Cybercriminals continue to focus on compromising people, according to Proofpoint's 2022 State of the Phish report. Pictured: Workers prepare a presentation of advanced email on March 5, 2012, in Hanover, Germany. (Photo by Sean Gallup/Getty Images)

Proofpoint on Tuesday released research that said 78% of organizations saw an email-based ransomware attack in 2021, while 77% faced business email compromise (BEC) attacks.

In its 2022 State of the Phish report, Proofpoint found that cybercriminals continue to focus on compromising people as opposed to gaining access to systems through technical vulnerabilities.

“Email remains the favored attack method for cyber criminals, so there’s clear value in building a culture of security, said Alan Lefort, senior vice president and general manager of security awareness training at Proofpoint. “In this evolving threat landscape and as work-from-anywhere becomes commonplace, it’s critical that organizations empower their people and support their efforts to learn and apply new cyber skills, both at work and at home.”

Phishing has become one of the most common methods of ransomware infiltration into an environment, said Matthew Warner, co-founder and CTO at Blumira. Warner said some ransomware groups will brute force public RDP servers or exploit vulnerabilities such as Exchange with ProxyShell or VMWare Horizon with Log4j to gain initial access, but this requires additional tooling and targeting.

“It has been long proven — and the Proofpoint numbers reinforce this fact — that if attackers hit an organization enough times with phishing emails, they will succeed,” Warner said. “Then, it’s only a matter of whether the attackers can pass weaponized documents through the email, or convince the victim to download and execute a payload. In the grand scheme of defensive security, ransomware derived from phishing has become just another tool for attackers. If threat actors can send phishing emails while also scanning for known-vulnerable services and credential stuffing, the chance of success greatly increases.” 

Chris Clements, vice president of solutions architecture at Cerberus Sentinel, said it’s not that 78% of the 600 study respondents suffered a full-blown ransomware attack: it’s that they observed phishing emails that attempted to launch a ransomware attack. 

“Considering that, it seems to me that the 78% number is surprisingly low,” Clements said. “I would expect that over the course of a year, an organization of any size is likely to receive a phishing email attempting to introduce ransomware.  It’s possible that the respondents did in fact all receive ransomware focused phishing attempts, but they were either not noticed or blocked by spam filtering or antivirus controls that the participants weren’t aware of."