The CAL Blog

Email is the most common entry point for ransomware attacks

Written by The CAL Team | Apr 19, 2023 10:04:26 PM

By Steve Hallo

Original article can be found here.

In the past 12 months, around three-quarters of organizations reported being hit by a ransomware attack and 38% were hit twice, according to a survey from Barracuda Networks, Inc., which reported email was the starting point for 69% of companies hit by ransomware. For organizations with more than 250 employees, 75% of ransomware attacks were started via email.

As companies leverage more advanced threat protections, hackers have become more reliant on social engineering tactics such as phishing for users’ credentials, Barracuda Networks reported. Comprised accounts then become the channels through which malicious actors use to navigate inside a company’s system undetected.

While email is the most common attack vector overall, it is not the number one threat for every industry, Barracuda reported. For example, attacks hitting the consumer services sector tend to originate from web traffic and web applications.

 “The number of organizations affected by ransomware in 2022 likely reflects the widespread availability of low cost, accessible attack tools through ransomware-as-a-service offerings,” Fleming Shi, chief technology officer at Barracuda, said in a release. “The relatively high proportion of repeat victims suggests that security gaps are not fully addressed after the first incident."
 

‘Are we ready for this?’

While a majority of companies have faced ransomware, more than a quarter don’t feel fully prepared to deal with an attack, Barracuda reported. However, this is an improvement from 2019, when 44% of organizations said they felt unprepared.

Barracuda noted that as an organization becomes larger, it becomes more likely it is to feel unprepared because they have more data to protect and a larger attack surface.

 

Around 17% of companies with 100-249 employees said they felt unprepared to deal with ransomware. Around 30% of companies with 250-499 employees and organizations with 500-999 workers felt ill-prepared, while 35% of companies with 1,000-2,500 employees said they aren’t ready to handle an attack.