Addressing the root causes

4 mins read

Phishing-driven ransomware attacks are soaring and more must be done to stop them, according to Al Lakhani.

Credit: Bits and Splits -

Every week the news is littered with stories about organisations being hit with ransomware attacks. The issue is getting worse, too, with malicious ransomware attacks on IT systems and business accounts skyrocketing – globally, 73% of businesses were targeted in 2023, up from 55% in 2018.

Here’s a worrying stat: by 2031, experts predict that ransomware will target a business, consumer or device every two seconds, exhorting $265 billion a year out of the victims. 

But amidst the eye-watering figures for how much organisations shell out to ransomware criminals we should not lose sight of the fundamental causes of these attacks: phishing and compromised credentials. 

How do ransomware attacks work?

In the main, ransomware attacks transpire when a hacker’s malware penetrates a user’s IT system and encrypts their data to block them from accessing their device or the files stored within it. The attackers then offer the user or business a loaded deal: hand over a large amount of money, or your access and data are gone for good.

So, let’s rewind to step one. How do the hackers get into an organisation’s IT system in the first place? There are four main routes that criminals use to carry out their attacks.

Password-based attacks

By exploiting weak or stolen credentials, cybercriminals can access accounts or IT systems by posing as legitimate users. Then, they implant the malware. A notable example of an attack of this kind was when Colonial Pipeline’s networks were breached, leading to an emergency declaration in 17 US states with fuel shortages and price hikes at the forefront. 


Users are lured into clicking on malicious links or downloading infected attachments, which allows malware to infiltrate their devices. For example, the Wizard Spider cybercrime group developed Ryuk ransomware, which encrypts data on an infected system until a ransom is paid. To date, the group has forced many notable organisations, including school districts and radio stations, into paying substantial sums.

Vulnerabilities in the software

This allows hackers to penetrate a victim’s system by circumventing unpatched or out-of-date software. Last year, one of the world’s largest banks, the Commercial Bank of China, was reportedly forced to pay a large ransom when its Citrix products were hacked due to a vulnerability labelled the ‘Citrix Bleed’. When a new patch was announced to mend a weakness that had been located, bad actors could scrutinise the patch update and exploit those flaws to infiltrate devices that weren’t yet updated.

Backdoor tactics

Hackers construct a malicious way to enter a business’ IT system and implant malware in order to extract a ransom. A prominent example of this type of attack occurred in 2020 when the US company SolarWinds had malicious code implanted into its Orion Platform through an open backdoor. It ended up costing the company around $40 million.

Backing the wrong horse

Those are the routes in. But what about the defences against these attacks?

Frustratingly, many organisations continue to rely on first-generation Multi-Factor Authentication (MFA), attempting to prevent phishing-driven ransomware attacks by adding layers of authentication like one-time passwords (OTPs), push notifications and QR codes. 

There is one huge problem with this method. All these solutions require multiple devices that function autonomously, which actually gives bad actors more opportunities to intercept or steal credentials. Using methods such as Adversary in the Middle Attacks (AiTM), criminals can get hold of users’ authentication tokens and then access and implant malware in a business’ system.

That’s not even the end of it. The majority of MFA typically centralises the storage of credentials in a database. For criminals, this means a single point of vulnerability. If they haven’t managed to capture your OTP, then they can just breach the central database and access your credentials that way. 

So, what do you end up with? Chiefly, it is a large ransom and a severe hit to both your operations and reputation. Don’t believe me, ask the British Library which saw its main catalogue, with more than 36 million records, impacted by a cyber-attack that resulted in the British Library's website being down for almost a month at the end of 2023. The Rhysida ransomware group claimed to be behind the attack and the library also had to confirm that some employee data had also been leaked in the attack.

So, how many more organisations must suffer these types of breaches before IT departments and cybersecurity professionals finally start to tackle the underlying causes of ransomware attacks?

Defeating the risk of ransomware

The best place to start is with a change of attitude. Organisations need to be forward-thinking and apply next-gen MFA. The new generation of solutions deliver all the additional layers of security required, just without the phishable factors I have mentioned.

These solutions are built on transitive trust – the premise being that access to a trusted service (i.e., a domain that has been integrated with the identity provider) is only granted to a trusted device. This device has to be registered to the system and verified by its Trusted Platform Module (TPM) chip and prove it is under the control of a trusted user identified by biometrics or a secure PIN. 

Crucially, there’s no centralised database. All credentials are stored locally inside the TPM, meaning criminals have nothing to steal remotely. They would need to physically take both the trusted device and the user’s PIN in order to implant a malware programme into that system. This completely removes the danger of a phishing-driven or password-based ransomware attack.

But again, it all starts with a change of mindset. Organisations cannot act like sheep by following the herd and continuing to invest in the same old solutions that fail to shield the crucial attack vectors that criminals target. 

Ultimately, organisations must prioritise prevention over detection. Addressing the root causes of a breach by embracing cybersecurity solutions built on identity-proofing and transitive trust is the only way to defend against the ugly, costly and increasingly prevalent threat of ransomware attacks.

Author details: Al Lakhani is CEO of IDEE