What is the most common method of attack for ransomware?

Ransomware is a type of malware that encrypts a victim’s files and demands payment in order to decrypt them. The most common method of attack used by ransomware is phishing emails containing malicious attachments or links.

What is ransomware?

Ransomware is a form of malware that encrypts a victim’s files and blocks access to their computer system. The attacker demands a ransom payment in order to decrypt the files and restore access. If the victim refuses to pay, they risk losing their data permanently.

Ransomware attacks have been rapidly increasing in frequency over the past several years. They pose a serious threat to individuals, businesses, and organizations of all sizes.

How does ransomware infect systems?

Ransomware typically infects systems through phishing emails containing malicious attachments or links. Phishing is a social engineering technique where attackers send authentic-looking emails designed to trick recipients into opening attachments or clicking on links that install malware.

Some common phishing email subject lines used to distribute ransomware include:

  • Unpaid invoice notification
  • Shipping confirmation for a package delivery
  • Notification of suspicious login attempt
  • Password expiration warning

The email attachments used to spread ransomware often include file types like:

  • .doc or .docx (Word documents)
  • .xls or .xlsx (Excel spreadsheets)
  • .zip or .rar (compressed files)

When recipients open these malicious attachments, the ransomware is able to install itself and begin encrypting files. Ransomware is also spread through infected website ads, compromised software installers, and remote desktop protocol (RDP) vulnerabilities.

How does ransomware encrypt files?

Once installed on a system, ransomware uses encryption algorithms to encrypt files and make them inaccessible to the user. Strong encryption such as AES and RSA scrambles the files so that they cannot be recovered without the decryption key.

Ransomware encrypts files located on:

  • Local hard drives
  • External storage devices
  • Network or cloud-based shared drives

Documents, media files, databases, financial records, and other important data are prime targets for encryption. The ransomware scrambles the data and changes the file extensions to a different format.

For example, a file named “expense_report.docx” may be encrypted and renamed as “expense_report.locked”. The encrypted files cannot be opened or accessed normally, essentially locking users out until the decryption key is obtained.
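
The rename pattern described above is also a detection signal. The following Python code is an added example, not part of the original article: it scans file-rename events and flags a burst of user files all renamed to the same unfamiliar extension. The event format, extension lists, thresholds and sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from pathlib import PurePath

# Assumed lists: file types worth protecting, and extensions normal on this host.
USER_DATA_EXTS = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".jpg", ".sqlite"}
KNOWN_EXTS = USER_DATA_EXTS | {".txt", ".zip", ".bak", ".tmp"}

# Constructed sample events: (unix_time, old_path, new_path).
SAMPLE_EVENTS = [
    (100.0, "/home/ana/expense_report.docx", "/home/ana/expense_report.locked"),
    (100.4, "/home/ana/budget.xlsx", "/home/ana/budget.locked"),
    (101.1, "/home/ana/photos/trip.jpg", "/home/ana/photos/trip.jpg.locked"),
    (101.9, "/srv/share/payroll.xlsx", "/srv/share/payroll.locked"),
    (102.3, "/srv/share/contract.doc", "/srv/share/contract.locked"),
    (102.8, "/srv/share/clients.sqlite", "/srv/share/clients.locked"),
    (50.0, "/home/ana/notes.docx", "/home/ana/notes.pdf"),  # benign conversion
    (20.0, "/home/ana/a.docx", "/home/ana/a.old"),          # isolated renames,
    (400.0, "/home/ana/b.docx", "/home/ana/b.old"),         # far apart in time
]


def detect_rename_bursts(events, window=60.0, threshold=5):
    """Return [(new_ext, burst_start, count)] for each unfamiliar extension
    that at least `threshold` user files were renamed to within `window` s."""
    recent = defaultdict(deque)  # new extension -> rename times inside window
    alerts = {}
    for ts, old, new in sorted(events):
        old_ext = PurePath(old).suffix.lower()
        new_ext = PurePath(new).suffix.lower()  # last suffix, so x.jpg.locked counts
        # Only renames that move user data to an extension we do not recognise.
        if old_ext not in USER_DATA_EXTS or not new_ext or new_ext in KNOWN_EXTS:
            continue
        times = recent[new_ext]
        times.append(ts)
        while ts - times[0] > window:  # drop renames older than the window
            times.popleft()
        if len(times) >= threshold and new_ext not in alerts:
            alerts[new_ext] = (times[0], len(times))  # alert once per extension
    return [(ext, start, count) for ext, (start, count) in alerts.items()]


if __name__ == "__main__":
    for ext, start, count in detect_rename_bursts(SAMPLE_EVENTS):
        print(f"ALERT: {count} user files renamed to *{ext} since t={start}")
```
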

What happens after encryption?

Once the encryption process is complete, the ransomware displays a ransom note with instructions for how to pay the ransom and regain access to files. The ransom is usually demanded in cryptocurrency, such as Bitcoin, which provides anonymity to the attacker.

The ransom note threatens permanent data loss if payment is not made quickly, often within 24-48 hours. The note provides information on how to purchase cryptocurrency and send the payment to the provided wallet address.

Ransom amounts demanded have increased over time, with the average ransomware payment now over $100,000. Even if paid, decryption is not guaranteed, as attackers do not always provide working keys.

Examples of common ransomware variants

Some of the most prevalent ransomware threats include:


Ryuk is used to target larger organizations and governments. Infection often occurs through phishing emails containing .zip files or links to executable downloads. Ryuk encrypts entire networks and demands high ransom payments in notes written to text files across the system.


Active since 2016, Cerber is distributed via exploit kits and spam emails. It uses AES encryption to lock files and scrambles file names. A ransom note contains instructions for paying the fee to receive the decryption key.


First observed in 2016, Locky is spread through spam emails containing malicious Microsoft Office documents. It encrypts over 160 different file types. The ransom note uses the .locky file extension and is localized based on the victim’s location.


CryptoLocker flourished between 2013 and 2014 until a takedown operation neutered it. It spread as an attachment to spam emails and used RSA public key cryptography to encrypt files. Victims were required to pay within 3 days or lose their files forever.


WannaCry made headlines in 2017 when it caused massive disruption by infecting hundreds of thousands of computers globally. It exploited a Windows vulnerability to propagate and encrypt system files. Victims received ransom notes demanding $300 to $600 in Bitcoin.


NotPetya posed as ransomware, but its goal was merely to destroy and disrupt systems. It caused an estimated $10 billion in damages in 2017. The malware propagates via exploits and password guessing to encrypt the master boot record and crash Windows devices.

Recent trends and statistics

Ransomware attacks have been growing in frequency, sophistication, and cost over the past 5 years. Some key trends include:

  • Attacks on healthcare, government, and education sectors are rising rapidly
  • Ransom amounts have increased more than tenfold, with demands over $1 million becoming more common
  • New ransomware models include extorting businesses by threatening to publicly leak sensitive data
  • Attackers are shifting from consumer targets to organizations that are more likely to pay higher ransoms

Some noteworthy statistics on the current state of ransomware include:

Metric                            2021 Statistic
--------------------------------  --------------
Global ransomware damage costs    $20 billion
Ransomware attacks per day        304,000
Ransom payments in the U.S.       $590 million
Average ransom payment            $118,000
Highest ransom payment            $50 million

These figures demonstrate how extremely lucrative ransomware attacks have become, driving large numbers of cyber criminals to adopt this attack method.

Defending against ransomware

Preventing ransomware comes down to building strong defenses by:

  • Training employees to identify and avoid phishing attempts
  • Keeping all systems and software up-to-date with the latest security patches
  • Installing antivirus/antimalware tools to detect and block known threats
  • Configuring email security gateways to filter out malicious attachments and links
  • Regularly backing up critical data, air-gapped from the network
  • Limiting access and permissions to prevent lateral movement post-infection

Implementing layered security measures makes organizations a harder target and improves resilience when ransomware attacks do occur.

Should ransom be paid if infected?

Paying the ransom should be an absolute last resort. There is no guarantee files will be recovered, and it encourages more attacks. The FBI and security experts advise victims not to pay ransoms.

However, in cases where backups are non-existent and the encrypted data is mission-critical, some organizations calculate that paying the ransom to restore business operations is the least-bad option. But this should only be considered after consulting law enforcement agencies first.


Phishing emails with malicious attachments and links make up the vast majority of ransomware attacks today. Users must remain vigilant against attempts to coax them into downloading or opening files from unknown senders. Keeping software patched, backing up data, and implementing layered defenses significantly reduces the attack surface.

While ransomware remains a serious threat, the impact can be minimized through comprehensive security awareness training and technical measures to prevent, detect, and respond to infections.