How Human Risk Enables Ransomware Attacks and How to Prevent Them

Key takeaways

  • Ransomware increasingly succeeds by exploiting people, not technology. Phishing, MFA fatigue, and over-privileged accounts give attackers faster, cheaper access than traditional exploits.

  • Social engineering attacks rely on authority, urgency, fear, trust, and routine to bypass judgment, often gaining initial access in minutes and moving laterally.

  • Reducing ransomware risk requires pairing human training with identity-centric controls like ITDR, phishing-resistant MFA, and least-privilege access.

As organizations harden their network perimeters with firewalls and intrusion prevention systems, threat actors have shifted tactics away from time-consuming technical exploits toward the most consistent vulnerability: the human element. Clicking on malicious links, granting MFA bombing approvals, reusing credentials, and other human errors account for 60% of breaches.

The ransomware-as-a-service (RaaS) economy capitalizes on these behaviors by arming social engineering specialists with off-the-shelf ransomware kits, accelerating these attacks even further. Business is booming. Ransomware was involved in 44% of breaches last year, a 37% increase.

The good news is that organizations can guard against ransomware and other attacks by educating their teams. Through regular training, they can build resiliency that supports a positive security culture.

In this guide, we break down what behaviors allow hackers to gain access, how they move laterally once inside, and how organizations can mitigate human risk.




Human-enabled entry points

Ransomware attacks overwhelmingly target identity. Attackers use the same psychological levers that advertisers and con artists have relied on for ages—urgency, trust, routine, and intimidation—to override people’s better judgment.


Phishing and smishing

The time it takes from a user receiving a phishing email to giving an attacker a foothold averages less than a minute. That efficiency is why 42% of organizations face weekly or daily phishing attempts. Today’s spearphishing attacks are highly sophisticated, using LinkedIn or corporate directories to source personal and organizational details about targets. Attackers can then use genAI to craft convincing phishing emails, often posing as an executive, vendor, or IT help. They might ask for a password reset or include a fake invoice that launches a malicious PowerShell when opened.

Beyond business email compromise (BEC), bad actors use vishing (voice phishing), angler phishing (using fake social media accounts), and adversary-in-the-middle (AiTM) attacks. Smishing (SMS-based phishing) is growing exponentially due to users’ higher trust in text messages and on-the-go mobile habits. A common scenario involves sending “package delivery failure” notifications, where users click on a shortened URL. Since mobile devices often lack robust endpoint protection, this leads to credential theft and malware delivery.


MFA fatigue

MFA fatigue is so insidious because it weaponizes a central aspect of modern security: multi-factor authentication. After stealing credentials through phishing, credential stuffing, or dark web purchase, attackers use this follow-up tactic (also called “push bombing”) to bypass MFA controls.

The intruder repeatedly tries to log in with the legitimate credentials, bombarding the real user with MFA push notifications. Users often hit “Approve” out of frustration, accidental touch, or the belief that the system is malfunctioning. Attackers may even call the user, posing as the IT help desk, and instruct them to "approve the request to resolve a sync error." This strategy has led to high-profile breaches at even tech-forward companies like Uber and Cisco.
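Seen from the defender's side, push bombing leaves a distinctive trail: a burst of push challenges for one account, most of them denied or timed out, sometimes ending in a single approval. The script below is an added example (not Huntress code) that flags that pattern in constructed MFA log events; the event layout, the ten-minute window and the five-challenge threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample MFA push-challenge events (not real logs):
# (timestamp, user, result). "jdoe" is being push-bombed at 2 a.m. and
# finally taps Approve; "asmith" shows normal daytime use.
MFA_EVENTS = [
    ("2024-05-01T02:10:05", "jdoe", "denied"),
    ("2024-05-01T02:10:20", "jdoe", "timeout"),
    ("2024-05-01T02:10:41", "jdoe", "denied"),
    ("2024-05-01T02:11:03", "jdoe", "timeout"),
    ("2024-05-01T02:11:30", "jdoe", "denied"),
    ("2024-05-01T02:12:02", "jdoe", "approved"),
    ("2024-05-01T09:00:00", "asmith", "approved"),
    ("2024-05-01T13:30:00", "asmith", "approved"),
]


def detect_push_bombing(events, window=timedelta(minutes=10), threshold=5):
    """Return one alert per user who received at least `threshold` push
    challenges inside `window` with at most one approval among them.
    `approved_after_bombing` is True when the burst ends in an approval,
    the case that warrants revoking the session and calling the user."""
    by_user = defaultdict(list)
    for ts, user, result in events:
        by_user[user].append((datetime.fromisoformat(ts), result))
    alerts = []
    for user, evs in by_user.items():
        evs.sort()  # chronological order per identity
        for i, (start, _) in enumerate(evs):
            # all challenges from this one forward that fall inside the window
            burst = [r for t, r in evs[i:] if t - start <= window]
            approvals = sum(1 for r in burst if r == "approved")
            if len(burst) >= threshold and approvals <= 1:
                alerts.append({
                    "user": user,
                    "challenges": len(burst),
                    "window_start": start.isoformat(),
                    "approved_after_bombing": burst[-1] == "approved",
                })
                break  # one alert per user is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_push_bombing(MFA_EVENTS):
        print(alert)
```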


Excessive privileges

While phishing and MFA fatigue open the door for hackers, excessive privileges give them the means to spread ransomware. In many environments, standard users have permissions that allow them to view or modify sensitive directories that are irrelevant to their daily tasks. If an office administrator has “local admin” rights on their workstation and they click a malicious link, ransomware can disable antivirus software, modify system registries, and harvest credentials from the machine's memory. If that same account has access to network drives or server backups, the ransomware can encrypt the entire company's data in minutes.




Why attackers focus on people

Exploiting human error for ransomware attacks is often faster, cheaper, and more reliable than attempting to break through hardened technical systems. Attackers may spend months coding an exploit for a software vulnerability, only to have developers release a patch that neutralizes it. On the other hand, compromising a single user account through simple social engineering can give attackers the keys to move laterally, escalate privileges, and identify high-value data.

Why is social engineering so effective? Attackers lean on several key psychological traits that muddle rational decision-making:

  • Authority: People are culturally conditioned to follow instructions from leadership. A convincing enough impersonation of an executive or law enforcement officer preys on this tendency.

  • Urgency/scarcity: The “ticking clock” technique (e.g., “Your account will be deleted in 1 hour unless you verify.”) convinces users to make quick, emotional decisions.

  • Fear and intimidation: The threat of negative consequences (data loss, legal action for an “unpaid invoice”) creates a sense of panic.

  • Trust and likability: Attackers build rapport by referencing mutual connections found on social media or using familiar branding, making the victim more willing to "help" with a request.

  • Social proof: Messages claiming "90% of your colleagues have already updated their passwords" pressure targets into joining in.

Often, people are just caught up in their work and personal matters, and are lulled by seemingly routine requests—only realizing their (in retrospect obvious) mistake once it’s too late.



Prevention

Addressing the human factor in ransomware is the best way to guard against catastrophic attacks. This requires a two-pronged approach: reducing susceptibility to social engineering and minimizing the impact if compromise occurs.


Continuous security awareness training (SAT)

A culture where employees take ownership of their part in cybersecurity is essential to guarding against breaches. With attackers constantly evolving their tactics, annual checkbox training can fall short. Additionally, numerous studies have shown that shorter, ongoing learning sessions are more effective than longer, less frequent lessons.

Effective SAT is continuous, engaging, and based on real-world threat intelligence. Realistic phishing simulations, immediate feedback, gamification, and microlearning have been shown to keep employees engaged and significantly lower a team’s “phish-prone percentage.” One study found that sustained phishing simulations cut successful compromise rates by half within six months.


Identity behavior monitoring

Modern cybersecurity requires a layered, defense-in-depth approach. Organizations must back up the human firewall with technical controls. Identity threat detection and response (ITDR) focuses on detecting and stopping account-based threats in real time. These tools monitor behaviors for signs of compromise:

  • Impossible travel: A user logging in from New York and then from London 30 minutes later.

  • Anomalous geolocation: Access attempts from regions where the company has no presence.

  • Unusual privilege requests: A standard user account suddenly attempting to access sensitive administrative directories or create new admin accounts.

  • Shadow admin activity: Detecting the creation of hidden mailbox forwarding rules or unauthorized "rogue apps" in Microsoft 365 environments that allow data exfiltration.

ITDR can then automatically respond by locking a credential or rolling back malicious changes, before the intruder can escalate privileges.
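As an added example (not Huntress's ITDR, which the page does not show), the following script applies the first two signals above, impossible travel and anomalous geolocation, to constructed sign-in events. The event layout, the allowed-country set and the 900 km/h plausibility limit are assumptions.

```python
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sample sign-in events (not real logs):
# (timestamp, user, country code, latitude, longitude)
SIGNINS = [
    ("2024-05-01T08:00:00", "jdoe", "US", 40.71, -74.01),    # New York
    ("2024-05-01T08:30:00", "jdoe", "GB", 51.51, -0.13),     # London, 30 minutes later
    ("2024-05-01T09:00:00", "asmith", "US", 40.71, -74.01),  # New York
    ("2024-05-01T14:00:00", "asmith", "US", 42.36, -71.06),  # Boston, five hours later
    ("2024-05-01T10:05:00", "bwong", "BR", -23.55, -46.63),  # country with no company presence
]

ALLOWED_COUNTRIES = {"US", "GB"}  # assumed: countries where the company operates
MAX_PLAUSIBLE_KMH = 900           # roughly airliner cruising speed


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two coordinates in kilometres."""
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def detect_identity_anomalies(events, allowed=ALLOWED_COUNTRIES, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (user, kind, detail) alerts for two ITDR signals:
    impossible travel, when consecutive sign-ins are farther apart than
    max_kmh could cover in the elapsed time, and anomalous geolocation,
    when a sign-in comes from a country outside the allowed set."""
    by_user = defaultdict(list)
    for ts, user, country, lat, lon in events:
        by_user[user].append((datetime.fromisoformat(ts), country, lat, lon))
    alerts = []
    for user, evs in by_user.items():
        evs.sort()  # chronological order per identity
        for (t1, _, la1, lo1), (t2, _, la2, lo2) in zip(evs, evs[1:]):
            hours = (t2 - t1).total_seconds() / 3600
            km = haversine_km(la1, lo1, la2, lo2)
            if km > max_kmh * hours:  # also catches two distant sign-ins at the same instant
                alerts.append((user, "impossible_travel", round(km)))
        for _, country, _, _ in evs:
            if country not in allowed:
                alerts.append((user, "anomalous_geolocation", country))
    return alerts


if __name__ == "__main__":
    for alert in detect_identity_anomalies(SIGNINS):
        print(alert)
```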


Enforcing least-privilege access

The principle of least privilege (PoLP) means that users and devices get only the permissions necessary to do their jobs. This limits the amount of damage any one account can do. A Zero Trust architecture puts this principle into practice by requiring strict verification for every access request, regardless of location. This includes:

  • Network segmentation: Dividing the network into smaller, isolated zones so an attacker can’t easily move from an infected workstation to a server with sensitive data.

  • Just-in-time access (JIT): Granting elevated permissions to accomplish a specific task for a limited time (e.g., an IT tech getting admin rights for one hour to fix a server).

  • Phishing-resistant MFA: Transitioning from SMS codes and push notifications to hardware security keys (FIDO2) that are physically tied to the device. This guards against MFA fatigue and AiTM attacks.




Minimize human risk with Huntress

There’s no question that human risk enables ransomware attacks. Huntress provides a dual-layered approach to human risk through Managed Security Awareness Training (SAT) and Managed Identity Threat Detection and Response (ITDR). Learn how Huntress helps guard against ransomware attacks.


