Can ransomware spread from one computer to another?

Ransomware is a type of malicious software or malware that encrypts files on a device and demands payment in order to decrypt them. There has been a major rise in ransomware attacks in recent years, causing significant financial losses and disruption. A key question surrounding ransomware is whether it can spread from an infected device to other computers on a network.

What is ransomware?

Ransomware is a form of malware that locks or encrypts files on a device, rendering them inaccessible to the user. The attacker demands a ransom payment, usually in cryptocurrency like Bitcoin, in exchange for the decryption key to unlock the files. If the ransom is not paid, the files remain encrypted and inaccessible.

Some common examples of ransomware strains include:

  • CryptoLocker
  • WannaCry
  • Ryuk
  • REvil

Ransomware most often arrives through phishing emails carrying malicious attachments or links, although exposed remote access services and unpatched software are now equally common entry points. Once executed on a device, the ransomware encrypts files and drops a ransom note. The note usually sets a short deadline, after which the attacker threatens to raise the price, destroy the decryption key, or publish data stolen before the encryption began (so-called double extortion).

How does ransomware infect a computer?

There are several common infection vectors through which ransomware can gain access to a computer or network:

  • Email phishing – Malicious email attachments or links that download and install ransomware when opened or clicked on.
  • Drive-by downloads – Visiting compromised websites that automatically download and install ransomware.
  • Remote Desktop Protocol (RDP) – Brute forcing or password-spraying weak credentials on internet-exposed RDP services, or logging in with stolen ones, then executing ransomware by hand.
  • Software vulnerabilities – Exploiting unpatched software vulnerabilities to install ransomware.
  • Infected external devices – Plugging in a USB or external hard drive with ransomware malware.

Once installed, the ransomware runs automated encryption routines to lock files. It then displays a ransom note demanding payment for decryption. Payment timelines are usually short, creating urgency for victims.

Can ransomware spread from computer to computer?

Most ransomware payloads are built to encrypt whatever the infected device can reach, not to propagate on their own. A minority of variants, WannaCry and NotPetya among them, bundle a worm component that exploits vulnerabilities to self-propagate across networks without any user action.

There are a few ways ransomware can potentially spread from one infected computer to other devices and systems:

  • Network shares – Many families enumerate reachable SMB shares and encrypt the files on them. The file server itself is not infected, but its data is, and every user of that share is affected.
  • Mapped drives – Drives mapped on the infected machine are treated like local disks, so their contents are encrypted under the permissions of the logged-on user.
  • Network propagation – Wormable variants scan the LAN for hosts exposing a vulnerable service (WannaCry and NotPetya targeted SMB) and install themselves on each one.
  • Shared external drives – USB sticks and external disks carried between machines can carry the malware executable, or simply return already-encrypted files.

Most ransomware, though, has no self-spreading capability. In modern human-operated intrusions the attackers, not the malware, do the spreading: after stealing administrator credentials they push the payload to many machines at once with PsExec, WMI or a Group Policy object. Network segmentation and tight control of administrative credentials limit how far either form of lateral movement can go.
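As an added illustration, not code from the original article: a Python detector for the share-encryption behaviour described above. It reads constructed file-server audit events and alerts on a client that renames many distinct files on a share with a new extension inside a sliding window, which is the footprint left when mapped or shared folders are encrypted. The log format, the thresholds and the ".locked" extension are assumptions for the demo.

```python
"""Detect a client mass-encrypting files on a network share.

Added example, not code from the original article: it parses constructed
file-server audit events (the kind a Windows file server or Samba audit log
produces) and flags any client host that, within a short window, renames
many distinct files on a share with a changed extension, the footprint
ransomware leaves when it encrypts mapped and shared folders.
Log format, thresholds and the ".locked" extension are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

WINDOW = timedelta(seconds=60)  # sliding window per client host (assumed tuning)
THRESHOLD = 10                  # distinct files renamed with a new extension (assumed)
NOTE_HINTS = ("readme", "recover", "decrypt", "restore")

# Constructed audit log: "time,client,user,op,path[,newpath]", time-ordered.
# WS-03 is normal user activity; WS-17 is the infected client.
BENIGN = [
    r"2024-05-02T09:14:01,WS-03,jdoe,WRITE,\\FS1\finance\q1\budget.xlsx",
    r"2024-05-02T09:14:20,WS-03,jdoe,RENAME,\\FS1\finance\q1\draft.docx,\\FS1\finance\q1\final.docx",
]
BURST = [
    rf"2024-05-02T09:15:{2 + i:02d},WS-17,svc_backup,RENAME,"
    rf"\\FS1\finance\q1\report{i:02d}.xlsx,\\FS1\finance\q1\report{i:02d}.xlsx.locked"
    for i in range(12)
]
NOTE = [r"2024-05-02T09:15:31,WS-17,svc_backup,CREATE,\\FS1\finance\q1\README_RECOVER_FILES.txt"]
SAMPLE_LOG = BENIGN + BURST + NOTE


def parse_event(line):
    """Split one audit line into a dict; 'new' is only present for renames."""
    parts = line.strip().split(",")
    ts, host, user, op, path = parts[:5]
    return {"ts": datetime.fromisoformat(ts), "host": host, "user": user,
            "op": op, "path": path, "new": parts[5] if len(parts) > 5 else None}


def extension_changed(old, new):
    return PureWindowsPath(old).suffix.lower() != PureWindowsPath(new).suffix.lower()


def looks_like_ransom_note(path):
    name = PureWindowsPath(path).name.lower()
    return name.endswith((".txt", ".html", ".hta")) and any(h in name for h in NOTE_HINTS)


def detect(lines, window=WINDOW, threshold=THRESHOLD):
    """Return {client: {"renames": peak_distinct_files, "notes": [paths]}} for
    clients whose extension-changing renames reach the threshold in the window."""
    recent = defaultdict(deque)   # client -> deque[(ts, path)] inside the window
    peak = {}                     # client -> largest distinct-file count seen
    notes = defaultdict(list)     # client -> ransom-note-like files created
    for line in lines:
        ev = parse_event(line)
        host = ev["host"]
        if ev["op"] == "CREATE" and looks_like_ransom_note(ev["path"]):
            notes[host].append(ev["path"])
        if ev["op"] != "RENAME" or not ev["new"] or not extension_changed(ev["path"], ev["new"]):
            continue
        dq = recent[host]
        dq.append((ev["ts"], ev["path"]))
        while dq and ev["ts"] - dq[0][0] > window:   # expire events older than the window
            dq.popleft()
        distinct = len({p for _, p in dq})
        if distinct >= threshold:
            peak[host] = max(peak.get(host, 0), distinct)
    return {h: {"renames": n, "notes": notes[h]} for h, n in peak.items()}


if __name__ == "__main__":
    for host, info in detect(SAMPLE_LOG).items():
        print(f"ALERT {host}: {info['renames']} files re-extensioned within {WINDOW.seconds}s;"
              f" ransom-note candidates: {info['notes']}")
```

The client host named in the alert is the one to isolate; the file server only holds the damage. A ransom-note-like file on its own is not alerted on, because ordinary users create README.txt files too; it is reported as corroboration once the rename burst fires.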

Can ransomware spread over WiFi?

Wi-Fi is just another link into the same network, so this question is really about what the ransomware can reach. A worm component that scans the local subnet for vulnerable SMB hosts works identically over wireless and wired connections; nothing in the malware is specific to Wi-Fi. What wireless does change is the attack surface around it:

  • A weak or widely shared pre-shared key, an open guest network bridged to the corporate LAN, or a rogue access point can give an attacker the initial network access they need.
  • Once one wireless client is compromised, every share and host reachable from that wireless segment can be encrypted or attacked, exactly as from a wired port.
  • Wireless networks without client isolation let an infected laptop talk directly to every other client on the same SSID.
  • Laptops that roam between home, public and corporate Wi-Fi can carry an infection, or an attacker's foothold, into the corporate network.

Wireless should therefore be treated as an untrusted segment: keep guest and corporate SSIDs separate, enable client isolation where devices do not need to talk to each other, use WPA2/WPA3-Enterprise with per-user credentials rather than a shared key, and monitor wireless segments like any other part of the network.

How does ransomware affect other computers on a network?

When ransomware compromises one computer on a network, it can have implications for other systems and files:

  • Shared file encryption – Network shared folders and drives mapped to the infected computer may have files encrypted.
  • Wormable threats – Ransomware variants with worm-like features can actively propagate using vulnerabilities.
  • Lateral movement – Credentials or accounts compromised on one system may enable attackers to move laterally.
  • Resource exhaustion – Encrypting a large share generates heavy read/write and SMB traffic, which can slow file servers and the network to the point that other users lose access.

Proper network segmentation, limiting share permissions to what each user actually needs, and prompt detection and isolation of infected systems help minimize the blast radius from any single infection.

Best practices to prevent ransomware spread

Here are some best practices organizations can implement to prevent or limit ransomware spread across a network:

  • Network segmentation – Split networks into zones and restrict lateral communication between high and low trust zones.
  • Account restrictions – Limit account privileges and disable macros, scripts, and unneeded features.
  • Endpoint protection – Use EDR or antivirus with behavioural ransomware detection (mass file renames, shadow copy deletion, suspicious process chains) rather than signatures alone.
  • Email security – Filter email attachments, block phishing links, and consider outgoing email filtering.
  • Backups – Maintain offline, immutable backups to recover encrypted files if needed.
  • Network monitoring – Watch for signs of ransomware activity such as command-and-control beaconing, SMB scanning across a subnet, and bursts of file renames on shares.
  • Vulnerability management – Patch software promptly and monitor systems for unpatched CVEs attackers can exploit to install ransomware.
  • User education – Train employees to identify and report potential phishing emails or suspicious behavior.

A defense-in-depth security posture across endpoints, email, network, servers, cloud instances, and backups is key to limiting ransomware impact.

Case Study: NotPetya ransomware outbreak

One of the most infamous examples of ransomware-style malware rapidly spreading through networks is the June 2017 NotPetya attack. It presented itself as ransomware, but victims had no workable way to recover their files even if they paid, and it was later assessed as a destructive wiper.

NotPetya entered victim networks through a trojanized update of M.E.Doc, an accounting package widely used in Ukraine. Once executed it spread in two ways: the EternalBlue and EternalRomance SMB exploits leaked from the NSA, and credentials harvested from the memory of the infected machine, which it reused with the legitimate PsExec and WMIC tools to execute itself on other hosts. Within hours it had crippled global companies including Maersk, FedEx (through its TNT Express subsidiary) and the pharmaceutical company Merck.

Global damage was estimated at around $10 billion; Maersk alone reported costs of $250 to $300 million. The credential-reuse path meant that fully patched machines were infected too, so patching alone would not have stopped it; segmentation and tight control of administrative credentials were needed to limit the spread.

NotPetya demonstrated how a single point of infection can compromise an entire corporate network. Modern ransomware operations such as Ryuk follow the same playbook by hand, abusing legitimate management tools and stolen credentials to move laterally before deploying the encryptor across the environment.

Lessons learned from NotPetya

The NotPetya outbreak provided several key lessons for ransomware defense:

  • Software supply chain security is critical as upstream compromise enables broad downstream infections.
  • Wormable malware can spread exponentially if segmentation controls are lacking.
  • Admin tools like PowerShell, WMI and PsExec must be constrained and logged, because ransomware operators use them exactly as administrators do.
  • Network monitoring and behavioural analysis could have detected the worm-like spread: one host opening SMB connections to hundreds of others, and the same credential logging on across the estate within minutes, are anomalies regardless of whether the payload itself is recognized.
  • Prompt vulnerability patching and legacy OS upgrade is essential to limit exploitability by worms.
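The credential-reuse spread just described, and the lateral-movement risk noted earlier under how ransomware affects other computers on a network, can be caught from logon telemetry alone. The following Python is an added example, not code from the original article or any vendor product: it parses constructed, simplified Windows Security log lines and flags one account performing network logons to many hosts in a short window, and hosts where such a logon is followed by installation of a PsExec-style service. The line format, field names, service names and thresholds are assumptions for the demo.

```python
"""Spot credential-based lateral movement in Windows logon events.

Added example, not code from the original article or any vendor product: it
parses constructed, simplified Windows Security log lines and flags
  1. an account performing network logons (event 4624, logon type 3) to many
     distinct hosts within a short window, and
  2. hosts where such a logon is followed within seconds by a service install
     (event 7045) of a PsExec-style service, the remote-execution pattern
     NotPetya used with stolen credentials.
The line format, field names and thresholds are assumptions for the demo.
"""
from collections import defaultdict
from datetime import datetime, timedelta

FANOUT_WINDOW = timedelta(minutes=10)   # assumed: real admins rarely touch this many hosts this fast
FANOUT_HOSTS = 5
EXEC_WINDOW = timedelta(seconds=90)     # logon -> service install gap treated as one action
SUSPECT_SERVICES = ("psexesvc", "paexec", "csexec", "winexesvc")

# Constructed sample: jdoe does one normal logon, WS-02 installs a benign
# service, and ACME\itadmin (a stolen credential) fans out over six hosts,
# installing PSEXESVC on each right after logging on.
_t0 = datetime(2017, 6, 27, 10, 32, 0)
SAMPLE_LOG = [
    r"2017-06-27T10:30:01 host=FS1 event=4624 logon_type=3 user=ACME\jdoe src_ip=10.0.5.3",
    r"2017-06-27T10:31:10 host=WS-02 event=7045 service=Sense image=C:\Windows\System32\MsSense.exe",
]
for _i in range(6):
    _logon = _t0 + timedelta(seconds=40 * _i)
    _svc = _logon + timedelta(seconds=5)
    SAMPLE_LOG.append(rf"{_logon.isoformat()} host=WS-1{_i} event=4624 logon_type=3 user=ACME\itadmin src_ip=10.0.5.17")
    SAMPLE_LOG.append(rf"{_svc.isoformat()} host=WS-1{_i} event=7045 service=PSEXESVC image=%SystemRoot%\PSEXESVC.exe")


def parse(line):
    """'TIMESTAMP key=value key=value ...' -> dict (values contain no spaces here)."""
    ts, _, rest = line.strip().partition(" ")
    ev = dict(tok.split("=", 1) for tok in rest.split() if "=" in tok)
    ev["ts"] = datetime.fromisoformat(ts)
    return ev


def max_hosts_in_window(times, window):
    """Largest number of hosts first reached within any span of `window`."""
    times = sorted(times)
    best = lo = 0
    for hi, t in enumerate(times):
        while t - times[lo] > window:
            lo += 1
        best = max(best, hi - lo + 1)
    return best


def analyse(lines, fanout_window=FANOUT_WINDOW, fanout_hosts=FANOUT_HOSTS):
    """Return {"fanout": {user: hosts_in_window}, "remote_exec": [(host, user, src_ip, service)]}."""
    first_logon = defaultdict(dict)     # user -> {host: first network logon time}
    logons_by_host = defaultdict(list)  # host -> [(ts, user, src_ip)]
    findings = {"fanout": {}, "remote_exec": []}
    for line in lines:
        ev = parse(line)
        host = ev["host"]
        if ev["event"] == "4624" and ev.get("logon_type") == "3":
            first_logon[ev["user"]].setdefault(host, ev["ts"])
            logons_by_host[host].append((ev["ts"], ev["user"], ev.get("src_ip")))
        elif ev["event"] == "7045" and any(s in ev.get("service", "").lower() for s in SUSPECT_SERVICES):
            # attribute the service install to the latest network logon on that host
            for ts, user, src in reversed(logons_by_host[host]):
                if timedelta(0) <= ev["ts"] - ts <= EXEC_WINDOW:
                    findings["remote_exec"].append((host, user, src, ev["service"]))
                    break
    for user, hosts in first_logon.items():
        n = max_hosts_in_window(hosts.values(), fanout_window)
        if n >= fanout_hosts:
            findings["fanout"][user] = n
    return findings


if __name__ == "__main__":
    f = analyse(SAMPLE_LOG)
    for user, n in f["fanout"].items():
        print(f"FAN-OUT {user}: network logons to {n} hosts within {FANOUT_WINDOW}")
    for host, user, src, svc in f["remote_exec"]:
        print(f"REMOTE-EXEC {host}: {svc} installed right after {user} logged on from {src}")
```

Both signals fire before any file is encrypted, which is the window in which disabling the account and isolating the source address still prevents most of the damage. Tune the fan-out threshold against your own baseline of legitimate administrative activity.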

How to stop ransomware from spreading

Here are important measures organizations should take to stop or contain ransomware spread:

  • Subnet segmentation – Break networks into separate zones with firewalls, access controls and monitoring between segments.
  • Privileged access management – Limit excessive user privileges and ensure admin activities are logged.
  • Domain controller protection – Secure DCs and domain admin accounts; an attacker who controls the domain can push the encryptor to every machine at once via Group Policy.
  • Disable macros – Block Office macros, scripts and executables which are common infection vectors.
  • Sandbox attachments – Detonate email attachments in a sandbox and observe their behaviour before delivering them to users.
  • Web filtering – Block access to known malicious sites used for malware delivery.
  • OS and software patching – Eliminate vulnerabilities ransomware often exploits to spread.

Quick ransomware detection and response capabilities are also necessary to contain infections before they spread widely across networks. Ransomware resilient backup systems support recovery if encryption does occur.
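The segmentation advice in this section and in the best-practices list above comes down to a small set of allow rules over the ports ransomware uses to move sideways. The following Python is an added example, not code from the original article or any firewall vendor: it defines trust zones as CIDR ranges and a deny-by-default policy in which only a jump host may administer servers and workstations never reach each other on SMB, RDP, WinRM or RPC, then evaluates constructed flow records and lists what a segmented network would have blocked. The zones, addresses, allow list and sample flows are all assumptions for the demo.

```python
"""Check observed flows against a lateral-movement segmentation policy.

Added example, not code from the original article or any firewall vendor: it
defines trust zones as CIDR ranges and a deny-by-default policy for the ports
ransomware uses to move sideways (SMB, RDP, WinRM, RPC), where only a jump
host may administer servers and workstations may never reach each other on
those ports. It then evaluates constructed flow records and lists the flows a
segmented network would have blocked. Zones, addresses, the allow list and
the sample flows are all assumptions for the demo.
"""
import ipaddress
from collections import defaultdict

LATERAL_PORTS = {445: "smb", 3389: "rdp", 5985: "winrm", 5986: "winrm-tls", 135: "rpc"}

ZONES = {
    "workstations": ipaddress.ip_network("10.10.0.0/16"),
    "servers": ipaddress.ip_network("10.20.0.0/24"),
    "dc": ipaddress.ip_network("10.20.1.0/24"),
    "jump": ipaddress.ip_network("10.30.0.0/28"),
}

# Allow rules as (src_zone, dst_zone, port or None for any lateral port).
# Anything else on a lateral port is denied; other ports are out of scope here.
ALLOW = [
    ("jump", "servers", None),
    ("jump", "dc", None),
    ("jump", "workstations", 3389),
    ("workstations", "servers", 445),  # users still need file shares
    ("workstations", "dc", 445),       # SYSVOL / NETLOGON for Group Policy
    ("servers", "dc", 445),
]


def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), "unknown")


def allowed(src_ip, dst_ip, dport):
    """Deny-by-default decision for lateral ports; non-lateral ports pass through."""
    if dport not in LATERAL_PORTS:
        return True
    s, d = zone_of(src_ip), zone_of(dst_ip)
    return any(sz == s and dz == d and p in (None, dport) for sz, dz, p in ALLOW)


def audit(flows):
    """Return the (src, dst, port, service, src_zone, dst_zone) tuples the policy denies."""
    return [(s, d, p, LATERAL_PORTS[p], zone_of(s), zone_of(d))
            for s, d, p in flows if not allowed(s, d, p)]


def blast_radius(denied):
    """Distinct destinations each source would have reached without segmentation."""
    reach = defaultdict(set)
    for s, d, *_ in denied:
        reach[s].add(d)
    return {s: len(dsts) for s, dsts in reach.items()}


# Constructed flows: 10.10.4.17 is a workstation behaving like a worm.
FLOWS = [
    ("10.10.4.17", "10.20.0.5", 445),    # ws -> file server share: allowed
    ("10.10.4.17", "10.10.4.18", 445),   # ws -> ws SMB: worm-like, denied
    ("10.10.4.17", "10.10.4.19", 445),   # ws -> ws SMB: denied
    ("10.10.4.17", "10.20.0.5", 3389),   # ws -> server RDP: denied
    ("10.30.0.2", "10.20.0.5", 3389),    # jump -> server RDP: allowed
    ("10.10.4.17", "10.10.4.18", 443),   # not a lateral port: out of scope
    ("10.10.4.17", "10.20.1.10", 135),   # ws -> DC RPC/WMI: denied
]

if __name__ == "__main__":
    denied = audit(FLOWS)
    for s, d, p, svc, sz, dz in denied:
        print(f"DENY {sz}:{s} -> {dz}:{d} {svc}/{p}")
    print("destinations removed from the blast radius:", blast_radius(denied))
```

Run against real flow logs, the denied list is the set of rules a firewall or host-based filter needs before the policy is enforced, and the blast-radius count shows how many machines a single infected workstation would otherwise have been able to touch over those ports.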

Conclusion

Ransomware does not by default spread across networks like a worm; its usual job is to encrypt whatever the infected machine can reach, including network shares. Some variants do carry worm components, and human operators routinely spread the payload themselves using stolen credentials, unpatched vulnerabilities and lateral movement, so a single infection is rarely where the damage stops.

Strict controls like network microsegmentation, hardened system configurations, email security, and prompt patching are required to restrict ransomware blast radius. Rapid detection and response when ransomware is spotted also limits spread. Backups support recovery if ransomware does proliferate through a network.

With the surge in ransomware attacks, organizations must assume compromise will occur and architect defenses to limit spread and business disruption. Planning and testing incident response plans for ransomware is critical to minimize overall impact.