
How do you prevent ransomware attacks that start with a simple email click?

  • Last Updated: July 31, 2025

Imagine this: You’re in the CRM team at a service organization. Just as you are about to log off after a long day at work, you receive an email with the subject line

Salary revision–please acknowledge.

Out of curiosity, you open the email. It appears to be from HR, with a genuine-looking Google Drive or OneDrive link asking you to download a document to read the updated salary revision. Expecting news of a salary hike, you click the link without verifying the authenticity of the sender.

Within minutes, the CRM database connected across your organization's network gets encrypted. Employees are suddenly unable to access customer data. A ransom note appears on every desktop:

Your customer database is locked. Pay $100,000 in Bitcoin to restore access.

This is how easy it is to fall victim to a ransomware attack, through a phishing email that preys on human weakness.


The consequences of ransomware attacks

When an organization faces a ransomware attack, it faces the following:

A heavy ransom payment: Organizations hit by ransomware are asked to pay a huge amount of money, mostly in Bitcoin, to get their resources decrypted. According to Sophos's "The State of Ransomware 2024" report, the average payment has increased five-fold over the last year, from $400,000 to $2 million.

Service downtime: Critical systems like hospitals, education, and banks should never have downtime. But unfortunately, when a ransomware attack happens, even these critical systems get locked out of service for hours or even days. According to Veeam's 2023 Data Protection Trends Report, victims experience an average downtime of 21 days.

Data loss: Large volumes of data grown over years of business are at risk of being exposed or lost during a ransomware attack. Even after paying the ransom, there is no guarantee that all of the data will be restored or that it hasn’t been copied already and sold on the dark web.

Legal trouble: When customer confidentiality and privacy are compromised, organizations may face serious legal consequences under data protection and cybersecurity laws. These include the GDPR (EU), the DPDP Act (India), the CCPA (California), HIPAA (US healthcare), and more. Organizations are required to report security breaches to authorities and affected customers within strict deadlines, may be subject to heavy fines for data breaches, and may also be sued by customers for failing to protect their data.

Reputation damage: Beyond all of these damages, a ransomware attack can deal a huge blow to an organization’s brand image and credibility. Clients, partners, even employees may lose trust. Regaining trust in the organization will become a monumental task.


Why does email remain the top entry point for ransomware?

According to SpyCloud's 2024 Malware and Ransomware Defense Report, among the various entry points for ransomware attacks, such as Remote Desktop Protocol (RDP) vulnerabilities, outdated software, and malicious websites, phishing and socially engineered emails remain the most common method attackers use to gain initial access.

Email is the easiest and most common way ransomware gets into organizations because it exploits human vulnerability more than technology. Phishing emails are cheap to send and can be delivered in bulk. Nowadays, attackers also make use of AI tools to craft convincing emails that trick people into clicking malicious links or downloading infected attachments.

Most organizations rely on email as the primary channel for official and confidential communication, which gives attackers a wide attack surface. On top of that, many small and mid-sized businesses lack strong email security tools or consistent employee training, making them especially vulnerable. That’s why phishing remains the leading method for ransomware delivery.

Because inboxes often contain the most sensitive and confidential information, stealing someone's email credentials can give attackers easy access to the organization's entire network.

Medusa ransomware attack (2021 to present)

Medusa is a ransomware-as-a-service (RaaS) variant first identified in June 2021. According to a detailed advisory by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released in March 2025 (CISA, AA25-071A), Medusa ransomware has impacted over 300 victims from a variety of critical infrastructure sectors. Affected industries include medical, education, legal, insurance, technology, and manufacturing.

Medusa developers typically recruit initial access brokers (IABs) in cybercriminal forums and marketplaces to obtain access to potential victims. Medusa IABs are known to make use of common techniques, such as:

  • Phishing campaigns as a primary method for stealing victims' credentials.
  • Exploitation of unpatched software vulnerabilities through Common Vulnerabilities and Exposures (CVEs).

Medusa employs a double extortion model, in which the operators encrypt victim data and threaten to publicly release exfiltrated data if a ransom is not paid.

How can ransomware attacks be prevented?

According to SpyCloud's 2024 Malware and Ransomware Defense Report, 70% of ransomware attacks begin with a well-crafted phishing email. But there is good news: With a combined and multi-layered approach, these ransomware attacks can be prevented or minimized.

1. Mandate multifactor authentication (MFA)

Ransomware attacks like Medusa, which began with attackers logging into the network using stolen credentials, might have been prevented if MFA had been in place. MFA provides an extra layer of security beyond just a password. Organizations should mandate the use of MFA to protect account access. Even if credentials are stolen, MFA can help block unauthorized entry and prevent attackers from gaining control.

2. Implement a strong and secure password and software policy

Employees who fall prey to phishing emails may have reused the same passwords across multiple platforms, giving attackers access to sensitive systems. Attackers often use a technique called credential stuffing, in which stolen credentials from one breach are used to attempt logins across other systems.

Implementing a strong and secure password policy across the organization is essential. When combined with MFA, such a policy makes it significantly harder for attackers to gain unauthorized access using stolen credentials.
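Credential stuffing, as described above, looks different in authentication logs from a user mistyping a password: one source address cycles through many distinct usernames with few attempts each. The detector below is an added example, not code from the article or from any product it mentions; it assumes a constructed log format ("<ISO timestamp> auth <OK|FAIL> user=<name> src=<ip>") and reports, per source IP, how many accounts were tried and which of them logged in successfully (the accounts that need a password reset and MFA enforcement).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format, constructed for this example:
# "<ISO timestamp> auth <OK|FAIL> user=<name> src=<ip>"
LINE = re.compile(r"^(?P<ts>\S+) auth (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<ip>\S+)$")

def parse(lines):
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            yield datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["ip"]

def stuffing_sources(lines, window=timedelta(minutes=10), min_users=5):
    """Return {ip: {"users": n, "hits": {accounts that logged in OK}}} for each
    source IP that tried at least min_users distinct usernames within `window`."""
    by_ip = defaultdict(list)
    for ts, result, user, ip in parse(lines):
        by_ip[ip].append((ts, user, result))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        start = 0
        for end in range(len(events)):  # sliding time window over this IP's events
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            users = {u for _, u, _ in span}
            if len(users) >= min_users:
                rec = flagged.setdefault(ip, {"users": 0, "hits": set()})
                rec["users"] = max(rec["users"], len(users))
                rec["hits"] |= {u for _, u, r in span if r == "OK"}  # stuffed creds that worked
    return flagged

# Constructed sample: one source cycling through many accounts (one success),
# and one legitimate user mistyping a password twice before logging in.
SAMPLE_LOG = """\
2025-07-31T18:02:01 auth FAIL user=alice src=198.51.100.7
2025-07-31T18:02:03 auth FAIL user=bob src=198.51.100.7
2025-07-31T18:02:05 auth FAIL user=carol src=198.51.100.7
2025-07-31T18:02:07 auth OK user=dave src=198.51.100.7
2025-07-31T18:02:09 auth FAIL user=erin src=198.51.100.7
2025-07-31T18:02:11 auth FAIL user=frank src=198.51.100.7
2025-07-31T18:05:00 auth FAIL user=alice src=203.0.113.5
2025-07-31T18:05:20 auth FAIL user=alice src=203.0.113.5
2025-07-31T18:05:45 auth OK user=alice src=203.0.113.5
""".splitlines()
```

Running `stuffing_sources(SAMPLE_LOG)` flags only 198.51.100.7 (six accounts tried, `dave` compromised); the repeated failures from 203.0.113.5 are a single user and are not reported.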

A secure software policy ensures that only approved, updated, and secure applications are used across all systems. This reduces the attack surface and enforces regular updates and patches, preventing attackers from exploiting known vulnerabilities. It also prevents employees from downloading suspicious or unverified tools from the internet, which may be bundled with malware.

3. Develop an incident response strategy

Organizations should develop a scalable and practical incident response strategy that clearly outlines the roles and responsibilities of every team member, as well as the communication protocols to be followed during and after a ransomware attack.

4. Implement a data backup and recovery plan

Organizations should have a data backup plan that follows the 3-2-1 backup rule: keep three copies of the data, on two different storage media, with one copy offsite. It’s preferable that the on-site storage locations are physically apart, and that the off-site copy is kept on a cloud storage platform.

Ensure that the backup is updated periodically. Perform regular restore tests to confirm that the data can actually be recovered when needed. Organizations can go a step further in securing backup data by encrypting it to prevent unauthorized access, and by making the backups immutable so that ransomware cannot encrypt or delete them.

5. Train your team

Humans are the weakest link in cybersecurity because they’re vulnerable, especially when emotionally targeted, and often unpredictable.

  • Educating your team about possible cybersecurity threats, their risks, and how to identify them is one of the most important actions an organization can take. Assess their cybersecurity awareness levels by conducting phishing simulations from time to time.
  • Encourage your team to report any suspicious activity or incidents they’ve noticed or faced. This practice builds trust and helps everyone take more cautious steps to prevent attacks in the future.
  • Create a culture of security within your organization. This means promoting shared responsibility for cybersecurity and making it a priority for everyone, no matter their role.


6. Employ an advanced email security gateway

Because email remains one of the most trusted means of communication, it also serves as the main entry vector through which ransomware attacks start. To enable strict monitoring and filtering of all incoming and outgoing emails, organizations should employ email security solutions.

Advanced email security solutions provide protection against email-based threats such as spam, phishing, ransomware, malware, and Business Email Compromise (BEC). They also offer advanced features such as content filtering, Data Loss Prevention (DLP), attachment and URL sandboxing, quarantine, and user reporting.
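The content-filtering layer of such a gateway is, at its core, a set of checks run over each inbound message. The script below is an added example, not code from the article or from eProtect, showing four checks that would catch the "salary revision" lure from the opening story: a display name that claims to be HR while the sender domain is external, a Reply-To routed to a third domain, pressure wording in the subject, and a link whose visible text names a trusted file-sharing host while its real target is elsewhere. The organisation domain, the sender domains and the sample message are all constructed assumptions.

```python
import email, email.utils, re
from email import policy
from html.parser import HTMLParser

ORG_DOMAIN = "example.com"  # assumed: the organisation's own mail domain
URLISH = re.compile(r"^(?:https?://)?([\w.-]+\.[a-z]{2,})(?:[/?#]|$)", re.I)

class LinkCollector(HTMLParser):  # collects (href, anchor text) pairs from HTML
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a": self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None: self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host(text):  # hostname if the text looks like a URL or domain, else ''
    m = URLISH.match(text.strip())
    return m.group(1).lower() if m else ""
def domain_of(header):  # domain part of the address in a From/Reply-To header
    return email.utils.parseaddr(str(header))[1].rpartition("@")[2].lower()

def phishing_indicators(raw: bytes) -> list:
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings, from_dom = [], domain_of(msg["From"])
    if re.search(r"\bhr\b|human resources", str(msg["From"]), re.I) and from_dom != ORG_DOMAIN:
        findings.append(f"sender presents as HR but sender domain is {from_dom}")
    if msg["Reply-To"] and domain_of(msg["Reply-To"]) != from_dom:
        findings.append("Reply-To domain differs from the From domain")
    if re.search(r"\b(acknowledge|urgent|immediately)\b", str(msg["Subject"] or ""), re.I):
        findings.append("urgency/acknowledgement wording in the subject")
    body = msg.get_body(preferencelist=("html",))  # HTML part, if any
    if body is not None:
        collector = LinkCollector(); collector.feed(body.get_content())
        for href, text in collector.links:  # host shown to the reader vs. real target
            if host(text) and host(text) != host(href):
                findings.append(f"link text shows {host(text)} but points to {host(href)}")
    return findings
# Constructed sample modelled on the article's "salary revision" lure.
SAMPLE = b"""From: HR Department <hr-payroll@mail-notify.test>
Reply-To: payroll@reply-collect.test
Subject: Salary revision - please acknowledge
Content-Type: text/html; charset=utf-8

<a href="http://docs.filehost.test/x">https://drive.google.com/file/d/123</a>
"""
```

`phishing_indicators(SAMPLE)` returns all four findings; a gateway would quarantine on a score like this and surface the findings to the user-reporting workflow.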

Wrapping up

One click on a malicious email, triggered by curiosity, urgency, or a moment of carelessness, is all it takes for a ransomware attack to take control of an organization’s network, IT, and data assets. The consequences can be serious, such as heavy ransom demands with customer data held hostage, reputational damage, loss of trust, and even legal penalties.

But here’s the reassuring part: Ransomware attacks are preventable.

With the right practices like multifactor authentication, secure email gateways, regular data backups, continuous employee training, and strong password and software policies, organizations can prevent these attacks to a large extent.


eProtect is a cloud-based email security and archiving solution that provides an additional layer of security for email accounts. The solution offers advanced threat detection mechanisms that can secure on-premise and cloud email accounts from evolving email threats. eProtect is the security solution powering Zoho Mail, a platform trusted by millions of users.
