How does a ransomware attack spread?

Ransomware is a form of malicious software (malware) that encrypts files on a device and demands payment in order to decrypt them. Ransomware attacks have been rapidly growing in frequency and impact in recent years. Understanding how ransomware spreads can help organizations and individuals better defend against these threats.

What is ransomware?

Ransomware is a type of malware that locks or encrypts files on a system and demands a ransom payment in order to regain access. The earliest known ransomware attacks date back to the late 1980s, but ransomware has evolved and become much more sophisticated and dangerous in the last decade.

Once installed on a system, ransomware encrypts files so they cannot be accessed. It displays a ransom note demanding payment, typically in cryptocurrency like Bitcoin. Even if the ransom is paid, there is no guarantee files will be recovered. Newer ransomware strains also exfiltrate or steal data prior to encrypting, threatening to publish sensitive files if ransom isn’t paid.

Major ransomware families include CryptoLocker, WannaCry, NotPetya, Ryuk, Conti and others. Ransomware is a lucrative criminal business model, with estimated annual costs measured in the billions of dollars.

How does ransomware infect a system initially?

Ransomware uses various infection vectors to gain a foothold and spread within networks and systems. Common infection methods include:

  • Phishing emails with malicious attachments or links
  • Compromised websites that download malware
  • Exploiting software or operating system vulnerabilities
  • Brute force or stolen remote access credentials
  • Malvertising or compromised ad networks

Phishing is one of the most prevalent methods of distributing ransomware. Emails impersonate trusted sources and carry attachments or links that download the malware; Ryuk, for example, was typically deployed on hosts that had first been infected through the Emotet and TrickBot phishing botnets. WannaCry and NotPetya are often cited as phishing cases, but neither was: WannaCry spread directly to internet-exposed, unpatched SMB services, and NotPetya's initial vector was a trojanized update of the Ukrainian accounting package M.E.Doc, a software supply-chain compromise rather than an email lure.

Drive-by downloads from compromised websites are another common vector. Browsing to a page or ad that has been rigged with an exploit kit can trigger a download with no click at all. The Angler exploit kit, for instance, was a major distributor of the TeslaCrypt ransomware family (Angler itself is an exploit kit, not ransomware).

Ransomware also exploits vulnerabilities in operating systems, browsers, or plugins to infect systems without any user interaction. The 2017 WannaCry and NotPetya outbreaks both used the EternalBlue exploit against a flaw in Windows SMBv1 (patched by Microsoft in MS17-010 two months before WannaCry appeared) to propagate.

Brute force attacks on remote access tools like RDP can allow attackers to gain access and manually install ransomware. Stolen login credentials sold on the dark web also facilitate remote access.

Finally, malvertising involves injecting malware into ad networks. Users browsing compromised sites get infected through malicious ads.

How does ransomware spread within a network?

Once inside a system, ransomware leverages various techniques to spread laterally and infect other connected devices or resources:

  • Network shares and drives
  • Mapped drives
  • Internal email
  • SSH or RDP sessions
  • Windows admin tools
  • Exploiting vulnerabilities

One of the most common methods is enumerating network shares and mapped drives. Ransomware locates shared folders, using the logged-on user's rights or stolen admin credentials, and encrypts the files on them. Because the encryption runs from the infected host over SMB, the file server itself does not need to be compromised for its data to be lost.

Worm-capable families like WannaCry scan for unpatched systems and use exploits like EternalBlue to spread without credentials. Moving laterally this way allows ransomware to infect many more devices on a network in minutes.

Some ransomware, NotPetya among them, leverages Windows admin tools like PsExec and WMIC, together with credentials harvested from memory on the first victim, to execute remote commands and copy itself to new systems. Because these are legitimate tools, the activity blends in with normal administration unless it is correlated (one source touching many hosts, new services appearing, and so on).

Internal email systems can also be abused to spread malicious links or attachments to additional victims.
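The indicators described in the two sections above (failed RDP logons from brute forcing, one host enumerating admin shares on many machines, PsExec service installs) all leave traces in Windows event logs. The following Python script is an added example, not code from this article or from any product, showing a minimal detector over such events. The log format (one JSON object per line with event_id, host, src_ip, share, service and logon_type fields), the sample events and the thresholds are all constructed assumptions for the demo; real exports use different field names, but the Windows event IDs (5140 network share accessed, 7045 new service installed, 4625 failed logon with logon type 10 for RDP) are the real ones.

```python
"""Flag lateral-movement and RDP brute-force indicators in Windows event records.

Added example for this article; not a product's detection engine. The record
format and thresholds are assumptions for the demo.
"""
import json
from collections import defaultdict

# Illustrative thresholds; tune to the environment (assumptions).
SHARE_SCAN_MIN_HOSTS = 3      # one source opening admin shares on >= 3 hosts
RDP_BRUTE_MIN_FAILURES = 10   # >= 10 failed type-10 logons from one IP in the window
RDP_WINDOW_SECONDS = 60
ADMIN_SHARES = {"ADMIN$", "C$", "IPC$"}


def parse_events(text):
    """One JSON object per non-empty line -> list of dicts (constructed format)."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect_share_scan(events):
    """Event 5140 (network share accessed): one source reaching admin shares on many hosts."""
    hosts_by_src = defaultdict(set)
    for e in events:
        if e.get("event_id") == 5140 and e.get("share") in ADMIN_SHARES:
            hosts_by_src[e["src_ip"]].add(e["host"])
    return {src: sorted(hosts) for src, hosts in hosts_by_src.items()
            if len(hosts) >= SHARE_SCAN_MIN_HOSTS}


def detect_psexec(events):
    """Event 7045 (new service installed): PsExec installs PSEXESVC on the target."""
    return [(e["host"], e["service"]) for e in events
            if e.get("event_id") == 7045 and e.get("service", "").upper().startswith("PSEXESVC")]


def detect_rdp_bruteforce(events):
    """Event 4625 logon type 10 (RemoteInteractive): many failures from one IP in a sliding window."""
    failures = defaultdict(list)
    for e in events:
        if e.get("event_id") == 4625 and e.get("logon_type") == 10:
            failures[e["src_ip"]].append(e["ts"])
    hits = {}
    for src, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > RDP_WINDOW_SECONDS:
                start += 1
            count = end - start + 1
            if count >= RDP_BRUTE_MIN_FAILURES:
                hits[src] = max(hits.get(src, 0), count)
    return hits


def run_detections(log_text):
    events = parse_events(log_text)
    return {
        "share_scan": detect_share_scan(events),
        "psexec": detect_psexec(events),
        "rdp_bruteforce": detect_rdp_bruteforce(events),
    }


def build_sample_log():
    """Constructed events (not a real log export): a share sweep from 10.0.0.5,
    a PsExec service install, and 12 failed RDP logons from one external IP."""
    records = [
        {"ts": 100, "event_id": 5140, "host": "FS01", "src_ip": "10.0.0.5", "share": "ADMIN$"},
        {"ts": 101, "event_id": 5140, "host": "FS02", "src_ip": "10.0.0.5", "share": "C$"},
        {"ts": 102, "event_id": 5140, "host": "HR-PC7", "src_ip": "10.0.0.5", "share": "ADMIN$"},
        {"ts": 103, "event_id": 5140, "host": "FS01", "src_ip": "10.0.0.9", "share": "Finance"},  # benign
        {"ts": 110, "event_id": 7045, "host": "FS02", "service": "PSEXESVC"},
        {"ts": 111, "event_id": 7045, "host": "FS02", "service": "Spooler"},  # benign service
    ]
    records += [{"ts": 200 + 2 * i, "event_id": 4625, "host": "RDP-GW", "src_ip": "203.0.113.7",
                 "logon_type": 10, "user": "administrator"} for i in range(12)]
    records.append({"ts": 500, "event_id": 4625, "host": "RDP-GW", "src_ip": "198.51.100.2",
                    "logon_type": 10, "user": "bob"})  # a single typo, not an attack
    return "\n".join(json.dumps(r) for r in records)


if __name__ == "__main__":
    for name, hits in run_detections(build_sample_log()).items():
        print(name, hits)
```

The three detectors are deliberately simple count-and-correlate rules; the point is that none of the individual events is malicious on its own (admins open ADMIN$ and install services too), so the signal lives in the fan-out from one source and in the timing.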

What allows ransomware to spread so rapidly?

Several key factors enable ransomware to propagate quickly and cause widespread damage:

  • Automated malicious tools
  • Cryptocurrency enabling hard-to-trace payments
  • Delivery via difficult-to-block web traffic
  • Exploiting common software vulnerabilities

Ransomware-as-a-service (RaaS) offerings and ready-made kits allow less skilled affiliates to launch their own campaigns: the operator supplies the malware, the payment portal and support, and takes a share of each ransom.

Cryptocurrencies like Bitcoin enable fast, cross-border ransom payments that are difficult to block. They are pseudonymous rather than anonymous (the public ledger can be analysed and exchanges can be compelled to identify customers), but they are far harder to trace than bank transfers, and this is a key driver funding ransomware attacks and development.

Delivering ransomware via web traffic makes blocking based on file type or location difficult. Payloads are also increasingly fetched over HTTPS, so a perimeter device cannot inspect them without TLS interception.

Widespread vulnerabilities in common software like Windows, Java, Flash (now end-of-life, but long a favourite exploit-kit target), and browser plugins give ransomware many potential targets and entry points.

Most notable ransomware attacks

Some of the largest ransomware attacks that caused massive damage include:

Ransomware   Year        Damage
WannaCry     2017        Infected over 200,000 systems across 150 countries; caused outages in healthcare (including the UK NHS), logistics and other industries.
NotPetya     2017        Estimated at over $10 billion in total damages; severely disrupted global shipping, logistics and pharmaceutical businesses.
Ryuk         2018-2020   Targeted large enterprises and public agencies; estimated to have extorted over $150 million in payments.
Conti        2020-2022   One of the most prolific groups of its period; claimed over 1,000 victims and an estimated $150 million or more in ransoms.

These major events demonstrate how ransomware can lead to billions in economic damage, disruption of critical infrastructure, and loss of sensitive data.

How can organizations defend against ransomware?

A combination of security best practices is required to defend against ransomware threats:

  • User education and phishing prevention
  • Software patching and vulnerability management
  • Restricting admin privileges
  • Strong password policies and MFA
  • Email and web content filtering
  • Limiting shared drives and RDP access
  • Next-gen antivirus and anti-ransomware
  • Network segmentation and access controls
  • Backups stored offline and regularly tested
  • Incident response planning

User education helps identify phishing attacks and security awareness training can reduce human error. Promptly patching known software flaws removes common entry points.

Restricting admin rights limits what malware can do under the compromised account and keeps it from easily spreading or modifying systems. Strong access controls and unique, non-reused passwords also limit lateral movement, since the credentials harvested on one host are then useless on the next.

Email and web filtering helps block malicious URLs and attachments before they reach users. Antivirus and anti-ransomware can detect and block known threats.
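One behaviour-based check that anti-ransomware tooling performs, as an added example that is not part of the original article or any product, is to compare snapshots of a folder and alert when many files have been replaced by near-random (high-entropy) content, often under a new extension. The script below builds a scratch directory of constructed text files, takes a baseline, then (a) edits one file normally and (b) replaces six files with seeded random bytes under a .locked name to stand in for encrypted output (nothing is actually encrypted). The thresholds and the .locked extension are assumptions.

```python
"""Heuristic mass-encryption detector over directory snapshots.

Added example for this article; not a product's detection engine. Thresholds
are assumptions. The demo writes only to a temporary directory.
"""
import math
import os
import random
import tempfile
from collections import Counter

HIGH_ENTROPY = 7.5        # bits per byte; encrypted or compressed data sits close to 8.0
MIN_FILES_CHANGED = 5     # absolute floor before alerting
SUSPICIOUS_RATIO = 0.5    # fraction of the baseline that must look encrypted


def shannon_entropy(data):
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def snapshot(root):
    """Relative path -> entropy for every regular file under root."""
    snap = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as f:
                snap[os.path.relpath(full, root)] = shannon_entropy(f.read())
    return snap


def assess(before, after):
    """Compare two snapshots and decide whether the change looks like mass encryption."""
    removed = set(before) - set(after)
    added = set(after) - set(before)
    # Files rewritten in place whose content jumped from structured to random.
    rewritten_high = [p for p in set(before) & set(after)
                      if before[p] < HIGH_ENTROPY and after[p] >= HIGH_ENTROPY]
    # New high-entropy files, typically originals renamed with a ransom extension.
    renamed_high = [p for p in added if after[p] >= HIGH_ENTROPY]
    suspicious = len(rewritten_high) + len(renamed_high)
    total = max(len(before), 1)
    return {
        "suspicious_files": suspicious,
        "originals_removed": len(removed),
        "new_extensions": dict(Counter(os.path.splitext(p)[1] for p in renamed_high)),
        "alert": suspicious >= MIN_FILES_CHANGED and suspicious / total >= SUSPICIOUS_RATIO,
    }


def _write(root, name, data):
    with open(os.path.join(root, name), "wb") as f:
        f.write(data)


def demo():
    """Constructed scenario: baseline of 8 text files, one benign edit, then 6 files
    replaced by seeded random bytes under a .locked name (stand-in for encryption)."""
    rng = random.Random(7)  # seeded so the result is reproducible
    text = (b"Quarterly figures and meeting notes. " * 120)[:4096]  # low-entropy content
    with tempfile.TemporaryDirectory() as root:
        for i in range(8):
            _write(root, f"doc{i}.txt", text)
        baseline = snapshot(root)
        _write(root, "doc0.txt", text.replace(b"notes", b"NOTES"))  # ordinary edit
        benign = assess(baseline, snapshot(root))
        for i in range(2, 8):
            os.remove(os.path.join(root, f"doc{i}.txt"))
            _write(root, f"doc{i}.txt.locked", bytes(rng.randrange(256) for _ in range(4096)))
        malicious = assess(baseline, snapshot(root))
    return benign, malicious


if __name__ == "__main__":
    benign, malicious = demo()
    print("benign edit:", benign)
    print("mass rewrite:", malicious)
```

Entropy alone is a weak signal (legitimately compressed archives and images score high too), which is why the rule also requires a large share of the baseline to change in a short interval and reports the new extensions and removed originals for the analyst to check.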

Network segmentation, limiting RDP and share access, and multifactor authentication make lateral movement more difficult.

Maintaining recent backups offline (or otherwise immutable, so that an attacker holding domain admin cannot delete or encrypt them along with everything else) and regularly testing restoration ensures data can be recovered in the event of an attack. A backup that has never been restored is an assumption, not a control.
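The "regularly tested" part of that advice can be made concrete with an integrity manifest: record a SHA-256 hash of every file when the backup is taken, keep the manifest with the offline copy, and diff a restored tree against it. The following Python script is an added example for this article, not any backup product's format; the file names and contents are constructed, and the manifest layout (a JSON map of relative path to hash) is an assumption.

```python
"""Backup integrity manifest: hash at backup time, verify a restore later.

Added example for this article; not a backup product's format. The manifest
layout (JSON map of relative path -> sha256) is an assumption for the demo.
"""
import hashlib
import json
import os
import shutil
import tempfile


def sha256_file(path, chunk=1 << 16):
    """Stream the file through SHA-256 so large backups do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Relative path (with forward slashes) -> sha256 for every regular file under root."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_restore(manifest, restored_root):
    """Diff a restored tree against the manifest recorded at backup time."""
    actual = build_manifest(restored_root)
    missing = sorted(set(manifest) - set(actual))
    extra = sorted(set(actual) - set(manifest))
    corrupted = sorted(p for p in set(manifest) & set(actual) if manifest[p] != actual[p])
    return {"ok": not (missing or corrupted), "missing": missing,
            "corrupted": corrupted, "extra": extra}


def demo():
    """Constructed files, then a clean restore and a damaged restore
    (one file dropped, one silently altered, one unexpected extra)."""
    sample = {
        "finance/q1.xlsx": b"quarterly spreadsheet (constructed)",
        "hr/policy.docx": b"leave policy v3 (constructed)",
        "README": b"backup set, constructed for the demo",
    }
    with tempfile.TemporaryDirectory() as tmp:
        src = os.path.join(tmp, "live")
        for rel, data in sample.items():
            full = os.path.join(src, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)

        manifest_text = json.dumps(build_manifest(src), sort_keys=True, indent=1)
        stored = json.loads(manifest_text)  # what you keep with the offline copy

        good = os.path.join(tmp, "restore_good")
        shutil.copytree(src, good)
        clean = verify_restore(stored, good)

        bad = os.path.join(tmp, "restore_bad")
        shutil.copytree(src, bad)
        os.remove(os.path.join(bad, "hr", "policy.docx"))          # dropped by a faulty restore
        with open(os.path.join(bad, "README"), "ab") as f:
            f.write(b"\n")                                           # silently altered
        with open(os.path.join(bad, "finance", "notes.txt"), "wb") as f:
            f.write(b"not in the backup")                            # unexpected extra file
        damaged = verify_restore(stored, bad)
    return clean, damaged


if __name__ == "__main__":
    clean, damaged = demo()
    print("clean restore:", clean)
    print("damaged restore:", damaged)
```

The manifest is only as trustworthy as its storage: if it sits on the same writable share as the backup, an intruder with admin rights can regenerate it after tampering, so keep it with the offline copy or sign it with a key the backup host does not hold.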

Finally, having an incident response plan for quickly isolating, investigating, and remediating threats can mitigate damage.

Conclusion

Ransomware represents a serious threat to businesses, organizations, and personal users today. Understanding common infection vectors like phishing allows users to be more vigilant. Robust technical controls focused on preventing infection and lateral movement are essential for information security teams.

Implementing least privilege access, patching, backups, and user education provides defense in depth. Ransomware threats will continue evolving, so maintaining strong security fundamentals provides the best long-term protection against emerging techniques.