Does phishing include ransomware?

The term you're looking for here is social engineering. This is an umbrella term that describes any attempt to get a person to perform a particular action - particularly one that benefits the social engineer over the victim.

Phishing is a specific type of social engineering that is generally used to mean tricking a user into giving away sensitive information, but the terminology is not so rigid that the average security professional would frown upon you using "phishing" to refer to tricking a user into installing ransomware.


"Phishing" is attempting to catch something, hence the name. Most often the "something" in question is credentials, but it can be any number of things (money, source code or other secrets, direct access to a computer system via some means that bypasses the normal need for credentials, etc.). Ransomware is, of course, generally an attempt to extort money, but the acquisition of money is rather downstream of the ransomware installation (compared to, e.g., obtaining somebody's payment card or bank info).

Phishing is the most commonly discussed form of online social engineering, and as such, most things that social engineering is used for, if initiated over a computer and especially over email or similar, get termed phishing. (This is similar to the way that approximately all malware gets termed a "virus", even though malware that infects files on the host system to spread copies of itself is actually quite rare now, because software viruses were the well-known example of malware for some years.)

By strict definition, I would say that getting a victim to install ransomware does not count as phishing (a remote-access backdoor would be a more plausible case). However, if I were to ask somebody "how did your network get infected with this ransomware?" and they answered "an admin got phished"... I would have further questions, but I would understand them to be saying "an admin fell for a fraudulent communication, probably an email, and took actions enabling the malware to be installed". It wouldn't be clear whether the attacker had directly gained access to the network or simply tricked the victim into installing the malware, or what (if any) harms or data exposures there might be beyond the ransomware (of course, ransomware can also contain backdoors or other nastiness), but it wouldn't be incomprehensible or totally uninformative.

Whether you want to use this term in your situation probably depends on the audience. Language, of course, shifts over time, and not uniformly across a population. For some people, the strict definition would be what you should always use, and thus you might say something like "Targeted social engineering attack via spoofed email sent to the admin, resulting in the installation of an update package that was actually a Trojan ransomware installer". Or you might just say "spear-phishing attack on the admin linking to the installer". Or something else.


Language evolves.

Historically, no, emails with malicious attachments or code were not considered "phishing". Phishing was about gathering information from the victim.

But, as with all technology, lines blurred, attack techniques blended, and the desire to clearly communicate won out. Now, all "bad" emails are described as "phishing". I don't think that this evolution has been done mindfully or thoughtfully, but it is how the word is being used right now.