Ransomware with Scam Calls

In 2025, cybercriminals are shifting tactics—replacing email links with phone lines. Scam calls are now a leading entry point for ransomware attacks. These voice-based scams, often disguised as IT support, manipulate employees into granting remote access, allowing attackers to quickly penetrate networks and deploy ransomware.

This technique bypasses traditional security filters and leverages human trust as the weakest link. Recent incidents in healthcare and legal sectors show just how effective—and damaging—this method has become.

In this blog, we’ll unpack how these attacks work, why they succeed, and how the Keepnet Human Risk Management Platform helps you identify vulnerabilities, simulate threats, and build a resilient security culture across your organization.

Understanding the Rise of Ransomware with Scam Calls in 2025

In recent months, attackers have increasingly used scam calls as the first step in executing ransomware campaigns. These calls, often disguised as internal IT support or third-party service providers, are crafted to pressure employees into downloading remote access tools like AnyDesk or Zoho Assist.

Once access is granted, cybercriminals quietly infiltrate systems, exfiltrate sensitive data, and deploy ransomware—all without triggering typical security alerts. This tactic allows them to bypass email filters and endpoint protections by directly targeting the human element.

The surge in voice-driven attacks reflects a strategic shift from exploiting software to exploiting trust. As these tactics become more common, organizations must strengthen their frontline defenses—not only with technology, but with continuous human risk monitoring and awareness.

The New Face of Cybercrime: Combining Social Engineering with Malware

Scam calls have become more than just an entry tactic—they’re now central to how attackers deliver and execute ransomware. These interactions are carefully scripted to build trust, using detailed company knowledge and familiar language to disarm targets.

Once an attacker is on a call, the goal isn't just access—it's control over decision-making. Victims may be persuaded to bypass internal policies, disable security tools, or unknowingly participate in the compromise. From there, malware deployment becomes almost incidental—enabled by the employee’s actions.

This integration of psychological manipulation with malware execution marks a shift in how ransomware is delivered: not just through technology, but through people. It demands a defense model that goes beyond technical controls and includes continuous assessment of human risk, behavioral baselines, and escalation patterns.

For deeper insights into how attackers are using emerging technologies to enhance social engineering, explore the Keepnet article: How Hackers Use Agentic AI to Advance Social Engineering.

How Ransomware with Scam Calls Works

Scam-call-enabled ransomware attacks follow a deliberate, step-by-step process that combines psychological manipulation with technical exploitation. Here's how these attacks typically unfold.

Step 1: Initial Contact

The attacker initiates a phone call, pretending to be from the company’s IT department, a known vendor, or technical support. They often spoof a trusted phone number and reference internal details to sound legitimate.

Their goal is to sound calm and authoritative to quickly gain the employee’s trust and reduce suspicion.

Step 2: Establishing Urgency

The caller claims there is a critical issue, such as a system vulnerability, billing error, or suspicious activity, that must be resolved immediately. They apply pressure by warning of service disruptions, account lockouts, or security risks if action isn’t taken. This manufactured urgency is designed to bypass the employee’s usual caution and push them to comply without verifying the request.

Step 3: Gaining Access

The attacker instructs the employee to download and install remote access software such as AnyDesk, Zoho Assist, or ConnectWise ScreenConnect. They walk the victim through each step, including how to bypass security prompts or internal restrictions. Once the software is installed, the attacker gains full remote control of the device—often with administrative privileges—without raising immediate suspicion.

Step 4: Infiltration

With remote access established, the attacker begins exploring the compromised system, including internal files, shared drives, and connected network resources. They search for sensitive data, administrative credentials, and system vulnerabilities. In many cases, the attacker moves laterally across the network to access additional machines and gather more control before deploying the ransomware.

Step 5: Data Exfiltration

Before triggering the ransomware, the attacker quietly copies sensitive data using tools like WinSCP or Rclone, which are commonly used by IT teams and therefore less likely to raise alarms. This data theft often goes unnoticed in real time. The stolen files—such as customer information, financial records, legal documents, and login credentials—are later used to pressure the organization during ransom negotiations.

Step 6: Ransomware Deployment

After identifying critical systems and data, the attacker activates the ransomware to encrypt files and block user access. The organization is then presented with a ransom demand, typically asking for payment in cryptocurrency in exchange for decryption keys. The ransom note is delivered through desktop text files, pop-up messages, or email instructions—often accompanied by threats to leak stolen data if payment isn’t made.

Step 7: Escalation via Phone

After deploying the ransomware, attackers often place follow-up calls, pretending to offer support or resolution. These calls are used to escalate pressure—threatening to leak stolen data or prolong system outages if the ransom isn’t paid quickly. In some cases, they impersonate law enforcement or legal representatives to further intimidate and rush the victim into compliance.

This attack sequence shows how easily technical defenses can be bypassed when employee behavior is exploited—highlighting the importance of security training, phishing simulation, and human risk visibility.

To learn how to defend against follow-up scam calls and other ransomware tactics, read Keepnet’s guide: How to Protect Against Ransomware? Ransomware Defense 2025.

Why These Scams Are Effective

These scams succeed because they mimic routine IT requests and rely on employees acting quickly without questioning legitimacy. Attackers use professional language and urgency to make their calls seem credible, exploiting familiarity with phone-based support.

What makes them especially dangerous is the lack of clear verification protocols for phone interactions in many organizations. Without a standard way to confirm identities or escalate suspicious requests, employees are left to trust their instincts—something attackers are trained to manipulate. This gap in process—not technology—is what makes voice-based scams so effective.

High-Risk Targets and Industries

Not all organizations face the same level of risk when it comes to ransomware attacks involving scam calls. Attackers tend to focus on industries where service disruption, data exposure, or operational downtime carries immediate consequences—raising the likelihood of a fast ransom payment.

The table below outlines which sectors are most frequently targeted, why they’re vulnerable, and what attackers exploit to increase their success rate.

Table 1: Top Targets of Scam-Call Ransomware Attacks

Legal and Financial Consequences of Inaction

Failing to respond effectively to scam-call ransomware attacks can lead to severe financial, legal, and reputational fallout. The consequences extend beyond the immediate ransom demand and can significantly disrupt an organization’s long-term stability.

• High Financial Losses: The average cost of a data breach in 2024 is $4.88 million, encompassing ransom payments, system recovery, forensic investigations, and business downtime.
• Regulatory Fines: Non-compliance with data protection laws can result in substantial penalties. As of March 2025, GDPR fines across Europe have totaled approximately €5.65 billion, reflecting a significant increase in enforcement actions. (Source)
• Legal Liability: Organizations may face lawsuits from customers, partners, or shareholders whose data or operations were affected.
• Reputational Damage: Public trust is difficult to rebuild after a breach, especially when sensitive data is involved.
• Insurance Impact: Insurers may deny claims or increase premiums if proper security controls weren’t in place.
• Operational Disruption: Extended downtime can cripple essential functions, leading to lost productivity and revenue.

Proactive preparation—including employee security training, scam-call simulations, and human risk monitoring—is essential to mitigate these risks and safeguard the business from long-term damage.

Real Cases: How Scam Calls Escalated Ransomware Attacks

Recent ransomware incidents have shown how scam calls aren’t just a secondary tactic—they are a primary method attackers use to gain access and escalate pressure. By impersonating trusted personnel and creating urgency over the phone, attackers bypass technical defenses and directly exploit human behavior.

The following real cases illustrate how this approach was used in two high-profile breaches—demonstrating the serious consequences of combining phone-based deception with ransomware.

Kettering Health's 2025 Ransomware Attack

In May 2025, Kettering Health, a major healthcare provider in Ohio, experienced a ransomware attack that caused a systemwide outage across 14 hospitals and 120 facilities. Elective procedures were canceled, and internal systems were heavily disrupted.

The attack, linked to the Nefarious Mantis group, was followed by scam calls to patients requesting credit card payments. While the connection between the attack and the calls remains unconfirmed, Kettering suspended all billing outreach as a precaution.

Experts warned that the breach likely exposed sensitive patient data, raising risks of identity theft and fraud. This case illustrates how scam calls can intensify the fallout of ransomware attacks, compounding operational and reputational damage. (Source)

Silent Ransom Group Targets Law Firms (FBI Warning, May 2025)

In May 2025, the FBI warned U.S. law firms about a growing ransomware threat from Silent Ransom Group (SRG)—also known as Luna Moth. The group uses phishing emails and fake IT support calls to gain access to legal networks and steal sensitive data.

Their campaigns often start with fake subscription notices prompting victims to call a provided number. On the call, attackers impersonate IT staff and guide employees to install remote access tools like AnyDesk or Zoho Assist. SRG then exfiltrates files using tools such as WinSCP and Rclone, followed by ransom notes and scam calls to pressure firms into paying.

Law firms are targeted for their confidential client data and high reputational stakes. The group’s use of legitimate software and voice-based deception makes detection challenging, prompting the FBI to urge stronger verification protocols and immediate reporting of any ransom-related contact. (Source)

How Keepnet Helps You Prevent Ransomware with Scam Calls

Keepnet’s Extended Human Risk Management Platform empowers organizations to build a resilient security culture by addressing the human layer of cybersecurity. Through AI-driven simulations, adaptive training, and automated response, Keepnet helps eliminate employee-driven threats, insider risks, and social engineering—including those delivered through scam calls.

It offers everything needed to reduce exposure to scam-call ransomware and strengthen human defenses across the organization.

• Phishing Simulation Tools: Run realistic scam call and phishing simulations using Phishing Simulator, Vishing, Callback Phishing, and Smishing Simulator with 6,000+ customizable templates.
• Security Awareness Training: Deliver personalized, AI-driven Security Awareness Training through concise modules, visual materials, and real-life scenarios to improve user recognition of social engineering tactics.
• Automation: Use Incident Responder to detect, analyze, and contain email-based threats 48.6x faster, reducing risk when phishing and scam calls are used together.
• Analytics: Use outcome-driven metrics such as phishing click-through rate, incident count, reporting rate, training completion, and time to detect and respond to measure and reduce human risk.
• Threat Intelligence: Leverage Threat Intelligence and Threat Sharing to stay ahead of evolving attacker tactics and collaborate across the cybersecurity community.

Explore the Keepnet Human Risk Management Platform to assess human risk, simulate threats, and drive measurable improvements in your organization’s security posture.

Emerging Threats: AI and Multi-Channel Scam Tactics

Scam-call ransomware campaigns are rapidly evolving, driven by advancements in AI and a shift toward multi-channel attack strategies. Threat actors now blend phone calls with phishing emails, SMS (smishing), QR codes (quishing), and fake browser alerts to increase reach and bypass traditional defenses.

AI is being used to generate convincing voices, craft personalized scripts, and adapt in real time—making scam calls more believable and harder to detect. Some attackers even use deepfake audio to impersonate executives or IT staff.

This layered approach overwhelms users with various forms of deception, increasing the likelihood of a breach. Organizations must prepare their teams to recognize and respond to these coordinated attacks through adaptive training and realistic simulations.

To learn how security leaders are managing these risks while enabling innovation, read the Keepnet article: How Security Leaders Mitigate Generative AI Risks While Encouraging Innovation.

Building a Cyber-Resilient Culture

Defending against ransomware attacks delivered through scam calls requires more than technical tools—it demands a shift in culture. Organizations must recognize that human behavior is the most targeted entry point and treat it as a core security priority.

By combining adaptive training, realistic phishing simulations, and outcome-driven risk monitoring, companies can build awareness, reinforce safe behaviors, and reduce exposure to social engineering tactics. Leadership must support continuous learning and ensure that every employee understands their role in cyber defense.

To develop a practical, organization-wide approach to security culture, explore Keepnet’s guide on Building a Security-Conscious Corporate Culture.

Further Reading on Ransomware

If you're committed to defending your organization from today’s most dangerous cyber threats, these in-depth guides from Keepnet will sharpen your understanding and readiness. Each blog post is packed with real-world insights and practical advice—perfect for CISOs, IT leaders, and awareness trainers looking to stay ahead of ransomware.

• What is Ransomware? How Does It Work?: A beginner-friendly guide explaining how ransomware spreads, infects systems, and executes attacks—from initial breach to ransom payment. Ideal for training new IT staff and awareness program leads.
• What Is Hive Ransomware?: Explore how Hive ransomware operates, its typical entry points, and how to defend against it using phishing simulations. Learn to train your team with real-world attack scenarios.
• Conti Ransomware Was Released by the CSA: Explore why Conti ransomware poses a severe threat—due to its speed, stealth, and data-wiping capabilities. This blog post details how to detect early-stage behaviors and stop attacks before they spread.
• What is Zeppelin Ransomware?: Learn how Zeppelin targets healthcare systems, its infection techniques, and the layered defense strategies that best protect against this ransomware family.
• What is Petya Ransomware?: Petya rewrites system boot records, causing severe disruption. This blog breaks down its mechanics and why it's still a critical case study for ransomware resilience today.
• Global Impact of Bad Rabbit Ransomware: Bad Rabbit used fake software updates to infiltrate networks. Learn how it spread rapidly and how you can train employees to spot similar social engineering traps with Keepnet’s tools.
• Ransomware in 2025: Lessons from Locky & Modern Defense Strategies: This blog reflects on Locky’s legacy and explores how AI and quantum-resilient variants are changing the game. Includes practical steps to future-proof your defenses.
• Ransomware Attacks Rise Again: What’s Fueling the Surge?: Uncover the root causes of the 2025 ransomware spike. Featuring Lockbit and Hiveleaks, this article shows how training and proactive controls can reduce your exposure.
• Why SMEs Are Prime Targets for Ransomware & How to Protect Against It: SMEs often lack advanced defenses, making them easy targets. This guide explains why and offers affordable risk reduction strategies tailored for smaller organizations.
• How to Protect Your Business Against Ransomware?: A practical playbook covering backups, anti-ransomware tools, employee training, and phishing simulations. Start here to build or refine your ransomware defense plan.
• Advanced’s Ransomware Attack Impacts NHS: A detailed breakdown of how a ransomware attack on Advanced disrupted NHS systems. Learn what went wrong, how they recovered, and what healthcare providers can do to prevent similar breaches.