What the Ransomware Pandemic Tells Us About the Evolution of Spear Phishing Attacks

Tessian • Thursday, January 6th 2022

Over the last several years, the cybercriminal economy has undergone a sea change in maturity and sophistication. And it’s not going to slow down any time soon. Looking at the numbers:


  • The cost of cybercrime damages, currently in the $6 trillion range, is expected to reach $10.5 trillion by 2025 – a +350% increase from 2015
  • The average cost of a cybersecurity breach escalated to $4.24 million in 2021 – up almost 10% year-over-year.
  • By 2025 the lucrative nature of cybercrime will be 10x greater than all other illicit activities combined
  • Ransomware is proving to be particularly problematic, with ransomware damages exceeding $20 billion for 2021 – a 57-fold increase from 2015
  • 2021 also saw the largest ransomware payment yet, by insurer CNA for a sum of $40 million to regain access to their data and information systems
  • The past 12 months have been equally tough for the cyber insurance industry, with claims up by 500% YoY – and ransomware responsible for 75% of those claims

As a consequence, cyber insurance premiums are now in record territory, witnessing 75% to 100% increases over the past 12 months – with some of the leading insurers now excluding coverage for nation-state cyber attacks.


The bottom line: the threat paradigm has evolved, and ransomware is the biggest challenge security leaders face.

Ransomware as organized cybercrime


The increasing sophistication of ransomware attacks (both in target acquisition and attack execution) points to a new level of maturity. Cybercriminals are displaying a level of sophistication akin to organized criminal groups. What compounds the challenge is that a sizable share of these organized criminal groups have nation-state backing.


Recent trends point to increasing commercialization of offerings available on the dark web, with Ransomware-as-a-Service (RaaS) available for as little as $40 per month. Russian-linked cybercrime groups REvil and DarkSide have been particularly active on the RaaS front – with REvil being taken offline twice by law enforcement in 2021. 

Cybercriminals generally fall into two categories:


  1. The purely criminal enterprise: solo or group actors that are loosely organized, acting on their own initiative or available for hire. Their motivation is primarily financial gain.
  2. The organized cybercriminal gangs, often transnational in scope, and often the groups that benefit from implicit or explicit nation-state support. Their motivations for attacking include financial gain and/or political reasons (espionage and sabotage). These groups do not focus exclusively on deploying ransomware but continually adapt, seek and develop new exploit methods. Also commonly referred to as advanced persistent threat (APT) actors, well-known examples include the Russian state-linked Fancy Bear (APT28) and Cozy Bear (APT29), or the Chinese state-linked Wekby (APT18), Emissary Panda (APT27) and Wicked Panda (APT41). Other countries linked to APT groups include Iran, North Korea (Lazarus Group, APT38) and Vietnam.

All threat actors deserve attention, but the APT actors and their association with ransomware attacks are of particular concern. APTs pose the greatest threat to companies and countries alike because of their advanced capabilities and the degree of state sanction under which they operate. Industries like manufacturing, financial services, healthcare and critical infrastructure, as well as countries around the world, continue to be targeted.


APTs are often driven by a mandate of either financial gain or intellectual property and data theft, which can include industrial or state espionage – evident in the recent Chinese-linked APT data harvesting campaigns. Additional motivations can include nation-state sabotage, either accidental, as we saw in the Colonial Pipeline hack, or orchestrated, such as the Russian-linked critical infrastructure destabilization campaigns in Ukraine.

The actions of ransomware campaigns can have devastating financial and other consequences including:


  • Financial costs associated with the ransomware payment – declared ransomware payments in the US totalled $590 million from January to June 2021
  • Cost of disruption damage – the damages associated with the NotPetya ransomware attack are estimated at more than $10 billion
  • Reputation damage – unquantifiable
  • Catastrophic data loss events resulting in significant business harm or business failure – FEMA indicates a more than 90% probability of business failure for a data recovery effort that takes longer than 5 days.

The importance of hardening your email defensive capability

One particular threat vector of concern is the targeting of employees via email through advanced and persistent social engineering campaigns, often driven by APT actors. Legacy email security solutions, built for the on-premise world of email exchange servers and relying on manual, static and rule-based security methodologies, offer rudimentary protection at best.

This helps explain why email continues to be the number one threat vector. With the average organization experiencing a click-through rate of 30% on simulated phishing exercises, it is no surprise that 96% of phishing attempts are delivered via email. The odds are certainly in the bad actors’ favor.


This explains why phishing via email remains the number one delivery mechanism for ransomware – accounting for 54% of successful attacks.


The types of phishing attacks that are most devastating center on advanced spear phishing and business email compromise (BEC). Targeted at senior personnel in an organization, these attacks deploy a range of impersonation methods – also referred to as whaling or C-suite impersonation attacks.


Senior personnel are targeted because of the significant administrative privileges these email accounts carry. Once an attacker has successfully compromised an employee’s email account, the mean time to deploy the ransomware and demand a ransom ranges from 12 to 76 hours. For small companies the incident usually plays out over 2 to 4 days; for larger enterprises it can take several weeks.


The fallibility of employees to phishing attacks, combined with legacy email security solutions built for an on-premise world, goes some way toward explaining why damages associated with cyber attacks are expected to increase exponentially in the coming months, especially with hybrid working here to stay.

What the pandemic means for enterprise cybersecurity 


The dramatic shift to a hybrid and remote operating model as a result of the pandemic has proved a boon for cybercriminals, with ransomware attacks being particularly rewarding. Even the “average” person is worried about cybercrime, with Americans saying it’s the crime they’re most worried about in 2021.


Security leaders are worried too, with 69% saying they think ransomware attacks will be a greater concern in a hybrid workplace.


Enterprises with significant on-premise footprints and associated legacy IT infrastructure have been particularly vulnerable to cyber attacks. Attack surface risk increased exponentially overnight, with employees logging into corporate networks from poorly secured home networks, and often on personal devices. The telemetry that on-premise cybersecurity tools provided was, and has been, severely curtailed. These legacy tools were built for a world of securing networks, endpoints and devices.


The pandemic set new parameters of where cyber risk could manifest and revealed a need for a new approach to cybersecurity – an approach that addresses cyber risk as it manifests, in real-time, regardless of network, endpoint or device. 


Integrated cloud email security for the post-perimeter new order


It is for these reasons that 75% of cybersecurity leaders believe legacy email security approaches and tools are no longer adequate for the current threatscape. This is also why 58% of cybersecurity leaders are investing in behavioral intelligence-enabled email security solutions. Only by securing an organization’s most important asset – its employees – will the risk of a cyber attack, including ransomware, be mitigated.


Tessian Cloud Email Security intelligently prevents advanced email threats and protects against data loss, to strengthen email security and build smarter security cultures in modern enterprises.


Key features include:


  • Advanced Spear Phishing Protection
  • Advanced Attachment and URL Protection  
  • Internal Impersonation & CEO Fraud
  • Advanced Spoof Detection
  • Counterparty & Vendor Impersonation 
  • Brand Impersonation
  • External Account Takeover 
  • Invoice Fraud
  • Bulk Remediation
  • Automated Quarantine 
  • Threat Intelligence
  • Insider Threat Management
  • Accidental & Malicious DLP

