
Ransomware and Social Engineering: Understanding the Link

October 4, 2023

The terms ransomware and social engineering are sometimes used interchangeably, particularly in news articles about major ransomware attacks. 

The confusion is understandable: Many bad actors use social engineering techniques to distribute malicious software. However, social engineering is an attack vector, not a type of malware.

Here’s why the distinction is important — and how to protect your organization from common social engineering tactics.

What is social engineering in cybersecurity? 

Social engineering refers to any tactic intended to deceive or manipulate a human victim. Some common examples include:

  • Direct phishing (spear phishing, or vishing when done by phone), in which a bad actor impersonates a specific person or role to deceive a specific target. In a recent incident, MGM Grand’s systems were allegedly compromised by an attacker who called an MGM employee while posing as a member of the IT staff. The attacker (again, allegedly) simply asked for their login credentials.
  • Indirect phishing, in which a bad actor uses “wide-net” phishing techniques. For example, the attacker could send an email to every member of an organization with an attachment that contains malware.
  • Baiting, in which the attacker presents the victim with some sort of promise. For example, the attacker may leave a USB drive with malware in the target organization’s parking lot — with the assumption that an employee will be curious enough to plug the drive into a company computer.
  • Scareware, in which the attacker tricks the victim into believing that their computer is already infected with malware. The victim is told to click on a link or install remote access software, at which point the attacker can reach sensitive data.

Social engineering tactics have always played a major role in malware distribution, but with the rise of ransomware, groups have refined their tactics.


Why do ransomware groups use social engineering?

Simply put, social engineering works. The end user is usually the weakest link in an organization’s IT security. Many ransomware payloads are recognized and blocked by antivirus software if they are simply emailed to a target or dropped onto a system, so bad actors frequently need a foothold first: valid user credentials let them log in to remote access services as a legitimate user, move through the network, and disable defenses before the payload is ever deployed.

The Cybersecurity & Infrastructure Security Agency (CISA) recommends that organizations take a cautious, multifaceted approach to limit their vulnerability:

  • Train employees to be suspicious of phone calls, messages, emails, and visits from individuals asking about employees or other internal information. 
  • If an individual requests internal information, verify their identity before providing that information. 
  • Pay attention to URLs when following hyperlinks in emails. 
  • Never open email attachments from unrecognized sources, and double-check the identity of the sender before opening attachments from known sources: the attacker may “spoof” the identity of another employee or manager to trick victims into opening attachments or links.
  • Limit access to mission-critical systems. Do not provide administrator credentials unless they’re absolutely necessary. 
  • Maintain up-to-date antivirus software, email filters, and firewalls.
  • Implement (and enforce) multi-factor authentication (MFA). Prefer phishing-resistant methods (such as FIDO2 security keys) where possible, and remember that MFA is only as strong as the help-desk process for resetting or re-enrolling it, which is itself a social engineering target.
  • Tell employees to report suspicious contact. This is especially important during holidays, natural disasters (such as floods or hurricanes), and in other situations where bad actors may take advantage of the circumstances to plan an attack. 
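As an added example (not code from the original article or from CISA), the Python script below automates two of the checks in the list above: comparing the visible text of each hyperlink with its real destination, and comparing the sender’s display name and domain against an organization domain and staff directory. The organization domain, the directory, and the sample e-mail are all constructed for this example.

```python
"""Heuristic triage of a suspected phishing e-mail: does visible link text match
the real destination, and is the sender impersonating a known colleague?
Organization domain, staff directory and sample message are constructed."""
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

ORG_DOMAIN = "example.com"                       # assumed organization domain
DIRECTORY = {"Pat Lee": "pat.lee@example.com"}   # hypothetical staff directory

class _LinkParser(HTMLParser):
    """Collect (visible text, href) pairs so the two can be compared."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def registrable_domain(host):
    """Last two labels of a hostname; adequate for .com/.net-style TLDs."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def edit_distance(a, b):
    """Levenshtein distance, used to spot lookalike domains such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_link(text, href):
    """Return the reasons a hyperlink looks deceptive (empty list if none)."""
    parsed = urlparse(href)
    host = parsed.hostname or ""
    reasons = []
    if "xn--" in host or any(ord(c) > 127 for c in host):
        reasons.append("internationalized (punycode/homoglyph) hostname")
    if "@" in parsed.netloc:
        reasons.append("userinfo before '@' disguises the real host")
    if text.startswith(("http://", "https://")):  # link text is itself a URL
        shown = urlparse(text).hostname or ""
        if registrable_domain(shown) != registrable_domain(host):
            reasons.append(f"text shows {shown} but link goes to {host}")
    if ORG_DOMAIN in host and registrable_domain(host) != ORG_DOMAIN:
        reasons.append(f"{ORG_DOMAIN} is only a label inside {host}")
    return reasons

def check_sender(from_header):
    """Flag display-name spoofing and near-miss sender domains."""
    name, addr = parseaddr(from_header)
    domain = addr.rsplit("@", 1)[-1].lower()
    reasons = []
    known = DIRECTORY.get(name)
    if known and known.lower() != addr.lower():
        reasons.append(f"display name belongs to {known} but address is {addr}")
    if domain != ORG_DOMAIN and 0 < edit_distance(domain, ORG_DOMAIN) <= 2:
        reasons.append(f"sender domain {domain} is a near-miss for {ORG_DOMAIN}")
    return reasons

def triage(raw_message):
    """Parse an RFC 5322 message; return sender findings and flagged links."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = {"sender": check_sender(str(msg["From"] or "")), "links": []}
    for part in (p for p in msg.walk() if p.get_content_type() == "text/html"):
        parser = _LinkParser()
        parser.feed(part.get_content())
        for text, href in parser.links:
            reasons = check_link(text, href)
            if reasons:
                findings["links"].append((text, href, reasons))
    return findings

# Constructed sample: a credential-reset lure spoofing a known employee.
SAMPLE = """\
From: Pat Lee <pat.lee@examp1e.com>
Subject: Urgent: password reset required
Content-Type: text/html

<p>Your account will be locked. Sign in now:</p>
<a href="https://example.com.login-verify.net/reset">https://example.com/reset</a>
<a href="https://example.com/portal">Portal</a>
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Run against the sample, the sender is flagged twice (the display name belongs to a different address, and examp1e.com is one edit away from the real domain) and the reset link is flagged because its text shows example.com while the registrable domain is actually login-verify.net. Heuristics like these belong in a mail gateway or a user-reporting workflow as a supplement to training, not a replacement for it; a link with no findings is not proof that it is safe.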


Responding to a Ransomware Incident

Even with reasonable security controls in place, social engineering can give attackers access to key systems and let them distribute malware payloads.

It’s important to remember that many groups wait for weeks or months after the initial compromise before activating those payloads. During that dwell time, “dormant” ransomware can be copied into backup systems and archives along with legitimate data, and the attacker may encrypt or delete backups outright, so that when the ransomware activates the organization has nothing clean to restore from.

We strongly recommend building a ransomware recovery strategy before an incident occurs. A successful strategy mitigates the potential impact of an attack by maintaining quarantined backups (“golden copies” of key systems) that the production network cannot reach or modify, monitoring the dark web for stolen user credentials, and regularly auditing security controls. We can help your organization create a long-term, sustainable plan for ransomware mitigation. With solutions for ransomware data recovery, penetration testing, data loss analysis, and dark web monitoring, we provide comprehensive resources for organizations of all sizes.

To learn more, call 1-800-237-4200 and speak with a ransomware expert or schedule a consultation online.