Can ransomware spread through a router?

Routers play a critical role in connecting devices in a home or business network to the internet. As such, routers can potentially be exploited by cybercriminals to spread malware like ransomware across networks. In this article, we’ll examine whether ransomware can spread through routers and how routers can be secured against such attacks.

What is ransomware?

Ransomware is a type of malicious software or malware designed to deny access to a computer system or data until a ransom is paid. It works by encrypting files on a device and demanding payment to decrypt them and restore access. Some common examples of ransomware include WannaCry, CryptoLocker, and Ryuk.

Ransomware typically spreads through phishing emails, infected software apps, compromised websites, and drive-by downloads. The ransom amounts vary greatly, from several hundred to thousands of dollars, which are generally demanded in cryptocurrency to maintain anonymity.

Once installed, ransomware can spread laterally within networks to infect more computers. This internal propagation is a major risk for businesses in particular.

Can routers get infected by ransomware?

Routers connect networks to the internet, control traffic flow, and direct data packets to the correct devices. Most consumer-grade routers do not run complex operating systems that are vulnerable to ransomware. However, routers from some manufacturers, or those designed for business use, may be at risk.

In general, routers are less likely than computers and servers to be infected with ransomware directly. But routers can still be compromised indirectly in the following ways:

  • Weak passwords – If a router has a weak or default password, attackers can log in remotely and reconfigure it to distribute malware.
  • Unpatched firmware – Outdated router firmware contains security flaws that could let hackers gain control.
  • DNS hacking – By altering a router’s DNS settings, attackers can redirect traffic to malicious sites.
  • Malicious ads – Some ads on unsecured websites exploit browser vulnerabilities to spread malware to the router.
  • Router bots – Bots like Moose and MrBlack can infect thousands of routers to steal data or mount DDoS attacks.

Though not common, there are some instances of ransomware directly hijacking routers. For example, the VPNFilter malware compromised over 500,000 routers, while the PDoS and PureLocker ransomware strains have also attacked routers.

Can routers transmit ransomware to other devices?

Even if routers are not infected themselves, they can still play a role in spreading ransomware to other devices on the network in several ways:

Traffic redirection

By compromising the router, hackers can change DNS settings to point connected devices to malicious sites hosting ransomware downloads. Or they may alter firewall rules to allow ransomware traffic through.
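One way a defender can check for the DNS change described above is to compare the resolvers a client actually received from the router with the ones the network is supposed to use. The following is an added example, not part of the original article; the LAN subnet, the approved resolver list and the sample resolv.conf content are constructed assumptions.

```python
import ipaddress
import re

# Assumptions (constructed values): the LAN subnet and the resolvers this
# network is supposed to hand out to clients.
LAN = ipaddress.ip_network("192.168.1.0/24")
APPROVED_RESOLVERS = {"192.168.1.1", "9.9.9.9"}

# Constructed sample: resolv.conf content on a client after a DHCP renewal.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search lan
nameserver 192.168.1.1
nameserver 203.0.113.53
nameserver not-an-address
"""

def parse_nameservers(text):
    """Return (valid_ips, malformed_values) from resolv.conf-style text."""
    valid, malformed = [], []
    for raw in text.splitlines():
        m = re.match(r"\s*nameserver\s+(\S+)", raw)
        if not m:
            continue  # comments, search/options lines, blanks
        try:
            valid.append(str(ipaddress.ip_address(m.group(1))))
        except ValueError:
            malformed.append(m.group(1))
    return valid, malformed

def audit_resolvers(text, approved=APPROVED_RESOLVERS, lan=LAN):
    """List every resolver that is not on the approved list, with its location."""
    valid, malformed = parse_nameservers(text)
    findings = [(value, "malformed") for value in malformed]
    for ip in valid:
        if ip not in approved:
            where = "on-LAN" if ipaddress.ip_address(ip) in lan else "off-LAN"
            findings.append((ip, where))
    return findings

if __name__ == "__main__":
    for value, where in audit_resolvers(SAMPLE_RESOLV_CONF):
        print(f"unapproved resolver {value} ({where})")
```

An off-LAN finding means clients are being pointed at a resolver outside the network, while an on-LAN finding points to an unexpected host inside it answering DNS.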

Evil twin WiFi networks

Routers can broadcast fraudulent “evil twin” WiFi networks cloned from legitimate hotspots. Users who connect unwittingly to such networks can end up downloading ransomware.

LAN-based worms

Worms like WannaCry exploit vulnerabilities to spread laterally once inside a network. Since the router manages LAN traffic, it can facilitate this movement.

Man-in-the-middle attacks

By positioning themselves between the router and internet, attackers can covertly inject ransomware into legitimate traffic headed to devices.

Zero-day exploits

Unknown zero-day router flaws can be leveraged to compromise routers and push ransomware downloads before vendors can issue security patches.

So in essence, while not always directly infected themselves, routers can still enable ransomware transmission through: malicious redirection, WiFi spoofing, unsecured LANs, hijacked traffic, and unpatched weaknesses.

Notable router-based ransomware attacks

Some examples of ransomware outbreaks that involved router-level infections include:

Satori botnet

In 2017, this Mirai variant infected over 280,000 routers by exploiting a firmware flaw. It converted the routers into bots that could distribute ransomware.


VPNFilter

Linked to Russian state-sponsored hackers in 2018, this malware hijacked 500,000 routers to steal data and deliver ransomware payloads.

SOHOpeless routers

Multiple consumer-grade router models were found vulnerable to remote exploits in 2020 that could allow ransomware installation.

Sophos firewalls

Firewall OS vulnerabilities in 2020 allowed WastedLocker ransomware to breach corporate networks via compromised Sophos firewalls.

These examples highlight how ransomware groups actively target routers as distribution points into other networked devices and systems.

How can routers spread ransomware across networks?

Once compromised, routers can spread ransomware payloads further across networks through the following approaches:

ARP spoofing

By poisoning the ARP cache, ransomware forces traffic to route through the infected router to inject malware.
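ARP cache poisoning leaves traces in each host's neighbor table: the gateway's IP address maps to a different MAC address than before, and one MAC address answers for several IPs. The following is an added example, not part of the original article, that checks `ip neigh show` output for both signs; the gateway IP, the baseline MAC and the sample output are constructed assumptions.

```python
import re
from collections import defaultdict

# Assumptions (constructed values): the gateway's IP and the MAC address
# recorded for it while the network was known to be clean.
GATEWAY_IP = "192.168.1.1"
BASELINE_GATEWAY_MAC = "aa:bb:cc:00:00:01"

# Constructed sample of `ip neigh show` output on a LAN host.
SAMPLE_NEIGH = """\
192.168.1.1 dev eth0 lladdr de:ad:be:ef:00:42 REACHABLE
192.168.1.23 dev eth0 lladdr de:ad:be:ef:00:42 STALE
192.168.1.40 dev eth0 lladdr aa:bb:cc:00:00:40 REACHABLE
192.168.1.55 dev eth0  FAILED
"""

ENTRY = re.compile(r"^(\S+) dev \S+ lladdr ([0-9a-fA-F:]{17})\b")

def parse_neigh(text):
    """Return (ip, mac) pairs for IPv4 entries that have a resolved MAC."""
    pairs = []
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if m and ":" not in m.group(1):  # skip IPv6 neighbors and FAILED rows
            pairs.append((m.group(1), m.group(2).lower()))
    return pairs

def audit_arp(text, gateway_ip=GATEWAY_IP, baseline_mac=BASELINE_GATEWAY_MAC):
    """Flag a changed gateway MAC and any MAC claimed by more than one IP."""
    findings = []
    ips_by_mac = defaultdict(list)
    for ip, mac in parse_neigh(text):
        ips_by_mac[mac].append(ip)
        if ip == gateway_ip and mac != baseline_mac.lower():
            findings.append(("gateway-mac-changed", ip, mac))
    for mac, ips in ips_by_mac.items():
        if len(ips) > 1:
            findings.append(("mac-shared", mac, sorted(ips)))
    return findings

if __name__ == "__main__":
    for finding in audit_arp(SAMPLE_NEIGH):
        print(finding)
```

A shared MAC is a lead rather than proof, since a single host can legitimately hold several addresses; a changed gateway MAC with no hardware replacement is the stronger signal.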

Pop-up portals

Routers can redirect connected users to malicious captive portals that download ransomware disguised as software updates.

Domain spoofing

Fake internal domains can be configured on the router so ransomware downloads appear to come from trusted servers.

Removable media

Routers with USB ports can spread ransomware to directly connected removable drives, which then carry the infection to other devices.

WiFi hotspots

By forcing the router to create ransomware-broadcasting public WiFi hotspots, attackers can snare nearby users.

With their central network position and ability to manipulate traffic, routers provide ideal platforms for ransomware operators to infect other hosts.

Router security best practices

The following router security measures can reduce the risk of ransomware infection and lateral spread:

  • Update firmware regularly
  • Change default credentials
  • Disable remote administration
  • Turn off unused services
  • Use firewalls to block malicious sites
  • Isolate guest networks
  • Set up intrusion detection
  • Enable email alerts
  • Create backups

Enterprise and ISP-grade routers offer more advanced options like deep packet inspection, anomaly detection, and mandatory access controls to limit ransomware propagation.

Specialized ransomware protection

Along with general router security, specialized protections are required to defend against ransomware transmission:

  • IP reputation filtering – Block traffic from known ransomware IP addresses.
  • Payload analysis – Deep packet inspection to detect ransomware signatures and behaviors.
  • DNS filtering – Block access to ransomware command and control servers.
  • Proxy defense – Managed secure web gateways to filter out ransomware.
  • Endpoint detection – Monitor endpoints to identify ransomware infections originating from the router.

Enterprises should also segregate router management interfaces on separate network segments to prevent lateral ransomware movement.


To summarize, routers are less vulnerable to direct ransomware infection compared to computers and servers. However, routers can still play an instrumental role in the spread of ransomware across networks if compromised:

  • Weak router passwords and unpatched firmware can give hackers remote access to the router, letting them reconfigure it and distribute malware.
  • By changing DNS settings and firewall rules, broadcasting fake networks, and manipulating traffic, ransomware can be transmitted to other networked devices.
  • Malware strains like VPNFilter demonstrate how hundreds of thousands of routers have been hijacked specifically to enable ransomware attacks.

Practicing strong router security hygiene, isolating management interfaces, and deploying specialized protections are critical to contain ransomware outbreaks. While not always directly infected, routers can serve as key vectors spreading ransomware through networks if left unsecured.