Just Released: Advanced Multi-Channel Security with Microsoft 365 Email  Protection

Executive Summary

A Ransomware attack is a sophisticated form of malware attack that looms as a serious and costly threat to virtually every enterprise organization, regardless of size or vertical. Ransomware attacks can put critical data at risk of theft or destruction while rendering IT systems inoperable. Enterprise ransomware attacks have been increasing in volume and sophistication for years, and detecting ransomware on the network is becoming more difficult.

It can sometimes feel like we are living in a Ransomware pandemic. Recent years have shown how ransomware affects businesses and the breadth of the devastation it can cause. In 2021, the average ransomware attack on businesses is $1.85 million. Organizations hit by ransomware suffered untold losses in business disruption, being effectively disabled on average for about 19 days. Ransomware caused at least $11.5 billion in damages in 2019 and increased to $20 billion in 2020. 

While email-based spear phishing has long been a favorite vector of ransomware attackers, attacks are increasingly occurring on social media accounts, mobile chat, and digital collaboration applications. In other words, the way we are all working today puts us at greater risk than ever; social media apps like Facebook, collaboration apps such as Microsoft Teams, Slack, and Zoom, and messaging apps like WeChat and Telegram have quickly become embedded in today’s brands and business relationships. These apps take our employees, even executives, into shadowy places beyond the usual scope of enterprise data management.

Cloud Apps We Protect

zoom logo

Ransomware is such an issue because the 15-year history of this threat has seen various nefarious forces coalesce.

  • Email gateways are overwhelmed because of huge, botnet-driven campaigns, polymorphic malware, and URLs escaping attachment detection techniques.

  • The explosion in third party cloud apps, used by every enterprise and individual on earth, has dramatically expanded the threat surface. There are far more attack vectors than there were even a couple of years ago. Phishing attacks (the main source of ransomware attacks) are now about far more than just email.

  • Social digital defenses are relatively weak compared to the $3 billion email security industry. Simply put, cybercriminals have a higher probability of success in these applications. 

  • The increased accessibility of technologies for encryption and malware development has lowered the bar to entry. Building ransomware is cheaper than ever before. As a result, far more cybercriminals are experimenting with ransomware than ever before. 

  • Encryption technologies have continued to improve. With modern ransomware, once the encryption of a hard drive or a set of files takes place, it can be near impossible to perform the de-encryption without purchasing the key from the attacker.

  • Organizations are more interconnected than ever before. A single ransomware trojan can flow like poison through an entire organization in the space of days or even hours.

  • There is no honor amongst malware thieves: With ransomware, victims who do pay are frequently targeted again.

Social media apps have become ripe targets for ransomware attackers. Even the tools and solutions designed to enable communication and collaboration in and around organizations have expanded the threat surface. 

From malicious payloads delivered through links and personal messages that convince or scare unsuspecting victims into wiring resources into a bogus account, to GIFs that steal sensitive information just by being viewed, a ransomware attack can look like anything. And often, the victims don’t realize they’ve already been infected until it’s too late.

Some of the most common social media applications that have experienced malware- and ransomware-related issues are:




Slack is another collaboration platform that boasts a solid number of individual and business adopters. Because of that, attackers have taken to creating malware that infects Slack to compromise the users of this application. Recently, bad actors have been leveraging Slack’s chat capabilities to trick users into opening malicious payloads and deploying various remote-access trojans (RATs) and info-stealers, according to reports.

In fact, in May 2021, a ransomware attack infiltrated the Colonial Pipeline network in a double-extortion scheme perpetrated by the DarkSide ransomware group. The damage? Nearly 100Gb of data stolen, and a closed down pipeline that affected the entire US continent, especially the Mid-Atlantic region. And according to FireEye, the attackers may have exploited Slack API to communicate with the C2 server and carry out the attack.

Beside its susceptibility to malware, Slack has other vulnerabilities, too. Securing the platform for business can be a great challenge to companies without the right security and compliance solutions.




Even before Zoom’s meteoric rise in adoption due to the COVID-19 pandemic, the platform has had its share of ransomware incidents. Today, it’s one of the platforms that have continuously allowed people to reconnect with each other, especially during the pandemic lockdowns. However, Zoom ransomware threats still exist and the need for security measures against them is real. Companies using this type of collaboration tool should create a security and compliance policy specific to the threats they open themselves up to when using them. Read here for our Zoom security best practices list.


Asset 1xxxhdpiMicrosoft Office 365 and Teams


Microsoft’s expanded suite of technology solutions include Office 365 and Teams, which come with their own vulnerabilities. In 2016, a ransomware exploiting Office 365, called Cerber, exploited millions of the platform's users. Then in 2021, train operations company Merseyrail experienced a Lockbit ransomware attack due to a compromise in their Microsoft Office 365 account.

Microsoft Teams is no exception. With its growing adaptation among enterprises and business, bad actors have found opportunities to exploit the platform with malware that targets Teams. Case in point: the FakeUpdates malware campaign that infected Teams accounts in 2020. If businesses want to protect themselves from ransomware that infects their Microsoft instances, they should leverage enhanced enterprise visibility and security solutions.




Being the largest professional network online, LinkedIn has experienced its fair share of cyberattacks and data breaches. And while the website is not the reason for the vulnerabilities themselves, malware, ransomware, and phishing campaigns that infect LinkedIn users still make the rounds because of bad actors abusing the platform.

Case in point: in April 2021, attackers launched a phishing campaign in an attempt to trick professionals into opening a .zip file that had malware which downloads a backdoor into the users’ computer, allowing attackers access and ways to install malicious software. A few months before that, in January, malicious actors used the platform’s contact requests functionality to install ZeuS, a data theft malware, onto their victims’ computers. The Lazarus Group recently exploited the LinkedIn attack surface to gain access to engineers on LinkedIn.


Asset 2xxxhdpiFacebook (and Messenger)


Finding ransomware on Facebook is pretty common. Even on its companion app, Facebook Messenger, spreading malware is not a new thing. It’s not surprising then that questions like “how to fix malware on Facebook” or “how to remove malware on my Facebook account” are common search queries for Google.

Recently, another Facebook Messenger malware has seen increased activity. Dubbed the Messenger Virus, the recent iteration of this malware contains a profile picture, the name of the recipient, an active link, and emojis, and often comes with titles like “Is this you?” or “XXX video”, anything that might capture the account owners’ attention. Facebook’s help desk suggests these actions on how to deal with a Facebook ransomware attack. It is very likely Facebook vulnerabilities played a part in the MosaicLoader malware campaigns that are currently spreading around the world.




Boasting over 500 million monthly active users and massive engagement rates, Telegram earned much praise due to its ability to host large groups (up to 200,000 users) and large file sizes (up to 1.5 GB). Moreover, its messenger security is a cut above the rest, earning its title as one of the most secure messaging apps in the world.

Yet hackers have found a way to embed Telegram’s code inside a remote-access trojan (RAT) called ToxicEye. That enables bad actors to control computers infected with said malware via a hacker-operated Telegram messaging account. Companies planning to secure Telegram for business use should then deploy a robust cybersecurity system that protects their systems from this new threat.

There are three main vectors that ransomware can get inside a device or system. The most common methods are:

  1. Email Phishing.
    Most ransomware attacks in history have started through phishing emails. These emails trick users into opening a malicious attachment or clicking a malicious URL. Opening the attachment or clicking the link activates the ransomware, which then proceeds to infect the recipient’s computer or device and potentially spreads throughout the entire IT infrastructure.

    While emails are common deployment systems for most cyberattacks, many people still fall for it. Malicious emails are highly effective, especially when they appear to be from legitimate contacts and parties the recipient trusts. Part of the scammer’s sophisticated approach is to craft convincing emails that contain authentic-looking email addresses, logos, and other elements like specific text types and tone of the message.

  2. Social Media Phishing.
    Ransomware attacks caused by social media malware – rather than email – make up an increasing proportion of overall attacks. In 2019, Facebook experienced a massive 176% year-on-year growth in phishing URLs, many of which contained ransomware.

    Social media ransomware attacks mimic their email counterpart: bad actors send malicious links via direct message. Usually, these links spoof a real login page and steal credentials. Phishing links sent via direct message tend to be opened even more than those sent over email, as people are generally wiser to email threats, but tend to open messages without thinking.

  3. Exploit Kits.
    Exploit kits are automated programs used by attackers to exploit known vulnerabilities within systems or applications. A user will visit a certain website or and/or use a certain piece of software, and the exploit kit will silently download ransomware onto the user’s device and execute it. Certain pieces of software, such as Adobe Flash and Oracle Java, are known to contain vulnerabilities. The computing community attempts to track these in a reference list of Common Vulnerabilities and Exposures (CVE), but bad actors can often be a step ahead.

    WannaCry infected people via the Eternal Blue exploit. The most devastating piece of ransomware in history used a Microsoft exploit stolen from the National Security Agency (NSA).

One might also wonder which type of device is the top target for ransomware incidents. The answer? All of them.

True, ransomware attacks frequently happen on desktops and laptops because, historically, they’re often delivered through email. However, as bad actors have adapted to the boom of social media, and the proliferation of mobile chat and digital collaboration apps, every device is now susceptible - including smartphones, tablets, even smart watches.

All forms of ransomware attacks restrict access to files or data that are valuable to the user, and then demand payment in order to recover that access. Within this overall approach, the question remains: how many types of ransomware are there? There are seven broad categories.




The most popular form of ransomware, and extremely damaging, crypto-malware gets inside a system and encrypts all the files and data contained within. Access is impossible without the malefactor’s decryption key.




Once executed, scareware automatically locks a user’s computer and displays a message claiming that it has detected a virus or an error. The scareware instructs the victim to pay a specific amount to “fix” the issue. Some forms of scareware don’t technically encrypt files, but flood the screen with pop-up messages that make using the system impossible.




Rather than encrypting select files, lockers lock victims out of their systems completely, preventing them from accessing anything. Locker-based attacks include a screen display that tells the victim the ransom demand, and often includes a countdown timer, intended to induce panic and force victims to pay without attempting to find another solution.




This type of ransomware claims and encrypts a certain sort of data. It then threatens to release victims’ personal (in the case of an individual) or sensitive (in the case of a business) data to specific parties or the general public. Victims of doxware/leakware are driven to pay the ransom for fear of highly private data being exposed.


Suspicious_Dark-1RaaS (Ransomware as a Service)


For parties that want to initiate ransomware attacks but don’t have the time, the tools, and/or the expertise, the cybercriminal market has a solution. People can reach out to a professional hacker to do the job for them. This hacker will carry out the attack, and receive a portion of the ransom reward in exchange for their services. These people, often referred to as “affiliates”, allow ransomware developers to focus on their products while they concentrate on infecting more people and generating more revenue. In order for the affiliate model to work, the developers generate specific code within the ransomware to their affiliates, with a unique identifier embedded within. This code splits the ransom payout between the developer with the unique ID and the affiliate that infected the victim.




For most ransomware attackers, extortion is now “big business”. According to Recorded Future, attackers and their affiliates carry out extortion by threatening to release exfiltrated files unless a victim pays a ransom. This is partly due to the fact that extortion cases garner media attention, something many cybercriminals crave. Publicity aids the sales of these Ransomware-as-a-Service (RaaS) offerings, but what’s more enticing to these criminals is the seemingly lucrative payout. In fact, in Russia, the average payout per infected host is about $300 against 30 ransomware payouts a month. One ransomware group called DarkSide even has an affiliate program where payouts to affiliates can range from 75-90% of the total ransom, depending on how successful the attack was.


Marketing_Dark-1Big Game Hunting


This is a targeted, complex, low-volume, high-return form of ransomware attack. The attacker gains entry, makes lateral movements to observe the network, then gains access to exfiltrate files and deploy the ransomware. Big game hunters are patient. It typically takes days for an attacker to understand the network, gain the proper access, and deploy.

The spear-phishing techniques deployed on email and social applications are very similar in nature and involve an element of social engineering to enable the initial compromise to succeed. The attacker can often perform their target recon on the app itself (e.g. LinkedIn) and then simply make a connection request to the target to begin establishing the trust relationship. In fact, the more connections the attacker makes within the organization, the greater the sense of trust that is established.

At this point, the attacker is in an excellent position to launch the attack by sending a malware-laced attachment or link to the targeted victim, under the pretext of a legitimate purpose. For example, cyber criminals might adopt the guise of a recruiter, and after penetrating the organization with a multiplicity of connection requests, may now send a malware-laced file link under the cover of a job description. Once the victim clicks through on the document, the host device can be compromised with a first stage malware payload.


In an enterprise attack, this would only be the first stage and would unlikely contain ransomware per se. The longer term objective would be to effect lateral movement for long-term persistence and to establish command and control for data exfiltration and finally ransomware deployment.

Given the nature of these “Big Game Hunting” scenarios where ransomware is often delivered as part of a multi-stage attack process,  and may occur on any one of several attack surfaces, it is important to coordinate defensive counter-measures across all of these vectors. For example, detecting a malware attack on a social media app could also be an indication of a broader attack front across multiple attack surfaces such as email and remote access management tools.

On the whole, ransomware attacks are frighteningly successful. The malware and the techniques are constantly evolving, and once encryption takes place, it can be tough to reverse. The reality is that, hit with a sophisticated ransomware attack, most enterprises pay.

For this reason, the absolute best course of action against ransomware is proactive defenses combined with constant data backup. Some best practices on how to mitigate ransomware incidents include:

  1. Back Up and Test Restoring.
    The most important part of a ransomware security strategy is the use of regular data backups. Enterprises should perform these as often as possible, and they should be combined with backup and restore drills. Both processes are important; restore drills are the only way to know if a backup plan is a good one. If a team can restore from a very recent backup, then they put themselves in a position where they might not need to pay to get data back.

  2. Gain Powers of Detection.
    The malicious links and attachments that are the main source of ransomware attacks can arrive through multiple routes. Not only email, but social media messages, collaboration tools, and any other cloud apps. Proper digital risk protection tools can proactively monitor all digital communications and immediately detect and quarantine potentially problematic links, attachments and URLs. Traditional antivirus software isn’t enough here; enterprises need next-gen solutions leveraging machine learning to detect both known and unknown forms of ransomware.

  3. Educate Employees On Cybersecurity Best Practices.
    A study by Kaspersky revealed that almost half of employees don't know how to respond to ransomware attacks. All employees should gain a basic understanding of what ransomware is, how it usually arrives, and what the warning signs are. They should know who to report suspicions to, and what to do in the event that their actions trigger the execution of ransomware.

  4. Constantly Update And Patch Operating Systems And Software.
    Attackers work relentlessly to discover vulnerabilities that can be exploited. Avoiding ransomware requires IT professionals to be equally rigorous in return. CVEs are always being patched. By constantly updating systems and patching software, enterprises significantly reduce their exposure to vulnerabilities.

  5. Incorporate Digital Risk Protection Into the Core of Cybersecurity Efforts.
    To keep up with the growing and ever-changing threat of ransomware, enterprises need to invest in digital risk protection tools that provide full threat intelligence. This way, IT teams can automatically identify, assess, and proactively respond to threats, and stop any ransomware spread before it begins.

  6. Monitor Endpoints for IOAs (Indicators of Attack).
    A dedicated set of cybersecurity solutions offer endpoint detection and response (EDR). These solutions can closely monitor activities across all endpoints, and capture raw events deemed suspicious. These solutions can deliver unhindered environment visibility for proactive threat recognition and response at the endpoint level.

When it comes to ransomware, avoiding becoming a victim is better than cure. Reducing the risk of ransomware incidents should be a priority for many businesses. However, should an organization be unfortunate enough and fall prey to ransomware, the following steps should be followed:

  1. Remove The Device From The Network.
    Ransomware on one device is bad, but ransomware proliferating through a network of devices is catastrophic. Employees should be trained to immediately disconnect their device from the network if they see a ransomware demand displayed on their screen. They should also do the same if they observe anything peculiar, such as an inability to access their own files. Employees must not attempt to restart the device; it should be sent immediately to the IT department.

  2. Notify Law Enforcement.
    Ransomware is a crime. Theft and extortion rolled into one make it a law enforcement concern. Organizations should all default to immediately contacting the police cybercrime department, should they fall victim to a ransomware attack.

  3. Use Digital Risk Protection to Establish The Scope of Attack.
    In the wake of a ransomware attack, security teams need to gather as much intelligence as they can, as fast as they can. This will help both internal IT teams and law enforcement agencies formulate a response. Enterprises should strive to figure out the nature of the attack: who is behind it, what tools they used, who they targeted and why. Answering such questions can help your IT managers and network administrators figure out the extent of the attack and protect networks from future attacks.

  4. Consult with Stakeholders to Develop the Proper Response.
    Enterprises suffering a bad ransomware attack need to answer a host of questions: Can they afford to lose access to the targeted files, either because they have been backed up, or because they are not of the highest priority? Can the organization afford the ransom? Is there any room for negotiation? All stakeholders, from shareholders to legal counsel, should be consulted.

  5. Get the Post-Mortem Right.
    The best way to resist a ransomware threat is to have learnt from the last one. After an attack, enterprises should task their IT technicians, network administrators, and cybersecurity teams with a thorough review of the breach. A meticulous assessment of an organization's infrastructure, practices, and processes is required to discover flaws in security, and reinforce an enterprise against existing and future threats.

Fortunately, more companies are becoming smart enough to not give in to the threat of ransomware. As of Q4 of 2020, the average ransom payment is down by 34% ($154,108) from $233,817 in 2020’s Q3.

The dramatic decline can be attributed to the recent instances of malware attacks where, instead of being deleted, the stolen data is released publicly, even when the affected organization or individual pays. Now, more victims of cyber extortion are saying “no” to ransom payments, and are becoming smarter in their cybersecurity efforts by creating backups of their data and following best practices.

Hopefully, moving forward, more companies will proactively secure their data by following the best practices stated above and continue to resist being strong-armed by ransomware attackers. When cyber extortion loses its profitability, organizations win.



With proper communication risk protection, organizations can detect and nullify ransomware threats before they become an issue. The SafeGuard Cyber platform can keep pace with the scale and velocity of modern digital communications, and detect phishing links and other indicators of ransomware attacks across the full suite of cloud applications. Threats are instantly flagged and quarantined before an unsuspecting human target clicks on anything dangerous.

Secure Human Connections

Ready to see how SafeGuard Cyber secures modern communication apps wherever they exist?