How Does Ransomware Spread?

Written by Lauryn Cash

Hackers use ransomware, malicious software that encrypts files until a victim pays a ransom (usually in bitcoin) to unlock them. You’ve probably heard about various kinds of ransomware, but what happens after the initial attack phase is what enables ransomware to propagate throughout your entire network.

Ransomware spreads through various means, including phishing emails with malicious links or attachments, portable computers, exposure to public WiFi, and Zero-Day vulnerabilities.

So why are we talking about ransomware again? Because having a thorough understanding of how ransomware spreads is crucial to keeping it at bay.

In this article, we’ll go over 12 common ways that ransomware can spread:

  • Phishing Attacks
  • Remote Desktop Protocol (RDP)
  • MSPs and RMMs
  • Bad Ads
  • Network Propagation
  • Pirated Software
  • Portable Computers and USB Drives
  • Zero-Day/Unpatched Vulnerabilities
  • Public WiFi
  • Pay-For-Install Attacks
  • Network Scanning
  • Drive-By Downloads

1. Phishing Attacks

Hackers use phishing and spear phishing techniques to plant ransomware into a victim’s computer system. Research from 2020 found that 91% of all cyberattacks begin with a phishing email. Hackers often conduct extensive research to create convincing emails that contain dangerous attachments (like ZIP files, PDFs, and spreadsheets) or links to malicious sites.

Cybercriminals carefully design these malicious sites to trick you into installing ransomware which can infiltrate your entire network.

2. Remote Desktop Protocol (RDP)

Remote work popularized virtual desktop infrastructure, or VDI, in 2020. Unfortunately, VDI applications and infrastructure are often on the same server, increasing the chances of ransomware infiltration.

Ransomware often uses Remote Desktop Protocol (RDP) to attack other network nodes. RDP is a communications protocol that enables you to reach different computers over a network connection, allowing ransomware infection to spread laterally.

3. MSPs and RMMs

Remember the SolarWinds hack? While that was not a ransomware attack, hackers frequently target managed service providers (MSPs) in supply chain attacks that exploit the MSP’s remote monitoring and management (RMM) software.

This kind of attack can enable hackers to deploy ransomware to the MSP’s entire customer base, putting additional pressure on the MSP to pay the ransom.

4. Bad Ads

Malicious advertising, or malvertising, is gaining popularity as a ransomware delivery method.

Hackers purchase legitimate internet ad space and link it to an exploit kit.

When you click the ad, the exploit kit scans your system for information (including your operating system, software, browser details, and more). If a vulnerability is detected, it attempts to install ransomware on your machine.

5. Network Propagation

In the digital version of urban sprawl, ransomware with self-propagating mechanisms can move laterally from one infected machine to other network devices, potentially crippling entire organizations.

6. Pirated Software

Pirated software and software bundled with adware can smuggle in ransomware. Additionally, websites hosting pirated software may be more susceptible to malvertising or drive-by downloads.

Using pirated software may increase ransomware infection risk. Since unlicensed software users don’t receive software updates, they may not receive security patches, increasing the risk of zero-day exploitation by hackers.

7. Portable Computers and USB Drives

Laptops and USB drives are common ransomware delivery risks. Plugging in an infected device can encrypt the local machine and spread ransomware across the network. To reduce this risk, train your staff not to use USB drives from unknown sources.

8. Zero-Day/Unpatched Vulnerabilities

Zero-day vulnerabilities are unpatched security vulnerabilities that hackers exploit, even paying for access to weaknesses they can use to target your organization. Zero-day vulnerabilities enable hackers to install ransomware without tricking anyone, making their jobs much easier.

Performing regular patch management ensures that you’re running the most recently released malware protections and security patches, increasing your safety quotient.

9. Public WiFi

Unfortunately, ransomware often hides in plain sight via public WiFi. If you have remote workers who frequently access your network in public (Starbucks, anyone?), you must have strict policies to protect your data and network from the dangers of public WiFi.

Consider prohibiting public WiFi usage altogether, providing secure 4G/5G access, or requiring VPN services if working in public spaces cannot be avoided.

10. Pay-For-Install Attacks

If you think you’re safe from your employees, you may want to think again. While that may sound harsh, you know what they say about an ounce of prevention.

Cybercriminals have bribed individuals in key positions to install ransomware directly into a computer network via an infected memory stick. Unfortunately, this method bypasses almost any security protocols you’ve put in place. Consider prohibiting USB usage completely, and put it in writing for employees to sign off on.

11. Network Scanning

When you give the devil a foothold, he takes a stronghold. Once attackers identify a vulnerability, they’ll use it to identify other weaknesses they can exploit. The scanning techniques they use include:

  • ARP scanning: Mapping physical addresses to logical (IP) addresses
  • Vertical scans: Scanning a single IP for multiple ports
  • Horizontal scans: Scanning multiple IPs for a single port
  • Box scanning: Both vertical and horizontal scans
  • Port scanning: Scanning to discover a network’s open doors or weak points
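
From the defender's side, the vertical, horizontal, and box patterns listed above can be told apart in firewall or flow logs. The following is an added example, not part of the original article; the three-field log format, the sample records, and the threshold of 3 are assumptions made for illustration.

```python
from collections import defaultdict

THRESHOLD = 3  # assumed cut-off: distinct ports or hosts before we call it a scan
# Constructed firewall-deny records ("src dst dst_port"); not real traffic.
SAMPLE_LOG = """\
10.0.5.23 10.0.1.10 22
10.0.5.23 10.0.1.10 80
10.0.5.23 10.0.1.10 443
10.0.7.40 10.0.1.10 3389
10.0.7.40 10.0.1.11 3389
10.0.7.40 10.0.1.12 3389
10.0.9.77 10.0.2.1 445
10.0.9.77 10.0.2.2 445
10.0.9.77 10.0.2.3 445
10.0.9.77 10.0.2.1 22
10.0.9.77 10.0.2.1 3389
10.0.3.15 10.0.1.10 443
10.0.3.15 10.0.1.20 443
truncated-line 10.0.1.10
"""

def classify_scans(log_text, threshold=THRESHOLD):
    """Return {src_ip: 'vertical' | 'horizontal' | 'box'} for scanning sources."""
    ports_by_host = defaultdict(lambda: defaultdict(set))  # src -> dst -> ports
    hosts_by_port = defaultdict(lambda: defaultdict(set))  # src -> port -> dsts
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3 or not fields[2].isdigit():
            continue  # skip malformed or truncated records
        src, dst, port = fields[0], fields[1], int(fields[2])
        ports_by_host[src][dst].add(port)
        hosts_by_port[src][port].add(dst)

    findings = {}
    for src in ports_by_host:
        # Vertical: many ports on one host. Horizontal: one port on many hosts.
        vertical = any(len(p) >= threshold for p in ports_by_host[src].values())
        horizontal = any(len(h) >= threshold for h in hosts_by_port[src].values())
        if vertical and horizontal:
            findings[src] = "box"
        elif vertical:
            findings[src] = "vertical"
        elif horizontal:
            findings[src] = "horizontal"
    return findings

if __name__ == "__main__":
    for src, kind in sorted(classify_scans(SAMPLE_LOG).items()):
        print(f"{src}: {kind} scan pattern")
```

In production the threshold would be tuned against normal traffic and applied per time window, since legitimate hosts such as monitoring servers also touch many ports and machines.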

12. Drive-By Downloads

Last but not least, drive-by downloads may be the most disturbing of all. Drive-by downloads occur without your knowledge and even without clicks.

This can happen by:

  • Viewing a website specifically created to host malicious software
  • Visiting a legitimate website with known vulnerabilities that has been injected with malware

Either way, the malicious content scans your device for vulnerabilities and then executes ransomware in the background.


Is your company at risk of a ransomware attack?

This Ransomware Incident Response Blueprint includes ten ready-to-use presentation templates, tools, and strategic guidance from Info-Tech Research Group. Use these resources to assess your organization's maturity for ransomware response and set people, processes, and technologies in place for when (not if) the attack happens.

Create a ransomware incident response plan today.
