The latest report from Rubrik Zero Labs found that 40 percent of all organizations surveyed experienced a successful ransomware attack. 

Imagine working on confidential business files when suddenly they freeze and then disappear. A message pops up: 

“Oops, your files have been encrypted! If you see this text, then your files are no longer accessible, because they are encrypted. Perhaps you are busy looking for a way to recover your files, but don’t waste your time. Nobody can recover your files without our decryption service.” 

The message then gives instructions on how—and how much—to pay. It might sound like something out of a movie, but that’s the actual message from the “WannaCry” ransomware attack in 2017. Sounds awful, right? It is.

For ransomware to work, cybercriminals need access to an organization’s systems. One way to get that access is to trick individuals into opening the door for them. That’s where phishing comes in.

Phishing is the first step of many ransomware incidents, and it’s one of the most common ways cybercriminals can trick individuals into handing over sensitive information, like passwords or system credentials. 

According to the Verizon Data Breach Investigations Report, phishing is one of the four main entry points into an organization. And once they get inside, cybercriminals can infect your systems with malware, including ransomware.

Let’s explore what exactly phishing and ransomware are and how they’re related.

Ransomware vs Phishing

What is Phishing?

Cybercriminals need to gain access to confidential data and systems to deploy malware. It may be difficult to imagine that someone might give their password to a stranger, but people do it all the time. Especially if the “stranger” happens to (or appears to) work for your company or a trusted partner.

When cybercriminals use fake documents (e.g., emails, websites, and spreadsheets) to con people into giving up sensitive information, it’s called phishing.

Phishers frequently pose as reputable institutions with a seemingly valid reason to get you to click. They might tell you that they want to verify your identity or update your information. They often employ a sense of urgency to get you to react quickly—for instance, threatening loss of access to your account. 

Because users are inundated with messages, it’s difficult for them to invest the attention needed to screen each one and determine if it’s truly legitimate. Cybercriminals count on this and use social engineering—manipulating emotions and behaviors—to catch people off guard and convince them to give out confidential information, such as passwords, credit card numbers, or bank account information. 

But phishing doesn’t always involve a user who actively hands over their information. Cybercriminals can also use phishing messages to infect a user’s device with malware by getting them to click on a link, visit a website, or open an attachment. From there, the malware can assist the cybercriminals in stealing information—all without the victim knowing.

Whether the victim actively reveals personal information or it’s stolen with the help of malware, phishing is the line of communication that the cybercriminal casts to get users to take the bait.

What is Ransomware?

Now that we know how ransomware is delivered, let’s take a deeper look at what it is.

Ransomware is malware that encrypts files or data and demands a ransom payment in exchange for decryption. In some cases, particularly if the information encrypted is sensitive information (for instance, medical information, personal addresses, or social security numbers), the cyber attacker will also threaten to release the sensitive data if the ransom isn’t paid, thus upping the stakes. Payments are usually asked for in cryptocurrencies, which makes it difficult for authorities to trace the payment and the attackers.

A ransomware attack has multiple stages. The first step involves gaining access to an organization’s network in some way. This step commonly consists of some form of phishing, though this access can be obtained by other means. After gaining access, malware gets distributed throughout an organization’s system.

At this stage, end users may not notice anything is awry. Systems may continue to run as normal even as the malware spreads. During this time, attackers determine what systems and domains they have access to and attempt to gain access to more parts of the environment.

Next, attackers may attempt to identify and exfiltrate valuable data. Things like login credentials, personal customer or patient information, and intellectual property are all fair game. The more sensitive the data, the more valuable it is to the organization, and therefore the more valuable it is to the attackers.

After the attackers have found what they think is enough sensitive information—or feel like they might be close to getting caught—they’ll start encrypting data so it’s inaccessible to the organization.

Finally, once the files have been encrypted, the attackers will notify the target that they have been infected and demand a high-ticket payment. The ransom note commonly contains instructions on how to pay up in exchange for a decryption key, which can be used to decrypt your data.

But organizations that pay ransom demands still aren’t guaranteed to get their data back. Rubrik Zero Labs found that 46 percent of organizations recovered half or less of their data after using attacker-provided decryption solutions, and only 16 percent recovered all their data.

Comparing Ransomware and Phishing

The table below outlines the differences between ransomware and phishing.



Ransomware: Extort money from the victim
Phishing: Obtain sensitive information, such as passwords or credit card numbers

Ransomware: Malware that encrypts files or systems
Phishing: Social engineering that tricks victims into revealing sensitive information or granting access to private systems

Ransomware:
  • Can cause significant damage to the victim's files or systems
  • Can result in downtime and loss of productivity or reputation
  • Can cost significant amounts of money
Phishing:
  • Can be used to steal credentials
  • Can be used to deliver malware, including ransomware

How often?
Ransomware: 40% of organizations surveyed for Rubrik Zero Labs reported a successful ransomware event.
Phishing: 36% of all data breaches involved phishing.

How to Defend Against Phishing and Ransomware

Knowing how to spot phishing in the wild can go a long way in preventing an attack, including ransomware attacks, from happening. Phishing emails often contain some signs that they’re not what they purport to be, such as:

  • An urgent demand to click or open something 

  • Poor spelling and grammar

  • The link in the email doesn’t match the address you see when you hover over it

Often, a phishing message may appear to come from someone you know. If you suspect that a message that you’re reading is actually a phishing attempt, you can contact the person or company separately to make sure. You should also report the phishing attempt to your organization’s IT and security department. 

Multilayer protection is another way to protect yourself and your organization from attacks. Use strong passwords; change them when prompted; and use multi-factor authentication. But even the best tools, processes, and practices can’t prevent malware from getting in 100 percent of the time, which means that even with the best defense, organizations are still susceptible to malware, including ransomware.

When ransomware strikes, it’s crucial to have a data security solution designed for cyber recovery so your organization can get back to doing business as quickly as possible.

Such a solution should offer immutable backups, which can’t be changed, encrypted, or deleted by any user, including a ransomware attacker. That way, you can feel safe knowing you have access to a clean copy of your data.

You should also look for backup automation so that your backup data is updated regularly with limited manual intervention.

You also need a way to identify and limit who has access to sensitive data, so you can proactively reduce data exposure risk.

Rapid investigation and recovery is another essential feature that helps you quickly discover critical information about the attack and recover your data, allowing you to minimize downtime and get your operations back up and running as quickly as possible. 

Rubrik offers these features and more.