The 5 Most Common Ways That Ransomware Spreads

In the past few years, ransomware has become one of the biggest cyber security threats that organisations face. It was the second-leading cause of cyber attacks in 2021, according to research by IT Governance, with more than 400 publicly disclosed incidents being reported.

The nature of ransomware means that it is more disruptive than other forms of cyber attack. The malware worms through the victim’s system rapidly, and business operations are brought to a halt while the organisation decides how to deal with the situation.

But how exactly does ransomware spread through an organisation? We answer that question in this blog, as we look at the five most common ways that a ransomware infection begins.

What is ransomware?

Ransomware is a type of malware that encrypts computer files, locking the owner out of their systems.

Once this happens, the ransomware will display a message demanding that the victim make a payment to regain access to their files.

Many ransomware victims feel obliged to pay up, because it’s the quickest and least expensive way to get up and running again.

However, experts generally urge organisations not to negotiate, because ransom payments help fuel the cyber crime industry. There is also no guarantee that paying the ransom will mean the criminals release the files.

See also:

How does ransomware spread?

For a ransomware attack to begin, the attackers must find a way to plant the malware on an organisation’s systems. There are countless ways they can do this, but they will typically use one of the following five methods.

1. Email attachments

Phishing emails are the most common delivery method for ransomware. Scammers send messages that appear to be from a legitimate organisation and prompt the recipient to open an attachment.

The messages often take the form of a business correspondence, with the attached file seemingly related to a work topic. Emails also often masquerade as invoices, with the recipient being instructed that they have been billed for something.

These are just a few examples. Phishing emails can take any form, and the attachment can appear as a Word document, Excel spreadsheet, PDF or ZIP file.

However, in every instance, the attachment contains a malicious payload that is downloaded as soon as the recipient opens the file.

The ransomware might be deployed immediately, but in other situations the scammers wait days or even months to instigate the attack.

2. Malicious URLs

Phishing emails present another threat in the form of malicious URLs. Instead of downloading an attachment, the message prompts the recipient to follow a hyperlink.

These scams follow the same pattern that we’ve described above, with the attackers posing as a legitimate organisation.

The only difference is that malicious URL attacks are more likely to pose as a private organisation such as PayPal, Netflix or Microsoft. They might state, for example, that there is a problem with the user’s account and instruct them to log on to address the issue.

The message will contain a link that appears to direct the recipient to a login page but which is in fact a mock-up of the legitimate site. When the user provides their username and password, they are inadvertently handing over this information to the attackers, who can then use the compromised account to launch a ransomware attack.

In some cases, simply following the link is enough to trigger the ransomware to download on a device. This is particularly the case for people using older versions of operating systems or browsers, because they don’t have the same protections in place to prevent malware from executing automatically.

3. Remote desktop protocol

RDP (remote desktop protocol) is a way for one computer to connect to another virtually. It’s often used when an employee seeks IT support and the team isn’t nearby to look at the problem in person.

The expert takes control of the computer using remote access software, which allows them to control another device using their own keyboard and mouse.

If a cyber criminal was able to gain remote access to someone’s computer, they could plant ransomware. There are two ways they can do this. The first is by finding system vulnerabilities that enable the attacker to create their own remote access.

By default, RDP receives connection requests through port 3389. Cyber criminals can use port-scanners to scour the Internet for devices with exposed ports.

Once they’ve found a target, they might try to gain access by exploiting a security vulnerability or conducting a brute-force attack to crack the machine’s login credentials.

Alternatively, they can trick people into handing over remote access by conducting a social engineering attack. One of the most popular techniques is to create a pop-up spam message in an Internet browser that claims that the individual’s computer is infected with malware.

The window is designed to trick people who aren’t tech-savvy and cannot differentiate between an Internet window and an alert sent by their antivirus software.

The scammer’s message will contain a phoneline that users are prompted to call to receive support. Those who call the number are directed to a fake support centre and someone claiming to help fix the issue.

They will request remote access to the device to perform a bogus vulnerability scan, which will detect the apparent virus. The scammer will then download a piece of software that appears to fix the issue, but it is in fact malware.

The malicious software might be ransomware itself or a keylogger that tracks everything that a user types on their machine, such as passwords or other sensitive information.

With those details, the attacker can gain extended access to the victim’s account. This helps them conduct further scams before finally unleashing a ransomware strain on the device.

4. Pirated software

Illegitimate software was once the single-most common way that malware was spread.

Individuals who downloaded cracked software believed they were getting a bargain by not having to pay for the legitimate service, but they soon learned that the software was laced with malware.

Part of the problem is that unlicensed software doesn’t receive updates from the developer, which means that it will contain an increasing number of vulnerabilities that a cyber criminal can exploit.

Pirate sites that enable individuals to download songs and films provide another way for malware to spread. As with malicious email attachments, the files might have been injected with a malicious executable that enables attackers to surreptitiously infect the user’s device.

The threat of ransomware attacks via pirated software has decreased in recent years as the popularity of the services have waned. It is increasingly easy and affordable to stream content legitimately, reducing the popularity of pirate sites.

However, for people who still use these services, there remains a serious risk of infection.

5. Removeable devices

Organisations are highly susceptible to malware that enters their systems via removeable devices such as USB sticks. Unlike when transferring files over email, there is no threat detection system that can warn users of a security risk.

With removeable devices, individuals can simply plug them into their computer and copy over files. It only takes one infected document to compromise an organisation’s systems.

Cyber criminals often exploit this weakness by leaving infected USB sticks in public. The goal is for someone to find the device and be curious enough to plug it into their computer to see what’s stored on it.

Organisations are equally liable to fall victim if an employee uses a removeable device for both their personal and work computers. They might inadvertently download malware while doing personal activities, and that malicious code will execute when it is plugged into another computer.

How to prevent ransomware attacks

All of the techniques we’ve listed here have one thing in common: they are, to some extent, the result of human error.

Ransomware is often considered an IT problem, because cyber criminals exploit system weaknesses to plant malware. But in most cases, the first step of the process is to leverage a vulnerability introduced by the individual.

The success of phishing emails relies on individuals fooling for the bait and downloading a malicious attachment or clicking a bogus link.

RDP attacks are only possible if people fall for scams or employees fail to properly configure their networks, and infections via pirated software and removeable devices occur because people don’t understand the threat using untrusted sources.

The key to protecting your organisation from ransomware is therefore to educate employees on the threats they face and the steps they can take to stay safe.

IT Governance’s Ransomware Staff Awareness E-learning Course contains the materials and tools you need to get started.

This online course provides a comprehensive introduction to ransomware in just 30 minutes. It’s designed for all employees, and covers:

  • The threats posed by a ransomware attack;
  • The main forms a ransomware attack can take and how they work; and
  • Actions that individuals and organisations can take to help protect against ransomware.



  • Luke Irwin

    Luke Irwin is a writer for IT Governance. He has a master’s degree in Critical Theory and Cultural Studies, specialising in aesthetics and technology..