New Survey Reveals Surge in Email Security Incidents Linked to Ransomware

 Key Findings

Email attacks and ransomware linkage

  • A survey by Hornetsecurity found that 52.3% of organisations reported that email and phishing attacks were the vector in ransomware incidents. (prnewswire.com)
  • Another study by Acronis (“Cyberthreats Report H2 2023”) found a 222% increase in email-based attacks during H2 2023 compared to H2 2022. (Acronis)
  • Acronis further found that in H1 2024 email attacks surged 293% compared to H1 2023. (Acronis)

Ransomware escalation

  • The Hornetsecurity survey noted that although the number of reported attacks slightly dropped from 21.1% in 2021 to 18.6% in 2024, the severity of each incident increased. (hornetsecurity.com)
  • Acronis reported the number of ransomware detections increased by 32% from Q4 2023 to Q1 2024. (Acronis)

Role of AI and evolving tactics

  • Acronis highlighted that AI-enhanced phishing attacks affected ~91.1% of organisations in H2 2023. (Acronis)
  • Hornetsecurity also reported that 66.9% of respondents said AI had increased their concern about ransomware attacks. (hornetsecurity.com)

Other notable statistics

  • Acronis: in Q1 2024, ~1,048 publicly reported ransomware cases (a 23% increase over Q1 2023). (digitalisationworld.com)
  • Acronis: Email attacks surged by 47% while email volume increased by 25% in that same period. (SecurityBrief India)

 Case Studies / Illustrations

  • Small / Medium Businesses (SMBs): Hornetsecurity points out that email/phishing is especially prevalent in SMBs, and when coupled with ransomware the damage is more pronounced — fewer resources, slower recovery, higher relative impact. (prnewswire.com)
  • Managed Service Providers (MSPs): Acronis found that MSPs were heavily targeted via email phishing/social engineering to gain a foothold, and then used for broader ransomware campaigns. (Acronis)
  • Generative AI-enabled attacks: phishing emails made with AI tools, deepfake business-email compromise (BEC) and more convincing social engineering. Acronis flagged the rise of “AI-enabled malware” and “malicious AI-generated content” as a real driver. (Acronis)

 Comments & Interpretations

  • The linkage between email security incidents and ransomware infections is becoming stronger. Organisations that suffer a successful email compromise are much more likely to be hit by ransomware.
  • The surge in volume of email attacks means more opportunities for attackers, and the enhanced severity of ransomware means the stakes are higher: even if some organisations see fewer incidents, the damage is worse when they occur.
  • Email remains a primary vector despite many organisations focusing on network/malware defences. This suggests a gap between threat reality and defensive focus.
  • The role of AI is two-fold: attackers are using newer tools (AI-generated phishing, smarter social engineering), while defenders need to adopt more advanced detection/response methods.
  • The data suggests a shift in required posture: from purely prevention of network intrusion to rapid detection and response, focusing on the email channel, identity/account security, and incident escalation pathways.

 Implications for Organisations

What to watch for

  • Spam/phishing volumes: With email volume up, monitoring anomalous patterns (e.g., increased inbound linking, unusual sender domains) is key.
  • Time to response: The longer an email breach remains undetected the greater the risk of it escalating into ransomware or data exfiltration (supported by related research).
  • Identity and account security: Because breaches often start with credentials or compromised email accounts, enforcing MFA, account hygiene, logging/monitoring is critical.
  • Supply chain/third-party risk: MSPs and partners are targeted; if they’re breached via email, your organisation may be secondarily affected.
  • AI-driven threat awareness: Both defenders and attackers are leveraging AI. Training, phishing simulations, user awareness must evolve accordingly.

Recommendations

  • Implement or enhance email security controls: e.g., advanced threat protection (ATP) for email, link-click protection, domain spoofing protection, DMARC/SPF/DKIM.
  • Deploy incident response/forensics capability for email compromises: Determine how to rapidly detect and isolate compromised accounts, understand mail flow changes, perform user notification.
  • Increase user training with focus on social engineering and email risk — and emphasise the link to ransomware (not just spam).
  • Review backup and recovery plans under the assumption of ransomware following an email breach; ensure that backups are immutable/disconnected and that recovery time is acceptable.
  • Consider threat intelligence and simulation: Testing for targeted email attacks, especially ones that might leverage generative AI or impersonation.

 What’s missing / caveats

  • The survey data tends to be global or across many geographies; data specific to UK organisations is less prominently discussed in the sources cited above.
  • While email/phishing is cited as the vector for many ransomware incidents, the exact causal chain (email breach → ransomware) is often inferred rather than always definitively proven in public-facing data.
  • Organisations that responded to the surveys may have variable visibility into their own incidents (undetected breaches, zero-day mail attacks) — so actual numbers might be higher.
  • Metrics such as “average cost of recovery from email-initiated breach + ransomware” vary by region, sector and company size — the public data is still high-level.

Here are detailed case studies and commentary on the recent survey showing a surge in email-security incidents linked to ransomware.

     Case Studies

    Case Study 1 — Barracuda Networks / “Email Security Breach Report 2025”

    • According to Barracuda’s survey of ~2,000 IT/security decision-makers across North America, EMEA & APAC, 78% of organisations experienced an email security breach in the previous 12 months. (prnewswire.com)
    • Of those breached, 71% reported they were also hit with a ransomware incident during that year. (prnewswire.com)
    • Organisations that took more than 9 hours to respond to that email breach had a 79% chance of suffering a ransomware incident. (prnewswire.com)
    • Cost of remediation: On average US$217,068 per incident. Smaller companies (50-100 employees) averaged ~$1,946 per employee. (prnewswire.com)
    • Key obstacles cited: advanced evasion techniques (47%) and lack of automated incident response (44%). (securityboulevard.com)

    What this shows: This case underscores that email is not just a nuisance vector – once breached, it frequently catalyses ransomware. Response speed matters hugely.
    Key takeaway for organisations: Fast detection & containment of email incidents is essential to avoid ransomware follow-on.


    Case Study 2 — Hornetsecurity / “Ransomware Survey 2024”

    • Hornetsecurity found that in 2024 52.3% of ransomware incidents used email or phishing as the vector. (prnewswire.com)
    • Data loss rates increased: from 17.2% in 2023 to 30.2% in 2024; and 5% of organisations reported complete data loss. (prnewswire.com)
    • The share of victims paying the ransom rose to 16.3% (from 6.9% the previous year). (prnewswire.com)
    • Two-thirds (66.9%) of respondents said generative AI heightens their fear of ransomware attacks. (hornetsecurity.com)

    What this shows: Email + phishing remain the dominant entry point. Attackers are increasingly effective; data loss severity is rising.
    Key takeaway: The presence of email-entry ransomware means organisations must treat their email channel as a front-line defence, not just network/endpoint.


     Commentary & Insights

    1. Email as the ‘first domino’ in the ransomware chain

    Both surveys show that email-based incidents often lead into ransomware. Barracuda: 71% of those with email breaches had ransomware. Hornetsecurity: 52.3% of ransomware used email/phishing. This reinforces that email remains the prime vector, and organisations often under-defend it.

    2. Response speed is critical

    Barracuda’s finding that response times of more than 9 hours equated to a 79% ransomware risk is a stark signal: time to containment is a differentiator between just a breach and a full ransomware event.

    3. Small/medium vs large organisations

    Smaller organisations pay more per employee (~US$1,946 for 50-100 employees) compared to large ones (~US$243 per employee for 1,000-2,000) in Barracuda’s data. Smaller players may have fewer resources/controls and thus higher relative risk.

    4. Role of generative AI and advanced techniques

    Hornetsecurity flagged that 66.9% of respondents said AI has heightened their fear of ransomware. Attackers use more advanced evasion, social engineering, email spoofing, and AI-generated content. This raises the bar for defender detection.

    5. Defence gap: detection + automation

    Respondents noted obstacles: advanced evasion (47%), lack of automation in incident response (44%). This shows many orgs still rely on manual processes, which is too slow given modern attack speed.

    6. Business impact beyond data loss

    Barracuda: 41% of organisations said their email breach caused reputational damage or lost business opportunities. This highlights that the impact of email-initiated events is not just technical — there are business consequences.


     What to Watch / Practical Implications

    • Measure & improve Mean Time to Respond (MTTR) for email-based security incidents. The faster you detect & respond, the lower the downstream ransomware risk.
    • Segment email channel risks: identity compromise, phishing, spoofing, malicious attachments — treat them as high risk paths rather than “just spam”.
    • Automate detection & response: Email threat volume and sophistication require automated triage and response workflows (e.g., email sandboxing, link-click protection, automated isolation of compromised accounts).
    • Integrate email security into broader incident-response playbooks, including ransomware recovery, backup plans and identity/credential hygiene.
    • Train users specifically for email–ransomware linkage: Many may think “I clicked a link” is low impact, but the data shows it frequently leads to ransomware.
    • Small and medium-sized organisations need extra attention: They tend to carry higher per-employee cost and may lack advanced defences.
    • Plan for AI-augmented threats: Ensure email filtering, threat intelligence & user awareness include sophisticated phishing, deep-fake content and social engineering.
    • Business continuity & backup readiness: Because email breaches often cascade, ensure backups are secure, tested, and isolated — assume email compromise might precede ransomware.
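
One way to act on the "Measure & improve MTTR" point, as an added example that is not taken from the surveys or any vendor tool: compute time-to-containment per email incident category and flag every incident, open or closed, that has passed the 9-hour mark from the Barracuda figures. The incident records, field layout, category names and `SAMPLE_NOW` are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# 9-hour response mark taken from the Barracuda figures quoted above.
RESPONSE_THRESHOLD = timedelta(hours=9)

# Constructed sample records: (id, category, detected, contained or None if still open).
INCIDENTS = [
    ("INC-1", "phishing", "2025-03-01T08:00", "2025-03-01T10:30"),
    ("INC-2", "identity_compromise", "2025-03-02T22:15", "2025-03-03T09:45"),
    ("INC-3", "malicious_attachment", "2025-03-04T13:00", "2025-03-04T14:10"),
    ("INC-4", "phishing", "2025-03-05T17:40", "2025-03-06T06:00"),
    ("INC-5", "spoofing", "2025-03-06T09:00", None),
]
SAMPLE_NOW = datetime(2025, 3, 6, 20, 0)  # constructed "current time" for open incidents


def response_report(incidents, now, threshold=RESPONSE_THRESHOLD):
    """Return (median hours to contain per category, incidents over the threshold).

    Open incidents are measured up to `now`, so a ticket that is still
    uncontained shows up as a breach as soon as it crosses the threshold.
    Medians only use closed incidents, so open tickets do not skew them.
    """
    closed_hours = defaultdict(list)
    breaches = []
    for inc_id, category, detected, contained in incidents:
        start = datetime.fromisoformat(detected)
        end = datetime.fromisoformat(contained) if contained else now
        if end < start:
            raise ValueError(f"{inc_id}: containment time precedes detection time")
        elapsed = end - start
        hours = round(elapsed.total_seconds() / 3600, 2)
        if contained:
            closed_hours[category].append(elapsed.total_seconds() / 3600)
        if elapsed > threshold:
            # Last field is True when the incident is still open.
            breaches.append((inc_id, category, hours, contained is None))
    medians = {cat: round(median(vals), 2) for cat, vals in closed_hours.items()}
    # Longest-running incidents first, so the worst cases lead the report.
    return medians, sorted(breaches, key=lambda b: b[2], reverse=True)


if __name__ == "__main__":
    medians, breaches = response_report(INCIDENTS, SAMPLE_NOW)
    print("median hours to contain:", medians)
    for inc_id, category, hours, still_open in breaches:
        print(f"{inc_id} {category}: {hours}h {'(OPEN)' if still_open else ''}")
```
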