Security awareness

3 sales best practices used in ransomware (and what we can learn from them)

June 7, 2021 by Patrick Mallory

As with every opportunistic salesman, the cybercriminals behind one of the fastest growing online scams and cyber attacks, ransomware, are willing to do whatever it takes to maximize their return — even if that comes in the form of extorted personal or corporate money.

Unfortunately for victims of ransomware attacks, the tactics that cybercriminals are employing are working exceptionally well, providing them with a good return on their investment. In fact, in 2020 alone, the average ransom demand was $178,000 (up from $84,000 in 2019), with about 25 percent of victims making payments to the hackers. 

However, while the increases in bounties were quite remarkable, the number of ransomware attacks actually decreased in 2020. While some may argue that this could be due to increased security controls and awareness by potential victims, the rise in bounties could point to something else: more sophisticated attackers.

So what makes these attackers more sophisticated? Here are three best practices typically reserved for sales departments increasingly employed in ransomware attacks.

The sales best practices used in ransomware attacks

1. Using market research and microtargeting

Typically reserved for precisely targeting ads or cold calls to buyers of a certain profile or pension for a particular sales pitch, the criminals behind ransomware are increasingly researching their targets before they launch their attack.

Instead of just relying on chance, cybercriminals are finding that this investment and preparation pays off in a higher chance of success for a victim to click a link, download a file, or pass a message on. In practice, this means:

  • Using message language, images and pitch structures that match their message and intended audience
  • Using message delivery methods that make it more likely for the targeting to read and act on the message (such as SMS text messages, social media messages, email, messages with attachments and more)
  • Building rapport (which now occurs in about 70 percent of phishing emails) throughout several messages that fit a certain profile to build trust (such as career or networking via LinkedIn or social engagement via Instagram)
  • Sending attempt in otherwise innocuous methods, such as Zoom meeting invites

This research also comes into play in who the cybercriminals decide to send the message to, helping them to refine their message recipients to those who are also more likely to have the money to pay in ransom. In fact, according to one study, 30 percent of phishing messages were opened when only about 15 percent of typical sales emails are opened.

2. Leveraging social engineering and the power of peer pressure

Limited edition models. One-time only sales. Exclusive coupon or product releases. All of these sales tactics make recipients more likely to act on emotion before their logic kicks in and helps them make a more informed decision. 

The creators behind ransomware attacks also use these powers of social engineering and peer pressure to encourage their victims to overlook some of the obvious defects in their message and take action. 

For example, cybercriminals have:

  • Embedded malicious links within termination emails sent from human resources during the early phases of the COVID-19 pandemic
  • Used fear of blackmail (now one in 10 messages, according to one study) or the direction of a boss or executive
  • Faked that they were a brand or another domain to get a users attention (which make up about 83% of spear-phishing attacks) or to trick them into providing credentials, such as through fake Skype portals

Unfortunately for personal and corporate victims of these attacks, cybercriminals continue to take advantage of the fake items that over 90% of breaches involve their victims, directly or indirectly, usually through their own human error. And with techniques like these, it is no wonder why the percentage is so high.

3. Professionalizing their approach

Finally, these cybercriminals are getting more professional with their ransomware interactions, demonstrating just how much of a big business this is becoming. There have even been indications that groups of cybercriminals are selling their services to those looking to threaten others.

Either as a part of their services or on their behalf, studies have found that the vast majority of cybercriminals behind ransomware attacks follow through on their word and decrypt the data after they receive their bounty. One study, for example, found that about 58% of victims pay the ransom and only 1% of the groups behind the attack do not actually follow through with their promise to decrypt. These groups even offer customer service support backed by their team and, in some cases, offer to negotiate on the ransom itself.

How your organization can fight back

With the professionalization of ransomware, more sophisticated tactics, and an increasing incentive to perform the attack, how can you and your organization fight back?

Here are some recommendations that your organization can implement to help reduce your risk and decrease the impact of a ransomware attack:

1. Enhance your training

First, do not approach your security training as just a “check in the box.” Use these training opportunities to educate your staff on the attacks, the methods to get their attention and how they should react and respond to unusual emails, text messages and phone calls.

Take this training to the next level by sharing examples of well-formed phishing emails to show their sophistication and by tailoring your training for users based on their role or access to certain types of data.

2. Upgrade your security tools

Ransomware often takes advantage of known vulnerabilities in your technology ecosystem to take hold and encrypt your data. For example, the WannaCry malware behind the global ransomware campaign took advantage of a widely-known SMB protocol.

In addition to investing in robust vulnerability and patch management programs, take your security controls to the next level with tools like:

  • Data loss prevention systems that scan emails for the presence of sensitive data and flag it
  • Phishing campaigns that test your organization’s susceptibility to falling for the messages
  • Enhanced firewalls, antivirus and email applications that perform deep package inspection of web and email traffic for unusual or signatured malicious behavior
  • End-point and server heuristics that can identify unusual API calls, processing demands or other unusual behavior

3. Update your incident response training

While the above tools and techniques may assist in blocking an attack, ransomware can still strike. 

Therefore, make sure your organization is not one of the 77% of organizations that do not have incident response plans in place. If you do, make sure it is regularly updated to reflect the nature of your operations, that your automated data backup protocols are working properly, and that it is regularly reviewed and simulated so your staff know what to do when it matters.

Protecting against ransomware

Ransomware attacks are likely not going anywhere anytime soon, especially given how profitable they have become. However, by taking the time to better understand the techniques, tactics and personalities used by the cybercriminals, you can better prepare your organization and help to minimize your probability of falling victim. 

Because, as each ransomware attack is thwarted, we are one step closer to lowering the incentives that drive them and increasing the safety of everyone’s data.



90 percent of data breaches are caused by human error, techradar

Average Click and Read Rates for Campaign Messages, Campaign Monitor

Hackers Exploit Urgency, Personalization in Phishing Attacks, Health IT Security

Phishing Facts, Phishing Box

Ransomware Attacks Fracture Between Enterprise and Ransomware-as-a-Service in Q2 as Demands Increase, Coveware

How hackers are using COVID-19 to find new phishing victims, Security Magazine

The State of Ransomware 2020, Sophos

Successful Ransomware Infections Surge to Record in 2020 as Victims Grow More Willing to Pay, Research Shows, Security Boulevard 

IBM Study: More Than Half of Organizations with Cybersecurity Incident Response Plans Fail to Test Them, IBM

Posted: June 7, 2021
Patrick Mallory
View Profile

Patrick’s background includes cyber risk services consulting experience with Deloitte Consulting and time as an Assistant IT Director for the City of Raleigh. Patrick also has earned the OSCP, CISSP, CISM, and Security+ certifications, holds Master's Degrees in Information Security and Public Management from Carnegie Mellon University, and assists with graduate level teaching in an information security program. Patrick enjoys staying on top of the latest in IT and cybersecurity news and sharing these updates to help others reach their business and public service goals.