How is ransomware most commonly delivered?

Ransomware is a form of malware that encrypts files on a victim’s computer and demands a ransom payment in order to decrypt the files. Ransomware has become an increasingly prevalent cyber threat in recent years. Attackers have come up with various clever techniques to distribute ransomware and infect unsuspecting users. Understanding the most common ransomware delivery methods can help individuals and organizations better defend themselves against these threats.

Email

One of the most common ways ransomware is distributed is through phishing emails. These emails often appear legitimate and convince the recipient to open a malicious attachment or click on a link that triggers the ransomware download.

Attackers have gotten very skilled at crafting phishing emails that look authentic. They may spoof the sender address so the message appears to come from a trusted source. The subject lines and email content are tailored to persuade the target to open the attachment or click the link.

Some common phishing email themes used to distribute ransomware include:

  • Fake invoice or receipt
  • Request to update account information
  • Notification of suspicious login attempt
  • Tracking information for a package delivery
  • Password reset request

Once the user opens the malicious attachment (which often has an innocent looking file name like “Invoice.pdf”) or clicks the link, the ransomware payload is downloaded to encrypt their files. Even security-conscious users can be fooled by well-crafted phishing emails. It only takes a moment of distraction or lapse in judgment to fall victim.
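The traits described above (lure-themed subjects, attachments with innocent-looking names, spoofed senders) can be checked mechanically at the mail gateway. The following triage script is an added example and is not code from the original article; the attachment-type lists, the scoring weights and the sample messages (which use reserved example domains) are assumptions chosen for illustration, and a real deployment would feed it parsed message headers rather than the inline samples.

```python
"""Heuristic triage of inbound e-mail metadata for the phishing traits
described above: lure-themed subjects, disguised attachments and spoofed
senders. Weights and word lists are assumptions chosen for illustration."""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Attachment types that commonly carry a ransomware dropper (assumed, not exhaustive).
EXECUTABLE_EXT = {"exe", "scr", "js", "jse", "vbs", "wsf", "hta", "bat", "cmd", "ps1", "lnk", "iso", "img"}
MACRO_EXT = {"doc", "xls", "docm", "xlsm", "pptm"}
ARCHIVE_EXT = {"zip", "rar", "7z"}
# Harmless-looking extensions used as the visible part of a double extension.
DECOY_EXT = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt"}
# Subject words matching the lure themes listed on the page.
LURE = re.compile(r"\b(invoice|receipt|payment|account|login|tracking|delivery|password|reset)\b", re.I)


@dataclass
class Message:
    from_addr: str
    display_name: str
    subject: str
    attachments: List[str]
    reply_to: str = ""


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].strip("<> ").lower()


def attachment_findings(name: str) -> List[Tuple[int, str]]:
    """Return (weight, description) pairs for one attachment file name."""
    found = []
    parts = name.strip().lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    if ext in EXECUTABLE_EXT:
        found.append((5, f"executable/script attachment: {name}"))
        if len(parts) > 2 and parts[-2] in DECOY_EXT:
            found.append((5, f"double extension hides .{ext} behind .{parts[-2]}: {name}"))
    elif ext in MACRO_EXT:
        found.append((3, f"macro-capable document: {name}"))
    elif ext in ARCHIVE_EXT:
        found.append((1, f"archive attachment, contents not inspected here: {name}"))
    if "  " in name or "\u200b" in name:
        found.append((3, f"whitespace or zero-width padding in file name: {name!r}"))
    return found


def triage(msg: Message) -> Dict:
    """Score one message; >= 5 quarantine, >= 2 hold for review, else deliver."""
    findings = [f for a in msg.attachments for f in attachment_findings(a)]
    risky_attachment = any(w >= 3 for w, _ in findings)
    sender_domain = domain_of(msg.from_addr)
    # A display name that is itself an address on another domain is a classic spoof.
    shown = re.search(r"[\w.+-]+@([\w.-]+)", msg.display_name)
    if shown and shown.group(1).lower() != sender_domain:
        findings.append((4, f"display name claims {shown.group(1)} but sender is {sender_domain}"))
    if msg.reply_to and domain_of(msg.reply_to) != sender_domain:
        findings.append((2, f"Reply-To domain {domain_of(msg.reply_to)} differs from sender domain"))
    if risky_attachment and LURE.search(msg.subject):
        findings.append((2, f"lure-themed subject paired with risky attachment: {msg.subject!r}"))
    score = sum(w for w, _ in findings)
    verdict = "quarantine" if score >= 5 else "review" if score >= 2 else "deliver"
    return {"score": score, "verdict": verdict, "findings": [d for _, d in findings]}


# Constructed sample messages; domains use reserved example names.
SAMPLES = {
    "meeting_notes": Message("alice@partner.example", "Alice Jones", "Meeting notes", ["notes.docx"]),
    "fake_invoice": Message("billing@mail-secure-example.net", "accounts@yourbank.example",
                            "Invoice 4471 overdue", ["Invoice.pdf.exe"]),
    "password_reset": Message("hr@corp.example", "HR", "Password reset required",
                              ["form.docm"], reply_to="hr@gmail.example"),
    "parcel": Message("shipping@courier.example", "Courier", "Tracking information for your package",
                      ["label.zip"], reply_to="noreply@other.example"),
}


def run_samples() -> Dict[str, str]:
    return {name: triage(msg)["verdict"] for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, msg in SAMPLES.items():
        result = triage(msg)
        print(f"{name}: {result['verdict']} (score {result['score']})")
        for line in result["findings"]:
            print("   -", line)
```

The point of scoring rather than hard-blocking is that each indicator alone is weak (a colleague can legitimately send a macro workbook), but the combinations the article describes, such as an "Invoice" subject with a double-extension executable from a sender whose display name claims another domain, stack up quickly and can be quarantined with little false-positive risk.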

Infected Websites

Another common vector for ransomware delivery is compromised websites. Attackers may exploit vulnerabilities in websites to insert malicious code that distributes ransomware to visitors.

Often these are legitimate websites that have security flaws attackers can take advantage of. In other cases, attackers may create copycat or fake websites designed specifically to infect visitors.

Users may get directed to malicious sites through phishing links or by clicking ads or pop-ups containing the harmful code. In some cases, just browsing an infected website is enough for the ransomware to be installed on the victim’s computer.

Software Vulnerabilities

Hackers frequently take advantage of unpatched software vulnerabilities to deliver ransomware, especially targeting common applications like Adobe Flash, Microsoft Office products and web browsers. They use specially crafted files or content that exploits the vulnerability to automatically download and execute the ransomware code when opened by the victim.

Keeping software up-to-date with the latest security patches helps mitigate this threat. However, there is often a gap between when a new vulnerability is discovered and when a patch is released. During this window of time, many computers are left exposed to potential attack.

Trojan Downloaders

Trojan downloaders are a type of malware that downloads other malicious software onto an infected computer. Hackers commonly use trojans designed to download ransomware payloads.

These trojans are distributed through various techniques, including:

  • Malicious email attachments
  • Infected websites
  • Fake software bundles
  • Social engineering

Once on a system, the trojan sits dormant and contacts a remote server controlled by the attacker to download ransomware and other malware onto the device.

Drive-By Downloads

Drive-by downloads occur when visiting a website causes malware like ransomware to be automatically downloaded without any action from the user. This is often achieved by taking advantage of browser vulnerabilities.

Attackers may compromise trusted websites and embed malicious code that fingerprints the visitor’s browser type and version. If it detects a vulnerable browser, it silently downloads and runs the ransomware. Drive-by downloads happen extremely fast in the background.

Keeping browsers updated and avoiding suspicious sites helps mitigate the risk of drive-by downloads. It’s also important to use extreme caution when clicking pop-ups or ads as these are common conduits for malicious code.

Botnets

Botnets are networks of computers infected with malware that are under the control of a cybercriminal. Hackers commonly use botnets to distribute ransomware to the compromised machines.

Once a device is infected and part of a botnet, the attacker can send commands to automatically install ransomware on all the infected bots at once. This allows them to launch massive widespread ransomware campaigns across thousands or millions of devices simultaneously.

For this reason, if a computer is known to be part of a botnet it’s critical to immediately disconnect it from the network and disinfect it to prevent further spread of ransomware.

Targeted Attacks

Sometimes ransomware attacks are more targeted rather than broad sweeping campaigns. These precision attacks aim ransomware at specific companies, organizations or individuals through methods like:

  • Spear phishing emails tailored to the target
  • Exploiting known vulnerabilities in the target’s network or software
  • Brute forcing weak remote access credentials
  • Abusing tools like PsExec to spread laterally once in the network

Targeted ransomware attacks are often preceded by careful reconnaissance from the hackers to analyze the target’s systems and identify ideal infection vectors. These types of concentrated attacks aim to cause maximum damage and are harder to defend against.

Removable Media and External Drives

USB drives and other removable media infected with ransomware are an effective delivery method, as people tend to trust and readily open files that come from familiar USB sticks or external hard drives from colleagues.

These infections often rely on social engineering, where an attacker leaves an infected USB drive in a location the victim will find it and plug it into their computer out of curiosity. However, insiders with malicious intent can also deliberately infect and distribute removable media from within an organization.

It only takes one infected removable device connected to a computer to rapidly spread ransomware across an entire network. Organizations should educate employees about this threat and institute policies prohibiting unapproved media and devices.

Software Cracks and Illegal Downloads

Searching for illegal cracked software or pirated media is extremely risky, as such downloads frequently contain ransomware or other malware bundled in. The appeal of getting premium software for free or before public release tempts many users to disregard the risks.

Even popular file-sharing sites and tools like torrents are common vessels for malware distribution, since they take advantage of the high volume of people downloading files. Ransomware attackers prey on these behaviors to infect unaware victims.

RDP Compromise

Unsecured Remote Desktop Protocol (RDP) connections are a prime target for ransomware attackers. Brute forcing weak RDP credentials provides direct access into a network to deliver and execute ransomware.

Poor RDP security practices such as the following give attackers an easy opportunity to breach networks:

  • Exposing RDP to the internet
  • Using simple/default usernames and passwords
  • Allowing RDP connections from anywhere

Properly configuring RDP with MFA, restricted source IP access, and complex passwords is important to restrict unauthorized remote access.
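Beyond hardening the configuration, the brute forcing described above leaves a clear trail: a burst of failed RemoteInteractive (RDP, logon type 10) logons from one source address, sometimes followed by a success from that same address. The detector below is an added example, not code from the original article; it reads a constructed, simplified one-line log format rather than real Windows Event Log output, and the burst threshold and window are assumptions to be tuned for the environment.

```python
"""Detect RDP credential brute forcing from Windows logon events and flag the
success that follows a failure burst from the same source address."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample records in a simplified one-line form (not real Windows
# Event Log output): timestamp, event id (4625 = failed logon, 4624 = successful
# logon), logon type (10 = RemoteInteractive, i.e. RDP), account name, source.
# Addresses are from the reserved documentation ranges.
SAMPLE_LOG = """\
2024-05-01T02:14:03Z 4625 LogonType=10 User=administrator Src=203.0.113.7
2024-05-01T02:14:04Z 4625 LogonType=10 User=admin Src=203.0.113.7
2024-05-01T02:14:05Z 4625 LogonType=10 User=Administrator Src=203.0.113.7
2024-05-01T02:14:06Z 4625 LogonType=10 User=backup Src=203.0.113.7
2024-05-01T02:14:07Z 4625 LogonType=10 User=scanner Src=203.0.113.7
2024-05-01T02:14:09Z 4624 LogonType=10 User=backup Src=203.0.113.7
2024-05-01T02:20:00Z 4625 LogonType=10 User=jdoe Src=198.51.100.22
2024-05-01T08:30:00Z 4625 LogonType=10 User=jdoe Src=198.51.100.22
2024-05-01T08:30:15Z 4624 LogonType=10 User=jdoe Src=198.51.100.22
2024-05-01T09:00:00Z 4625 LogonType=2 User=svc Src=127.0.0.1
"""
LINE = re.compile(r"^(\S+) (4624|4625) LogonType=(\d+) User=(\S+) Src=(\S+)$")


def parse(log: str) -> List[Dict]:
    events = []
    for line in log.splitlines():
        m = LINE.match(line.strip())
        if not m:  # skip anything that does not fit the constructed format
            continue
        ts, eid, ltype, user, src = m.groups()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "event": int(eid), "logon_type": int(ltype),
                       "user": user, "src": src})
    return events


def detect(events: List[Dict], threshold: int = 5,
           window: timedelta = timedelta(seconds=60)) -> List[Dict]:
    """Emit a 'bruteforce' alert when >= threshold RDP failures arrive from one
    source inside the window, and 'success_after_burst' when that source later
    logs on successfully (the case that needs an incident response, not just a block)."""
    recent = defaultdict(deque)        # src -> timestamps of failures inside the window
    tried = defaultdict(set)           # src -> account names attempted (many = spraying)
    burst_sources: Dict[str, datetime] = {}
    alerts = []
    for e in sorted(events, key=lambda x: x["ts"]):
        if e["logon_type"] != 10:      # only RemoteInteractive (RDP) logons
            continue
        src = e["src"]
        if e["event"] == 4625:
            q = recent[src]
            q.append(e["ts"])
            tried[src].add(e["user"])
            while q and e["ts"] - q[0] > window:   # slide the window forward
                q.popleft()
            if len(q) >= threshold and src not in burst_sources:
                burst_sources[src] = e["ts"]
                alerts.append({"type": "bruteforce", "src": src, "at": e["ts"],
                               "failures": len(q), "users": sorted(tried[src])})
        elif e["event"] == 4624 and src in burst_sources:
            alerts.append({"type": "success_after_burst", "src": src,
                           "at": e["ts"], "user": e["user"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOG)):
        print(alert)
```

On the sample data the first source trips the threshold with five failures in four seconds across five different account names, then logs on as `backup`, which is the "success after burst" case that should trigger credential reset and host isolation; the second source's two failures hours apart never accumulate inside the window. In production the records would come from a SIEM or from the Security event log, and the source-restriction and MFA controls mentioned above reduce how often this detector has anything to find.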

Malvertising

Malvertising involves concealing malware in online ads which users may inadvertently click or interact with. It provides a way for ransomware creators to widely distribute malicious links.

These infected ads are delivered through ad networks to commonly visited websites. Users expect ads to be harmless, so they readily click/engage with them without realizing the consequences. Once clicked, the ransomware payload is downloaded.

Malvertising demonstrates why organizations should be very selective about which ad networks they allow on their sites. Users should also exercise caution before clicking ads or pop-ups on unfamiliar websites.

Drive-By Cryptomining

Some ransomware operators have shifted towards cryptomining malware infections that hijack victims’ computers to mine cryptocurrency. While not traditional file-encrypting ransomware, it still involves hackers holding systems hostage for profit.

Drive-by cryptomining involves an infected website or ad using scripts to mine cryptocurrency on the visitor’s computer. The user experiences degraded performance as their CPU power is sapped to enrich the hacker.

Anti-cryptomining browser extensions can detect and block most instances of cryptomining. Still, it exemplifies the financial motivation of ransomware attacks.

Conclusion

Ransomware developers are very innovative in finding new vectors to infect victims. Some of the most prolific delivery methods include phishing emails, infected websites, software and browser vulnerabilities, trojan downloaders, botnets, removable media, pirated software, RDP access, malvertising, and drive-by cryptomining.

Staying vigilant and keeping software updated are effective ways individuals and organizations can reduce their risk of ransomware infection. However, since new delivery methods are constantly emerging, it’s essential to maintain reliable backups, security software, and incident response plans for detecting and containing ransomware outbreaks quickly.