How Does Ransomware Spread

Ransomware is one of the biggest cybersecurity threats faced by computer systems and networks today. This is especially due to the advent of large databases and the increasing reliance of big and small businesses, governments, and militaries on virtual databases. However, it does not mean that personal computers and data are safe from this threat.

Most computer systems are very vulnerable to ransomware attacks. It can only be by learning about the modes of spread of ransomware that one can prevent their valuable data from falling prey to it.

What Is Ransomware?

Ransomware is a type of malicious software, or malware, that involves threats to encrypt files or publicly publish the victim’s data. The attacker then keeps the data or decryption key hidden until the ransomware victims agree to pay the ransom that has been asked.

Ransomware is usually propagated via a Trojan, a malware that misguides a user about its true purpose, which appears to be an authentic file according to the user’s search intent. Hence, the user is tricked into clicking on the file to open or download it, ultimately installing the ransomware on their system.

Several ransomware variants can spread on a computer system in many ways. Even systems with the most advanced cyber security arrangements and encrypted files can still fall prey to ransomware attacks. So, it is best to understand how to avoid phishing attacks and surf the net more responsibly.

How Does Ransomware Spread?

Phishing Emails

Emails are the most common mode of spread of ransomware. These emails, called spear phishing attacks, usually contain malicious attachments that the user will likely download. Sending a phishing email is the most common and popular ransomware delivery method among cyber attackers.

When the attachment is opened, one possibility is that the ransomware may be executed immediately. In the other case, the attacker may wait for some time before executing the attack. Attackers propagating ransomware via emails rely mainly on the user’s gullibility regarding safe surfing practices.

In the case of businesses or high-profile targets, the attacker may conduct in-depth research to tailor the email attachments ransomware to make them believable for the victim. This can be done, for example, by using the name, details, or other credentials of a reliable source or contact to trap the victim.

How To Prevent?

To avoid ransomware attacks by emails, one should be able to identify the credibility of the email contents and the email address used. Such attacks may sometimes contain grammatical mistakes or other tell-tale signs that the email is not legitimate. Even if it appears to be, and the source appears to be someone you know, get in contact with them to confirm they are the senders.

Remote Desktop Protocol (RDP)

Remote desktop protocol (RDP) is a communications protocol that provides a user with a graphical interface that allows connection with another computer over a network. RDP allows Virtual Desktop Infrastructure, or VDI, which has been popular since work-from-home gained traction.

It is quite easy for cyber attackers to identify the port(s) that an RDP request is sent to. Another harm from a ransomware infection on an RDP node is that the infection can spread laterally since several computers are connected to the network.

Moreover, from ransomware infections on RDP nodes, the ransomware instigators get complete freedom to do as they wish with the valuable data in their control. They can execute ransomware, delete important backup files, and disable antivirus or other security software.

How To Prevent?

Users should try to use strong passwords and PIN codes for their devices and valuable data storage. One should use VPN when surfing the net and only enable RDP when necessary. Also, try not to use the default port for RDP.

Malicious Advertising

Malicious advertising, or simply malvertising, is one of the most popular modes of spread of a ransomware attack. Attackers can buy ad space on a website and link it to an exploit kit. The ad usually contains offers like free software, a message notification, or a provocative graphic.

When the user clicks on such an advertisement, the exploit kit scans the user’s system for information about the operating system, browser details, et cetera. As soon as the exploit kit detects a vulnerable spot in the system, it deploys ransomware on the computer.

How To Prevent?

Avoid visiting suspicious websites or clicking on malicious links and ads when surfing the Internet. Keep your security software up to date and only use legitimate websites that are verified and secure.

Users can also use ad blockers and disable plugins that are not in use.

Pirated Software

In an attempt to avoid paying for software, users usually end up risking or losing their precious data to ransomware attacks. Pirated software is usually loaded with malvertising or another form of ransomware. Even the websites offering such software contain ransomware. This is because these websites and their softwares do not originate from verified sources and hence, do not get any security or other software updates.

How To Prevent?

One should try to avoid installing and using pirated software.

Users should avoid visiting websites that offer pirated software, deals that seem too good to be true, or keys and cracks that help install such software.

Drive-by Downloads

A drive-by download takes place in the background without your knowledge. They can be easily exploited by ransomware instigators, who can add their malware on genuine, verified websites or, sometimes, on websites created by them. When an infected website is visited, the malware inspects the systems for vulnerabilities and executes the ransomware in the background.

A ransomware attack propagated via drive-by downloads is perhaps the most dangerous kind because they do not require any user input to deploy, i.e., the user does not have to click on a link or install something. As soon as the website is opened, it takes mere seconds for the ransomware to spread to the system.

How To Prevent?

Users can install ad blockers on their systems to avoid any malicious ads running in the background.

They should keep their security and antivirus software up to date, run regular malicious content scans, and eliminate any unnecessary plugins in browsers.


Cyber attackers commonly target managed service providers (MSPs) via phishing and exploit their Remote Monitoring and Management (RMM) softwares. Such an attack can allow the perpetrator to install ransomware on the entirety of the MSP’s customer database, forcing them to pay large sums in ransom.

How To Prevent?

MSPs should invest in quality cyber security to vigilantly monitor phishing traps.

Network Propagation

Network propagation is also a widespread method of the spread of ransomware infection. While in older times, ransomware could only infect the device they were installed on; today, this malware has become more advanced. Modern ransomware can self-propagate laterally from the local machine on multiple devices connected to a network.

How To Prevent?

Users should try to maintain a backup of all important data on their system. All devices connected to computer networks should keep their security software up to date.

Other Ways Of The Spread Of Ransomware

Zero-day vulnerabilities, also called unpatched vulnerabilities, are the preferred target of ransomware attackers. Every software has certain bugs and unfixed weak spots. Hence, attackers with access to decent resources usually even pay ample sums to discover such vulnerabilities in the device network of an organization.

As a result, like in the case of drive-by downloads, the attacker can deploy ransomware on a system or network without fooling a user into making a mistake.

Infected USB drives, public Wi-Fi, and portable computers can also easily help spread ransomware. Connecting to an infected device like USB drives can not only execute ransomware on the device, but the initial infection on the local machine can also spread it to other devices on any network the now-infected device is connected to.


Once it is deployed on a system, it can be extremely difficult to remove ransomware from a system or network, and in some cases, even impossible. Hence, it is better to know how to identify phishing attacks and prevent a ransomware attack.

There are several modes via which ransomware can propagate. Sometimes, an attack involves fooling a user into taking a step that would inadvertently install ransomware on the system. In other instances, the ransomware is deployed automatically without any user input.

At times, preventing successful ransomware attacks on a device can be hard. However, by safe surfing practices and a decent knowledge of the threat, users can prevent the permanent loss of valuable data.

Derik Belair

As President and CEO, Derik leads the vision, strategy and growth of Augmentt. Prior to founding Augmentt, Derik was the Vice President at SolarWinds, leading the digital marketing strategy for SolarWinds’ Cloud division. Derik has been working in the channel for over 20 years, starting his career as a channel sales rep at Corel Corp. and eventually becoming the first employee at N-able Technologies in April of 2000.
SUBSCRIBE for more resources
Related Content

Agent-based SaaS Discovery

    When it comes to Augmentt Discover, we believe in flexibility and power. Augmentt Discover can collect SaaS usage data using both an Agent and Agentless model. Here is a quick [...]

    Product Evaluation Guide

      Thank you for starting your Augmentt Product Evaluation and Trial   Here are a few resources that will help you through this technical process. Support Technical Support is available to [...]
      Augmentt is a centralized SaaS security platform built for MSPs to deliver scalable managed security services for Microsoft and cloud apps. Our multi-tenant platform gives you visibility across all your end-users to easily audit, protect and detect security threats for a holistic approach to cyber security.