Ransomware is a form of malicious software that encrypts files on a victim’s computer and demands payment in order to restore access. Over the past several years, ransomware has emerged as a lucrative criminal enterprise, with attacks on businesses and organizations skyrocketing. Understanding the most common ways ransomware spreads can help organizations and individuals protect themselves against infection.
One of the most common ways ransomware spreads is through email. Cybercriminals will send emails containing malicious attachments or links that download ransomware onto a victim’s computer when opened. These emails are designed to appear legitimate, often impersonating someone the recipient knows or a company they do business with. They may have subject lines related to invoices, delivery notices, or other topics that seem trustworthy. The malicious attachment is often a Microsoft Office file, PDF, or archive file that exploits vulnerabilities when opened. The link may direct the user to a compromised website that automatically downloads ransomware.
Phishing emails
Phishing emails are a type of fraudulent email impersonating a trustworthy source. They aim to trick recipients into installing malware, revealing sensitive information, or transferring funds. Phishing emails impersonating well-known companies are a common distribution method for ransomware. The email directs the user to a fake login page to harvest credentials or has an infected attachment disguised as an invoice or order confirmation. Spear phishing emails target specific individuals and organizations and are customized with familiar logos and messaging to appear more legitimate. Phishing emails take advantage of human error and limited cybersecurity awareness to infect systems with ransomware when opened by the recipient.
Malspam campaigns
Mass spam email campaigns distributing ransomware are known as malspam. These widespread attacks involve sending waves of infected emails to millions of potential victims. Instead of targeting specific companies or roles, malspam blankets geographic regions in the hope of infecting as many random recipients as possible. The emails are short and generic, and contain malicious links or attachments. Malspam campaigns can infect thousands of systems in a short period, casting a wide net to maximize the criminal’s return on investment.
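The phishing and malspam sections above describe attachments disguised as invoices or order confirmations. The following is an added example of the kind of attachment triage a mail gateway or SOC script applies before a message reaches a mailbox; it is not code from the original article. It flags executable extensions, macro-enabled Office formats, double extensions such as Invoice.pdf.exe, the right-to-left override character used to hide the real extension, and archives that carry scripts, inspecting zip members without extracting them. The extension sets and the in-memory sample archive are constructed for the example.

```python
import io
import posixpath
import zipfile

# Extensions that execute when opened; a plain document should never end in one of these.
EXECUTABLE_EXT = {".exe", ".scr", ".js", ".jse", ".vbs", ".vbe", ".bat", ".cmd",
                  ".ps1", ".hta", ".jar", ".lnk", ".iso", ".img", ".msi", ".wsf"}
# Macro-enabled Office formats: legitimate in some workflows, but the classic invoice lure.
MACRO_EXT = {".docm", ".dotm", ".xlsm", ".xlam", ".pptm"}
# Document extensions attackers place in front of a real executable extension.
DECOY_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}
ARCHIVE_EXT = {".zip"}


def extensions(name):
    """Lower-cased extension chain: 'Invoice_4471.PDF.exe' -> ['.pdf', '.exe']."""
    parts = name.lower().split(".")
    return ["." + p for p in parts[1:]]


def inspect_zip(data):
    """List archive members that would run code or carry macros, without extracting them."""
    findings = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for member in zf.namelist():
                mexts = extensions(posixpath.basename(member))
                if mexts and (mexts[-1] in EXECUTABLE_EXT or mexts[-1] in MACRO_EXT):
                    findings.append(f"archive member {member} has extension {mexts[-1]}")
    except zipfile.BadZipFile:
        findings.append("archive is malformed or not a zip")
    return findings


def classify_attachment(name, data=None):
    """Return (verdict, reasons); verdict is 'quarantine' or 'allow'.
    `data` holds the raw attachment bytes and is only needed to look inside archives."""
    reasons = []
    if "\u202e" in name:
        reasons.append("right-to-left override character hides the real extension")
    exts = extensions(name)
    if exts:
        final = exts[-1]
        if final in EXECUTABLE_EXT:
            reasons.append(f"executable extension {final}")
        if final in MACRO_EXT:
            reasons.append(f"macro-enabled Office document {final}")
        if len(exts) >= 2 and exts[-2] in DECOY_EXT and final in EXECUTABLE_EXT:
            reasons.append(f"double extension {exts[-2]}{final} mimics a document")
        if final in ARCHIVE_EXT and data is not None:
            reasons.extend(inspect_zip(data))
    return ("quarantine" if reasons else "allow"), reasons


def constructed_lure_zip():
    """Constructed sample: an in-memory zip shaped like a malspam 'order confirmation'."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Order_Confirmation_88213.js", "// constructed placeholder, not real code\n")
    return buf.getvalue()


if __name__ == "__main__":
    samples = [("Invoice_4471.pdf.exe", None), ("Q3_report.docx", None),
               ("Order_88213.zip", constructed_lure_zip())]
    for filename, payload in samples:
        print(filename, classify_attachment(filename, payload))
```

A gateway rule built this way is deliberately conservative: macro-enabled documents are quarantined rather than blocked outright, so a mail administrator can release the ones a business process genuinely needs, while everything else in the list has no legitimate reason to arrive as an email attachment.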
Drive-by downloads
Visiting compromised websites can lead to drive-by ransomware downloads. Cybercriminals infect websites with malicious code that automatically downloads ransomware onto the visitor’s computer without any action needed on their part. Often no signs of infection will be apparent to the website visitor. The ransomware silently runs in the background encrypting files. Pop-up advertisements, especially on illegal streaming or torrent sites, are a common source of drive-by downloads. The pop-ups are embedded with malware that begins installing when clicked. Drive-by downloads take advantage of unpatched browsers, plugins such as Flash or Java, and other software vulnerabilities to covertly install ransomware.
Software vulnerabilities
Vulnerabilities in operating systems, applications, and network devices are often exploited to spread ransomware across networks. Unpatched software contains flaws like buffer overflows that allow attackers to execute malicious code on the target system. Two common examples are the vulnerability in Microsoft’s Server Message Block (SMB) protocol and the Shellshock vulnerability found in Linux and UNIX operating systems. The WannaCry and NotPetya ransomware outbreaks exploited the SMB vulnerability to spread. Once running, ransomware will often scan the network for unpatched systems and propagate via their vulnerabilities. Prompt patching and upgrading of software is critical to avoid susceptibility to ransomware infections.
Infected websites
Websites compromised by threat actors can be used to distribute ransomware to site visitors through malicious advertising or JavaScript code. A tactic called malvertising involves embedding malicious ads containing ransomware installers on legitimate websites. Website visitors get infected simply by browsing to the site, with no other interaction needed. Another method is compromising JavaScript libraries like jQuery that are hosted on third-party servers and used by websites for functionality. When loaded by the website, the altered script downloads and installs ransomware onto visitor devices. Any highly trafficked website is an attractive target for compromise, turning it into an unwitting ransomware distribution channel.
Fake software updaters
Some ransomware infects systems by disguising itself as a software update that the user installs. Misleading programs claim to update common applications like Adobe Flash Player, web browsers, Java, media players or PC utilities. When launched by the victim, they silently download and execute the ransomware code. Social engineering tricks users into believing the fake updater is legitimate software needed to fix security issues on their computer. Fake Adobe Flash updaters have been a notorious ransomware delivery method. This technique relies on persuading users to execute untrusted code disguised as a routine software update.
Network propagation
Network shared drives and remote desktop connections allow ransomware to spread throughout an organization once an initial infection has occurred. When ransomware runs on a networked system, it can scan for shared drives and resources to encrypt. SMB protocol connections are often used for internal file transfers between endpoints. By stealing credentials or exploiting vulnerabilities, ransomware can traverse a network, encrypting files as it goes. Remote desktop connections are another path for propagation. Brute forcing weak Remote Desktop Protocol (RDP) passwords gives ransomware access to infect remote systems. Internal network vulnerabilities enable ransomware to behave like a computer worm, automatically spreading itself to all accessible systems.
External drives
USB flash drives and other external hard drives connected to an infected computer can pass ransomware on to other systems. When an external drive is plugged into a computer with ransomware, the ransomware may encrypt the files directly on the drive, and the portable drive then carries the infection to every new machine it is connected to. Once plugged in, the ransomware takes the opportunity to encrypt the new system’s local, mapped and network drives. Using external drives for offline backups and file transfers is common, so they become an unintentional vector for spreading ransomware if drives are reused without scanning and cleaning. The ability to encrypt external drives gives ransomware the portability to infect additional endpoints.
Remote access tools
Cybercriminals can use remote access tools to manually install ransomware on systems. By stealing or guessing user credentials, attackers can remotely log into computers and servers to manually execute the ransomware installation. Tools like Remote Desktop Protocol (RDP) or TeamViewer give full control over the system’s mouse and keyboard. An unmonitored remote session allows malicious actors to disable security software, copy ransomware programs or start encryption routines. Criminals may also disable system restore points and backups to make recovery more difficult. Malicious use of remote access services gives criminals the means to manually propagate ransomware across a network.
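Both the network propagation section and the remote access section above turn on the same observable: a burst of failed RDP logons from one source followed by a success. The following is an added detection example, not code from the original article, that runs over a constructed set of Windows Security log records. It assumes a collector has already reduced events 4625 (failed logon) and 4624 (successful logon) to a tuple of timestamp, event ID, logon type, source IP and target account; logon type 10 (RemoteInteractive) is what an RDP session records. The IP addresses, account names and timestamps are constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records (assumption: fields already extracted from the Security log):
# (timestamp, event_id, logon_type, source_ip, target_user). Logon type "10" is RDP.
SAMPLE_EVENTS = [
    ("2023-09-14T02:14:01", 4625, "10", "198.51.100.23", "administrator"),
    ("2023-09-14T02:14:03", 4625, "10", "198.51.100.23", "admin"),
    ("2023-09-14T02:14:05", 4625, "10", "198.51.100.23", "backup"),
    ("2023-09-14T02:14:08", 4625, "10", "198.51.100.23", "jsmith"),
    ("2023-09-14T02:14:10", 4625, "10", "198.51.100.23", "jsmith"),
    ("2023-09-14T02:14:12", 4625, "10", "198.51.100.23", "jsmith"),
    ("2023-09-14T02:14:20", 4624, "10", "198.51.100.23", "jsmith"),   # password guessed
    ("2023-09-14T02:30:00", 4625, "10", "203.0.113.9", "mlee"),       # ordinary typos
    ("2023-09-14T02:30:40", 4625, "10", "203.0.113.9", "mlee"),
    ("2023-09-14T02:31:00", 4624, "10", "203.0.113.9", "mlee"),
    ("2023-09-14T02:40:00", 4625, "3", "10.0.0.5", "svc_print"),      # network logon, not RDP
    ("2023-09-14T02:40:02", 4625, "3", "10.0.0.5", "svc_print"),
    ("2023-09-14T02:40:04", 4625, "3", "10.0.0.5", "svc_print"),
    ("2023-09-14T02:40:06", 4625, "3", "10.0.0.5", "svc_print"),
    ("2023-09-14T02:40:08", 4625, "3", "10.0.0.5", "svc_print"),
]


def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Flag each source IP with at least `threshold` failed RDP logons inside `window`,
    then keep counting and record any later successful RDP logon from that IP, which is
    the sign the password was guessed. Returns a dict keyed by source IP."""
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    tried = defaultdict(set)      # ip -> account names attempted
    alerts = {}
    for ts, event_id, logon_type, src_ip, user in sorted(events, key=lambda e: e[0]):
        if logon_type != "10":
            continue              # only RemoteInteractive (RDP) logons matter here
        t = datetime.fromisoformat(ts)
        if event_id == 4625:
            q = recent[src_ip]
            q.append(t)
            while t - q[0] > window:   # q is never empty: t was just appended
                q.popleft()
            tried[src_ip].add(user)
            if src_ip in alerts:
                alerts[src_ip]["failures"] += 1
            elif len(q) >= threshold:
                alerts[src_ip] = {"first_failure": q[0].isoformat(), "failures": len(q),
                                  "users": tried[src_ip], "success_after": None}
        elif event_id == 4624 and src_ip in alerts:
            alerts[src_ip]["success_after"] = {"user": user, "time": ts}
    return alerts


if __name__ == "__main__":
    for ip, alert in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(ip, alert)
```

The second source in the sample never reaches the threshold and the third is excluded by logon type, so only the first produces an alert; the `success_after` field on that alert is the item to escalate, since an RDP session obtained this way is exactly the foothold the remote access section describes.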
Spam and P2P software
Peer-to-peer (P2P) software used for torrenting, gaming or sharing files can be configured by attackers to distribute ransomware installers. The same goes for messaging apps and spam programs used for spamming or robo-calls. By hijacking developer accounts or exploiting vulnerabilities, criminals insert malicious installers into legitimate software that is then distributed to many systems quickly. These tactics turn popular apps into trojan horses, silently installing ransomware onto victims’ machines along with the intended software. Integrating ransomware into common programs lets cybercriminals hide in plain sight to bypass traditional network defenses.
Social engineering
Ransomware gangs are increasingly using social engineering tactics to manually infect systems. This may involve contacting employees by phone or email while masquerading as IT staff or management. They use persuasion or intimidation to get victims to disable security tools, run fake “anti-virus” scanners, install remote access tools or transfer money. Social engineering provides a human touch to get around purely technology-based safeguards. Training staff to recognize these ruses helps prevent them from inadvertently compromising systems and triggering ransomware outbreaks.
Mitigation strategies
There are several best practice security measures organizations should take to protect against ransomware infections from any intrusion vector:
- Keep all software patched and up-to-date to eliminate vulnerabilities.
- Install anti-virus/anti-malware tools and keep definitions current.
- Implement email security gateways to filter malicious emails and attachments.
- Block access to known malicious websites.
- Use pop-up blockers and ad blockers when web browsing.
- Disable macro scripts in Microsoft Office.
- Create backups offline and regularly test restoring them.
- Limit use of Remote Desktop and secure with MFA.
- Disable the SMBv1 protocol if possible.
- Install firewalls and segment network zones.
- Enforce strong password policies on all devices.
- Educate end users on information security best practices.
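The backup item in the list above has two halves: make backups offline, and regularly test restoring them. The following is an added example of what a restore test can check, not code from the original article. It records a SHA-256 manifest when the backup is taken (the manifest travels with the offline medium), then compares a restored tree against it, so an encrypted file shows up as corrupt and a dropped ransom note as an unexpected extra. The directory layout, file contents and note filename are constructed for the example and everything runs inside a temporary directory.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def build_manifest(root):
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def verify_restore(manifest, restored_root):
    """Compare a restored tree with the manifest taken when the backup was made.
    Encrypted files appear as 'corrupt', ransom notes as 'extra', lost files as 'missing'."""
    current = build_manifest(restored_root)
    missing = sorted(p for p in manifest if p not in current)
    corrupt = sorted(p for p in manifest if p in current and current[p] != manifest[p])
    extra = sorted(p for p in current if p not in manifest)
    return {"ok": not missing and not corrupt,
            "missing": missing, "corrupt": corrupt, "extra": extra}


def restore_drill():
    """Constructed scenario: back up a small tree, store the manifest as you would on the
    offline medium, restore it, then check a clean restore and a tampered one."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        src = base / "source"
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "ledger.xlsx").write_bytes(b"constructed quarterly figures")
        (src / "readme.txt").write_bytes(b"constructed project notes")

        manifest_file = base / "backup-manifest.json"    # keep this beside the offline backup
        manifest_file.write_text(json.dumps(build_manifest(src), indent=2))
        manifest = json.loads(manifest_file.read_text())

        restored = base / "restored"
        shutil.copytree(src, restored)
        clean = verify_restore(manifest, restored)

        # Simulate what a ransomware-touched copy looks like: one file's content replaced
        # with opaque bytes and a note dropped next to it (both constructed placeholders).
        (restored / "finance" / "ledger.xlsx").write_bytes(bytes(range(256)))
        (restored / "README_DECRYPT.txt").write_bytes(b"constructed ransom note placeholder")
        tampered = verify_restore(manifest, restored)
        return clean, tampered


if __name__ == "__main__":
    clean_result, tampered_result = restore_drill()
    print("clean restore:", clean_result)
    print("tampered restore:", tampered_result)
```

The manifest must be written at backup time and stored with the offline copy rather than on the protected host; a manifest that sits on a machine the ransomware can reach can be encrypted or replaced along with everything else, and the restore check would then prove nothing.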
Conclusion
Ransomware remains a top cyber threat facing organizations in 2023 and beyond. Its ability to rapidly infect systems and encrypt data can cause massive disruption. Awareness of the common infection vectors like phishing emails, drive-by downloads, and remote access tools is critical to defending against ransomware. Technological security controls combined with user education give organizations layered protection against ransomware outbreaks. But no single method will stop all ransomware attacks. Maintaining comprehensive offline backups as part of a ransomware resilience plan remains crucial for recovering encrypted data after an attack.