerns.5

Understanding Ransomware
To combat ransomware effectively, organizations must understand how it works, starting from the beginning. However, our focus
will ultimately be on guarding against ransomware gangs and individuals who use email as a vector into and out of organizations.

Top ransomware threat vectors


Ransomware threat vectors can be attributed to three main pathways: email, Remote Desktop Protocol (RDP) tools, and
software vulnerability exploits. Figure 4 shows how usage of these vectors has shifted over time, indicating that threat
actors change their tactics from period to period.

Figure 4: Ransomware attack vectors.6 (Chart: ransomware attack vectors as a percentage of attacks, by period.)


Using email as a threat vector is a means to take advantage of employees inside an organization. After all, email, even
more so than business phone use today, is the easiest way for a bad actor to communicate directly with anyone within an
organization and exploit human behavior. This is one reason why effective email security solutions are critical: to prevent
emails from getting through across an attack surface as broad as the office and remote locations, including the homes
employees work in.

Ransomware-as-a-Service
To effectively guard against ransomware, organizations must clearly understand how gangs and individuals perpetrate their
attacks. The MITRE ATT&CK® taxonomy (or framework) represents an industry-standard approach for understanding the
various TTPs that threat actors use and deploy in their efforts. For example, the graphic below depicts an analysis of how
Sodinokibi ransomware attacks were conducted. In the case of Sodinokibi, researchers have seen attacks spanning all three
major vectors.

MITRE ATT&CK® - Sodinokibi

Tactic columns: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact.

Techniques shown in the matrix: External Remote Services, Drive-by Compromise, Exploit Public-facing App, Spear Phishing Attachment, Supply Chain Compromise, Remote Desktop Protocol (RDP), Command and Scripting Interpreter, Obfuscated Files or Info, Masquerading, Indicator Blocking, Inhibit System Recovery, Data Encryption.

Figure 5: Sodinokibi ransomware attacks mapped to the MITRE ATT&CK framework.7

Meanwhile, ransomware attacks using Avaddon have so far relied on spear phishing through email as a primary threat vector.


MITRE ATT&CK® - Avaddon

Tactic columns: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact.

Techniques shown in the matrix: Spear Phishing, Service Execution, Windows Management Instrumentation, Account Manipulation, Registry Run Keys/Startup Folder, Kernel Modules and Extensions, Process Injection, Credential API Hooking, File Deletion, Modify Registry, Virtualization/Sandbox Evasion, Query Registry, System Network Config Discovery, File and Directory Discovery, Peripheral Device Discovery, Non-standard Port, Inhibit System Recovery, Data Encryption.

Figure 6: Avaddon ransomware attacks mapped to the MITRE ATT&CK framework.8

The attacks mapped to the MITRE ATT&CK framework also remind us that the various TTPs used can’t be prevented, detected, or
mitigated by email security solutions alone. Solving the ransomware problem requires multiple layers of defenses across all
three primary vectors, incorporating people, processes, and technology working in unison. However, email security cannot be
overlooked. And relying on an existing email security solution without conducting an annual review of its efficacy may
introduce unexpected risk and the potential for loss.

Sidebar: Due to the changes in the threat landscape in the last 12 to 18 months, Fortinet recommends IT and IT security
teams conduct an annual assessment of the efficacy of their current email security tools, policies, and practices.

Security With Users at the Center

There’s no doubt that email security solutions are required to address the sheer volume of spam and threats a given
organization sees each day. However, organizations do need overlapping defenses that further reduce the possibility of a
successful breach, with these defenses being centered around the user and user behavior. This is why many organizations today
deploy a blend of security awareness training, phishing simulation, and phishing reporting tools.

As for how today’s organizations are pursuing a similar approach to email security,
where there is a focus on human behavior, we again have some insights from our
polling of audiences in Europe and the United States.


Does your organization use any of the following to educate, train, and test employees on spotting malicious email?
(Select all that apply.)

Measure                                                                    Europe   United States
Online Security Awareness Training                                          40.2%    55.9%
In-person Security Awareness Training                                       27.1%    27.2%
Phishing Simulation or Testing                                              32.7%    46.3%
Use a Dedicated Email for Reporting Phishing                                20.6%    21.3%
Use a Dedicated Button in Outlook/Email for Reporting Suspicious Email      18.7%    26.5%
We don’t use any of the above today.                                        23.4%    22.8%

Figure 7: Use of security awareness training and phishing testing.9

As highlighted above, most organizations are pursuing a blend of activities. This likely includes phishing simulation, with 32%
and 46% of respondents in Europe and the U.S., respectively, reporting use of this approach. Across both regions, we see a
surprising 23% of organizations that don’t educate, train, or test employees at all.

Still, today’s threat landscape dictates organizations consider additional protections.

Figure 8: Layering security capabilities around human behavior: a concept. (Diagram with three columns, each listing the
controls that sit around the user: Email Services - Email Security; Proper Usage Policy - Security Awareness Training,
Phishing Simulation/Testing, Suspicious Email Reporting; Web Browsing - Browser Isolation. EDR spans the endpoint beneath
all three.)

Organizations can further address the risk posed by user behavior through web browser isolation and endpoint detection and
response (EDR). Web browser isolation can be an important extension of security for organizations concerned that employee
browsing behavior may introduce significant risk. Meanwhile, EDR provides an effective defensive layer to monitor anomalous
behavior and activities on endpoints that suggest a malicious threat or actor has broken through email or other defenses.


Recommendations

Security Awareness Training

1. Run a comprehensive and consistent security awareness training program across the company. Content should be both short- and
long-form and delivered in multiple formats, such as video, posters, and email. Integrated security awareness training (SAT) content
can be used as part of a phishing simulation or testing regimen to reinforce learning.

Phishing Simulation/Testing

2. Perform ongoing phishing testing of employees and users. This testing should be oriented toward learning and training reinforcement
versus purely for performance testing. Be sure to scale up phishing email samples in terms of sophistication and incorporate content
based on aspects of the organization’s operations. For instance, a phishing email can leverage an internal newsletter template used
for alerting employees to various human resources updates. Also, it may be prudent to craft phishing emails specific to select groups
within an organization.

Endpoint Detection and Response

3. Endpoint protection platforms work to prevent threats like ransomware from deploying on employees’ laptops and desktop machines.
EDR solutions work to detect changes, processes, and activities running on an endpoint tied to a malicious threat or actor. If some
malicious activity is suspected, automated response works to isolate the endpoint. At the same time, extensive capture of event
information allows for rapid forensic analysis of the endpoint to determine what has transpired.
As a result, EDR solutions are highly valuable as an additional layer of detection for threats that may have made it through email or
arrived through some other vector to the endpoint. We recommend all organizations use EDR across the endpoints in their organizations.

Web Browser Isolation

4. For organizations susceptible to risk introduced through employees browsing the internet, IT and IT security teams should investigate
browser isolation solutions for potential adoption.

Conclusion: Reduce the Risk and Impact of Ransomware


It’s clear that the real threat posed by ransomware has gone beyond media attention and hype to having catastrophic
impacts on organizations and supply chains around the world.

Reducing the risk of email-based ransomware threats starts with highly effective email security tools with advanced
capabilities that identify the characteristics of email content and sender/receiver reputation while also inspecting URLs
and attachments.
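As an added illustration of the kind of inspection described above (this is example code written for this page, not FortiMail or any Fortinet implementation), the following Python script triages a single message the way a simple mail-gateway rule might: it reads the SPF/DKIM/DMARC verdicts from the Authentication-Results header, compares the host of every link in the body with the sender's domain, and flags attachment types that commonly carry executable content. The two sample messages, the domain names in them, and the list of risky extensions are constructed for the example.

```python
"""Triage one email message on three signals: sender authentication results,
links in the body, and attachment types.  Added example, not vendor code; the
sample messages, domains and extension list below are constructed."""
import re
from email import policy
from email.parser import BytesParser
from urllib.parse import urlparse

# Attachment types that commonly carry executable or macro content (constructed
# list for the example; a real gateway would use a maintained policy).
RISKY_EXTENSIONS = {".exe", ".js", ".vbs", ".scr", ".hta", ".iso", ".lnk", ".docm", ".xlsm"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def auth_results(msg):
    """Map spf/dkim/dmarc -> verdict from the Authentication-Results header."""
    header = str(msg.get("Authentication-Results", ""))
    return {m.lower(): v.lower()
            for m, v in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header, re.IGNORECASE)}


def sender_domain(msg):
    """Domain part of the From: address, lower-cased ('' if none)."""
    m = re.search(r"@([\w.-]+)", str(msg.get("From", "")))
    return m.group(1).lower() if m else ""


def body_urls(msg):
    """All http(s) URLs found in text parts that are not attachments."""
    urls = []
    for part in msg.walk():
        if part.get_content_type() in ("text/plain", "text/html") and not part.is_attachment():
            urls.extend(URL_RE.findall(part.get_content()))
    return urls


def attachment_names(msg):
    return [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]


def triage(raw_bytes):
    """Return (verdict, findings).  Verdict is deliver / flag / quarantine."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_bytes)
    findings = []
    auth = auth_results(msg)
    for method in ("spf", "dkim", "dmarc"):
        if auth.get(method) != "pass":
            findings.append(f"{method} not passing ({auth.get(method, 'absent')})")
    domain = sender_domain(msg)
    for url in body_urls(msg):
        host = (urlparse(url).hostname or "").lower()
        # A lookalike such as sender.com.evil.test is NOT a subdomain of sender.com.
        if domain and host != domain and not host.endswith("." + domain):
            findings.append(f"link host {host} differs from sender domain {domain}")
    for name in attachment_names(msg):
        ext = ("." + name.rsplit(".", 1)[-1].lower()) if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            findings.append(f"attachment {name} has executable-type extension {ext}")
    verdict = "quarantine" if len(findings) >= 2 else ("flag" if findings else "deliver")
    return verdict, findings


# Constructed sample: failed authentication, lookalike link host, macro attachment.
SUSPICIOUS_MESSAGE = b"""From: "Accounts" <billing@example-supplier.com>
To: payables@example.net
Subject: Overdue invoice
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=example-supplier.com; dkim=none; dmarc=fail header.from=example-supplier.com
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please review the attached invoice or pay online at
http://example-supplier.com.invoice-portal.test/pay

--b1
Content-Type: application/octet-stream; name="invoice.docm"
Content-Disposition: attachment; filename="invoice.docm"
Content-Transfer-Encoding: base64

UEsDBBQAAAAIAA==
--b1--
"""

# Constructed sample: authentication passes, link stays on the sender's domain, PDF attachment.
CLEAN_MESSAGE = b"""From: "Accounts" <billing@example-supplier.com>
To: payables@example.net
Subject: Invoice 42
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=example-supplier.com; dkim=pass header.d=example-supplier.com; dmarc=pass header.from=example-supplier.com
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain; charset="utf-8"

Invoice 42 is attached and also available at https://portal.example-supplier.com/invoice/42

--b2
Content-Type: application/pdf; name="invoice42.pdf"
Content-Disposition: attachment; filename="invoice42.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b2--
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS_MESSAGE), ("clean", CLEAN_MESSAGE)):
        verdict, findings = triage(raw)
        print(label, "->", verdict, findings)
```

The verdict thresholds are deliberately crude; the point is the structure of the three checks and how each corresponds to a capability named in the paragraph (sender reputation via authentication results, URL inspection, attachment inspection). A production gateway would add sender reputation feeds, URL rewriting or detonation, and attachment sandboxing on top of this.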

Using as many of these security capabilities and technologies as feasible can help reduce the risk of ransomware and
mitigate any negative impacts in the event of an attack.


As a leading cybersecurity company, Fortinet provides advanced protection for email, safeguarding your valuable data,
employees, and productivity.


1. “Ransomware Attack Vectors Shift as New Software Vulnerability Exploits Abound,” Coveware, April 26, 2021.
2. Lawrence Abrams, “Computer giant Acer hit by $50 million ransomware attack,” BleepingComputer, March 19, 2021.
3. Davey Winder, “Ransomware Gang Demands $50 Million For Apple Watch And MacBook Pro Blueprints,” Forbes, April 23, 2021.
4. “2021 Data Breach Investigations Report,” Verizon, 2021.
5. “Global Threat Landscape Report,” Fortinet, August 2021.
6. Ibid.
7. Fortinet data from polling of two separate webinar audiences on 9/16/2021 (Europe) and 7/7/2021 (U.S.).
8. “Ransomware Attack Vectors Shift as New Software Vulnerability Exploits Abound,” Coveware, April 26, 2021.
9. Based on analysis by Bridewell Consulting, “2021 Ransomware and the Mitre Att&ck Framework,” Bridewell Consulting, May 12, 2021.

www.fortinet.com

Copyright © 2021 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product
or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other
conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s General Counsel, with a purchaser
that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any
such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise
revise this publication without notice, and the most current version of the publication shall be applicable.

October 22, 2021 9:52 AM

1292732-0-0-EN
