How does most ransomware get in?

Ransomware is a form of malicious software that encrypts files on a device and demands payment in order to decrypt them. There are a few primary ways that ransomware typically manages to get onto a system and launch an attack.

Email Attachments

One of the most common distribution methods for ransomware is via email attachments. Cybercriminals will send out mass emails that appear legitimate, often impersonating a trusted source, with an infected file attached. If the user opens this attachment, the ransomware payload can be delivered and launched.

These emails usually contain persuasive language urging the recipient to open the attachment, such as claiming the attachment is an overdue invoice or important document. The filenames are also crafted to sound plausible and important, such as “Resume.docx.”

Once the user opens the infected attachment, the ransomware is able to silently infect the system and begin encrypting files in the background before any notification is shown to the user. It is important to carefully check email attachments before opening them, especially from unknown or suspicious senders.

Techniques Used in Email Attachments

Ransomware distributors use a variety of tricky techniques to get users to open attachments, such as:

  • Using subject lines that create urgency or demand immediate action
  • Spoofing the sender address to appear to come from a trusted source
  • Embedding the ransomware payload inside ordinary file types like Word documents and PDFs
  • Giving files innocent-sounding names related to common documents and content

Infected Websites

Another avenue ransomware uses to reach target systems is via websites infected with malicious code. Users browsing the web can inadvertently visit compromised sites or click infected ads or links that trigger a drive-by download.

With drive-by attacks, the ransomware payload can get installed onto the victim’s device with little or no action on their part, simply by visiting the infected site. The ransomware then activates as soon as the device is infected.

Signs of Malicious Websites

Warning signs of an infected website can include:

  • Visiting a site and receiving strange pop-ups or error messages
  • Being redirected to unfamiliar pages you didn’t click on
  • Your browser or other programs freezing or crashing
  • A sudden spike in activity from your hard drive

Being cautious around unfamiliar websites and avoiding clicking questionable links and ads can help prevent drive-by ransomware attacks.

Malvertising Campaigns

Malvertising refers to the use of online advertising as a delivery method for malware. Cybercriminals can embed ransomware inside legitimate-looking ads running on reputable sites.

If a user clicks one of these tainted ads, the ransomware can download onto their system without any action beyond visiting the page with the infected ad. This allows ransomware to reach millions of potential victims quickly and across many sites.

How to Spot Malvertising

Possible indications your system has encountered malicious advertising include:

  • Ads with strange animations or geometric shapes designed to attract clicks
  • Ads that autoplay sound, pop-unders, or other obtrusive behavior
  • Sudden, inexplicable crashes in your browser or other programs
  • Ads promoting dubious software downloads or giveaways

Avoiding clicking questionable ads from unfamiliar advertisers can help users steer clear of malvertising attacks.

Social Engineering

Beyond technical means, ransomware gangs also rely heavily on social engineering to infect new systems. This involves manipulating human psychology and emotions to lower defenses and trick users into compromising their own security.

Examples of social engineering attacks used to spread ransomware include:

  • Phishing emails mimicking trusted entities like banks, credit card companies, or social networks
  • Calls pretending to be tech support from major companies offering to fix a device issue
  • Texts with links claiming to have photos of the recipient or directing them to track a package
  • Pop-up messages posing as alerts from Windows or macOS with a toll-free number for help

By preying on fear, curiosity, or a sense of urgency, these attacks can often dupe victims into willingly running malicious software, granting remote access, or opening infected attachments contained in phishing messages.

How to Avoid Falling for Social Engineering

Tips to recognize and avoid social engineering ransomware traps:

  • Carefully inspect any unexpected messages for telltale signs of phishing
  • Verify any threats or warnings with the legitimate company by phone before taking action
  • Don’t open attachments from strangers or click unfamiliar links in odd messages
  • Don’t trust caller ID on incoming calls – numbers can be spoofed

Exploit Kits

Exploit kits are hacking tools used to probe for and take advantage of vulnerabilities in systems and software. By leveraging security holes in browsers and applications, they can silently install ransomware after a user visits a compromised website.

Some of the most nefarious exploit kits used to spread ransomware include:

  • RIG – Detects browser vulnerabilities and pushes payloads via malvertising
  • Magnitude – Formerly used Adobe Flash zero-days to drop payloads
  • GrandSoft – Web-based tool that identifies weaknesses in the target’s defense
  • Fiesta – Initial attack points visitors to a scanner page to fingerprint the system

Keeping software regularly updated with the latest security patches can reduce susceptibility to many exploit kit attacks.

Infectious Removable Media

USB flash drives infected with ransomware can also act as the initial vector. By leaving infected USBs in public areas, cybercriminals hope victims will find them and plug them into computers, automatically launching the ransomware payload.

AutoRun features make this attack possible – with AutoRun enabled, just connecting the USB to a PC can trigger malicious code without any action from the user. Disabling AutoRun can help block these “USB drop” attacks.

Signs of an Infected USB Drive

  • Generic or handwritten labels with no owner information
  • Strange files you don’t recognize showing up in File Explorer
  • Increase in read/write activity on your hard drive after connecting it
  • Programs crashing, freezing, or errors occurring shortly after connecting the USB

Avoiding plugging in unknown USB devices found in public locations can protect against infection.

Software Vulnerabilities

Ransomware groups are constantly searching for new software bugs and flaws in popular applications that they can exploit to take control of systems. Any program running on a device could potentially contain an unknown zero-day vulnerability.

Some past examples include:

  • The 2017 WannaCry attack that leveraged an NSA exploit called EternalBlue, which targeted weaknesses in older Windows versions.
  • A Chrome browser zero-day discovered in 2022 that allowed remote code execution on visiting a site.
  • A 2022 vulnerability in VMware that enabled attackers to escape the virtual machine and access the host.

While patches are usually released quickly after discovery, keeping software updated at all times is key to avoid falling prey to such threats.

Brute-Force Attacks

Ransomware distributors will also simply attempt to crack weak passwords guarding remote access to systems. Scripts can launch brute-force attacks that try millions of combinations to break passwords via:
– Remote Desktop Protocol (RDP)
– Virtual Private Network (VPN)
– Virtual Network Computing (VNC)

Once in the system, the attackers can deploy ransomware manually or plant malware that provides an opening for future automated attacks. Having strong passwords and enabling multi-factor authentication can sharply limit the success of these brute-force efforts.

Best Practices Against Brute-Force Attacks

  • Long, complex passwords using unpredictable strings of letters, numbers and symbols
  • Multi-factor authentication enabled on remote access services
  • Limiting RDP access only to specific IP ranges
  • Monitoring systems for sudden spikes in login attempts

Supply Chain Compromise

Hacking a company that has access to the systems of other downstream organizations represents another business-focused vector for ransomware operators. By compromising one supplier in the chain, the attackers can pivot from there into networks of other victims.

Some examples of supply chain ransomware attacks include:

  • The Kaseya breach that exploited vulnerabilities in their remote management tool to hit customers downstream.
  • The SolarWinds hack by Russian state-backed APT that used trojanized software updates to penetrate numerous US groups.
  • The Codecov bash uploader compromise that used their tool to spread malware to Codecov customers.

Supply chain security audits,Least Privilege Access policies, and monitoring third-party vendors can help minimize this threat.

Insider Threats

In some cases, ransomware makes its way onto systems with the aid of rogue insiders, including:

  • Disgruntled employees seeking retaliation against a company
  • Negligent users who ignore security best practices
  • Outsourced IT partners who abuse admin privileges

While outsider attacks account for the bulk of incidents, insider incidents often cause greater damage as they can target the most sensitive areas. Strict access controls and extensive monitoring are key to reducing insider threat risks.

Mitigating Insider Threats

  • Conduct thorough background checks on employees
  • Implement the rule of least privilege access
  • Log and monitor all activity by sysadmins and privileged users
  • Frequently rotate all passwords to critical systems
  • Quickly revoke access for employees as soon as they depart or switch roles

Security Gaps that Enable Ransomware

While the initial infection vectors may differ, ransomware is often successful at spreading rapidly once inside the victim’s network due to security gaps that enable lateral movement. Some of the most common deficiencies include:

Weak Passwords

Reusing simple passwords across accounts, combined with no multi-factor authentication enabled, allows attackers to move laterally across the network by leapfrogging from one compromised machine to another.

Flat Network

With all systems on the same network level, ransomware can easily discover and access other devices to infect once it gains an initial foothold.

Unpatched Software

Missing OS and application security patches open up vulnerabilities that give ransomware other paths to penetrate into the network.

Legacy Systems

Older operating systems often lack the advanced security protections and monitoring capabilities of modern platforms.

Poor Access Controls

Overly permissive access controls mean ransomware may be able to spread to other parts of the network that should be restricted.


Ransomware developers employ a wide array of tactics to infiltrate target systems and maximize infections across networks. While email and web-based vectors are common initial access points, ransomware also enters through security weaknesses, malvertising, social engineering, USB drives, and other paths.

Understanding the many potential vectors ransomware uses to compromise systems is crucial for companies and users to deploy effective defenses across multiple fronts. Technical controls, user education, access management, and updating and hardening software are key strategies to restrict the ability of ransomware campaigns to take hold and inflict damage.