Does ransomware spread through network?

Ransomware is a type of malicious software that encrypts files on a device or network, preventing users from accessing them. Attackers demand ransom payments in cryptocurrency to provide decryption keys and restore access. As ransomware attacks have increased in frequency and severity in recent years, understanding how ransomware spreads is critical to defending against it.

Key Takeaways

  • Ransomware can spread through networks via exploits or by taking advantage of weak security practices.
  • Wormable ransomware strains like WannaCry and NotPetya are able to self-propagate across networks.
  • More targeted ransomware is often spread through phishing emails and social engineering.
  • Strong segmentation, access controls and cybersecurity awareness can help limit ransomware spread.

How does ransomware infect devices initially?

Ransomware most commonly begins with an initial infection of an endpoint device like a desktop computer, laptop, or server. Typically, ransomware arrives through:

  • Phishing emails – Malicious emails with infected attachments or links to malware are a prime vector for ransomware. Users are tricked into downloading or opening files that install the ransomware.
  • Drive-by downloads – Visiting compromised websites can trigger automatic malware downloads that don’t require any user interaction.
  • Software vulnerabilities – Unpatched weaknesses in operating systems and applications can be exploited to install ransomware.
  • Brute force attacks – Attackers gain access to networks through compromised credentials obtained via password guessing or brute force tools.

Once ransomware establishes an initial foothold on one device connected to a network, the infection can potentially spread further through the network if not contained.

Can ransomware spread across networks?

Whether ransomware is able to move laterally across a network depends on a few key factors:

  • Wormability – Some ransomware strains like WannaCry and NotPetya contain worm-like functionality allowing them to self-propagate across networks by exploiting vulnerabilities. Others spread through stolen credentials.
  • Network access – The network permissions granted to the compromised account or process influence how far ransomware can spread. Overly permissive access enables wider infection.
  • Security controls – Effective internal security measures like firewalls, access controls and network segmentation can limit ransomware spread.

Wormable ransomware strains

WannaCry and NotPetya are two well-known examples of ransomware with worm-like capabilities. These strains can spread automatically through a network by exploiting weaknesses rather than requiring manual attacker intervention.

WannaCry, which caused significant global disruption in 2017, uses a Windows SMB exploit called EternalBlue to infect other unpatched machines on the same network. NotPetya, which spread rapidly the same year, used a supply chain attack combined with the EternalBlue exploit and stolen administrator credentials to propagate.

While patches exist for EternalBlue and other exploits used by wormable ransomware, keeping systems fully updated remains a challenge for many organizations. Prompt patching and limiting unnecessary SMB connections can help guard against this attack vector.

Credential access and lateral movement

If the initial ransomware compromise gains administrative or high-level permissions, the malware can take advantage of these privileges to infect a wider number of systems on the network.

Brute forcing or password spraying with stolen credential dumps can also allow ransomware to expand its impact. Attackers may disable security tools or expand permissions to facilitate infection of additional high-value endpoints.

Implementing the principle of least privilege and enabling multi-factor authentication make lateral ransomware movement more difficult.
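As an added example, not part of the original article, the following Python script checks for the two patterns this section describes, using a handful of constructed Windows Security log events: one account logging on over the network to many hosts within a short window (the fan-out produced when stolen credentials are reused) and one host failing logons against many different accounts (password spraying). The event field layout, thresholds and window sizes are assumptions; in practice the 4624/4625 events would come from a SIEM or the Security event log.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample Windows Security events (not real logs), as tuples of
# (timestamp, event_id, account, source_host, target_host, logon_type).
# 4624 = successful logon, 4625 = failed logon, logon type 3 = network.
SAMPLE_EVENTS = [
    ("2024-03-01T09:00:01", 4624, "alice", "WS-01", "FS-01", 3),
    ("2024-03-01T09:03:10", 4624, "alice", "WS-01", "PRINT-01", 3),
] + [  # svc_backup reaches eight different servers in under a minute
    (f"2024-03-01T09:10:{s:02d}", 4624, "svc_backup", "WS-04", f"SRV-{n:02d}", 3)
    for n, s in enumerate(range(0, 56, 7), start=1)
] + [  # WS-07 fails logons against six different accounts within seconds
    (f"2024-03-01T09:20:{s:02d}", 4625, acct, "WS-07", "DC-01", 3)
    for s, acct in enumerate(["bob", "carol", "dave", "erin", "frank", "grace"])
]

def _windowed_fan_out(series, window, threshold):
    """series: key -> list of (datetime, value). Returns {key: count} for keys
    whose distinct values inside some sliding window exceed threshold."""
    flagged = {}
    for key, items in series.items():
        items.sort()
        for i, (t0, _) in enumerate(items):
            distinct = {v for t, v in items[i:] if t - t0 <= window}
            if len(distinct) > threshold:
                flagged[key] = len(distinct)
                break
    return flagged

def detect_fan_out(events, window=timedelta(minutes=5), max_hosts=5):
    """Accounts with network logons to more than max_hosts distinct targets in
    one window: the fan-out produced when stolen credentials are reused."""
    series = defaultdict(list)
    for ts, eid, acct, _src, dst, ltype in events:
        if eid == 4624 and ltype == 3:
            series[acct].append((datetime.fromisoformat(ts), dst))
    return _windowed_fan_out(series, window, max_hosts)

def detect_spray(events, window=timedelta(minutes=1), max_accounts=4):
    """Source hosts whose failed logons touch more than max_accounts distinct
    accounts in one window: the signature of password spraying."""
    series = defaultdict(list)
    for ts, eid, acct, src, _dst, _ltype in events:
        if eid == 4625:
            series[src].append((datetime.fromisoformat(ts), acct))
    return _windowed_fan_out(series, window, max_accounts)
```

On the sample data, `detect_fan_out` flags only `svc_backup` (8 hosts) and `detect_spray` flags only `WS-07` (6 accounts); `alice`, with two logons, stays below the threshold.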

Targeted ransomware

In more targeted ransomware campaigns, attackers carefully select their victims, compromise them, and move laterally across the network by hand to reach high-value assets. These targeted attacks rely less on automatic propagation of the ransomware itself.

Phishing emails and social engineering tailored for key personnel enable attackers to gain an initial foothold and then pivot internally. This manual lateral movement is akin to a cyberespionage campaign, allowing ransomware to be deployed on critical assets for maximum impact.

Strict controls on remote access combined with heightened employee awareness of social engineering can help defend against targeted ransomware spread.

How can organizations limit ransomware spread across networks?

The most effective ways for organizations to contain ransomware spreading across their networks include:

  • Network segmentation – Splitting the network into smaller segments with firewalls and access controls prevents ransomware from moving unchecked between different sections.
  • Least privilege access – Only provide user and service accounts the minimum permissions necessary to function. This restricts damage from compromised accounts.
  • Proactive patching – Rapidly deploying patches and fixes for known exploits removes vulnerabilities ransomware can take advantage of.
  • Endpoint detection – Endpoint detection and response (EDR) tools can spot ransomware behavior and cut off infections before they spread widely.
  • Backups – Maintaining recent, isolated backups makes it possible to restore encrypted data without paying the ransom.
  • User education – Training staff to recognize phishing attempts and other social engineering reduces ransomware’s initial entry point.

Network segmentation

Dividing networks into smaller segments separated by security controls makes it harder for ransomware to infect the entire network by limiting lateral pathways for propagation. This containment strategy is especially important for slowing wormable ransomware strains.

Critical assets like databases and file shares should be placed in separate network zones with restricted access. Any legacy systems that can’t be patched should also be segmented.

Least privilege and role-based access

Limiting unnecessary user and service permissions through principles like least privilege and role-based access reduces the damage if an account or service is compromised by ransomware. Rights should only be granted if required for a specific business function.

Administrative privileges provide the most control for ransomware to spread and should be tightly restricted. Multi-factor authentication adds another layer of security for admin and other high-privilege accounts.

Patching and vulnerability management

Wormable ransomware often relies on exploiting known unpatched vulnerabilities to propagate across networks. Regular patching, especially for internet-facing services, eliminates many of these weaknesses.

A mature vulnerability management program that actively scans for security gaps and deploys patches promptly will minimize the attack surface for ransomware spread.

Endpoint detection and response

Advanced EDR tools leverage machine learning and behavioral analysis to rapidly detect ransomware infections before they can spread widely across networks.

By alerting security teams in real time and halting suspicious activity, EDR systems can isolate infections before ransomware compromises large numbers of endpoints or inflicts major damage.
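As an added example that is not from the article or from any EDR product, the script below implements a simplified behavioral heuristic of the kind described above and runs it over constructed file-activity telemetry: a process is flagged when, inside one short window, it both overwrites files with high-entropy (encrypted-looking) data and renames them to a different extension at least a threshold number of times. Process names, paths, thresholds and the event layout are all constructed assumptions.

```python
import math
from collections import Counter, defaultdict
from datetime import datetime, timedelta

HIGH_ENTROPY = 7.0  # bits/byte; encrypted or compressed output sits near 8.0

def shannon_entropy(data):
    """Bits of entropy per byte of data (0.0 for empty input)."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def _extension_changed(old, new):
    return old.rsplit(".", 1)[-1].lower() != new.rsplit(".", 1)[-1].lower()

def flag_encryption_bursts(events, window=timedelta(seconds=30), threshold=5):
    """events: (iso_timestamp, process, op, path, payload); op is "write"
    (payload = bytes written) or "rename" (payload = new path). Returns
    {process: (encrypted_writes, extension_changes)} for processes that reach
    threshold on both counts inside one sliding window."""
    suspicious = defaultdict(list)  # process -> [(time, kind)]
    for ts, proc, op, path, payload in events:
        t = datetime.fromisoformat(ts)
        if op == "write" and shannon_entropy(payload) >= HIGH_ENTROPY:
            suspicious[proc].append((t, "enc"))
        elif op == "rename" and _extension_changed(path, payload):
            suspicious[proc].append((t, "ext"))
    flagged = {}
    for proc, items in suspicious.items():
        items.sort()
        for i, (t0, _) in enumerate(items):
            kinds = Counter(k for t, k in items[i:] if t - t0 <= window)
            if kinds["enc"] >= threshold and kinds["ext"] >= threshold:
                flagged[proc] = (kinds["enc"], kinds["ext"])
                break
    return flagged

# Constructed sample telemetry (not captured from any real system).
_ENC = bytes(range(256)) * 4                      # flat histogram: entropy 8.0
_TXT = b"Quarterly figures, see attached. " * 16  # ordinary document text
SAMPLE_EVENTS = [
    ("2024-03-01T10:00:00", "WINWORD.EXE", "write", "D:\\docs\\q1.docx", _TXT),
    ("2024-03-01T10:00:05", "WINWORD.EXE", "write", "D:\\docs\\q1.docx", _TXT),
]
for i in range(8):  # one process rewriting and renaming eight files in 16 s
    base = f"D:\\docs\\file{i}.xlsx"
    SAMPLE_EVENTS.append((f"2024-03-01T10:05:{2*i:02d}", "unknown.exe", "write", base, _ENC))
    SAMPLE_EVENTS.append((f"2024-03-01T10:05:{2*i+1:02d}", "unknown.exe", "rename", base, base + ".encrypted"))
```

On the sample data the word processor's low-entropy writes produce no score, while `unknown.exe` is flagged with eight encrypted writes and eight extension changes; an EDR agent would then isolate that host and kill the process.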

Secure backups

Maintaining recent backups of critical data that are stored offline and immutable makes it possible to restore encrypted files after a ransomware attack without paying the ransom. This backup hygiene is key to recovering from significant infections.

Backups should be regularly tested to verify recoverability. Air-gapped, immutable backup archives will not be compromised by even widespread ransomware spread.

User education and training

Human error often enables ransomware to gain an initial foothold, especially through phishing attacks. Consistent education and engagement help employees recognize and report potential threats before they turn into major incidents.

Conducting periodic phishing simulations and security awareness training makes users a strong last line of defense against ransomware infections.

Example defensive architecture

A multi-layered ransomware defense combining the controls above could look like this (layer – controls):

  • Email gateway – Malware scanning, phishing filters, graymail filters
  • Endpoints – EDR, exploit prevention, application allowlisting
  • Network – Segmentation, access controls, firewalls
  • Privileged access – MFA, least privilege roles, PAM
  • Backups – Isolated, immutable backups, regular testing
  • Vulnerability management – Scanning, rapid patching
  • Employees – Security awareness training, phishing simulations

Conclusion

Ransomware has the potential to spread through connected networks by taking advantage of vulnerabilities and weak security practices. Wormable strains can self-propagate rapidly using exploits, while targeted ransomware relies more on social engineering and manual attacker involvement to spread.

Implementing fundamental best practices around network segmentation, least privilege access, patching and backups is key to limiting ransomware infection and spread. Advanced protections like EDR and user awareness also play important roles in preventing ransomware from moving laterally across networks.

A defense-in-depth approach combining multiple layers of protection is the strongest defense against ransomware propagation and limits damage if infections occur. With proper containment measures in place, organizations can avoid ransomware spreading widely across their networks.