Ransomware is very dangerous. It encrypts data in such a way that it is often impossible to restore it. As a result, the harm caused by ransomware can be immeasurable.
There are a few different ways in which criminals spread their ransomware infections: phishing emails, open RDP access, and various security flaws. It’s important to be aware of the ways in which our systems may be vulnerable to ransomware so that we can avoid these dangerous infections.
How Ransomware Spreads quicklinks
- Malicious email spam
- Remote Desktop Protocol
- Malicious advertisements
- Infected media and programs
- Supply chain and MSP infections
- Software vulnerability exploits
Malicious email spam
Malicious emails might carry malware as attachments. They might also link to dangerous files or websites. These emails will try to get you to download and open those attachments or click their links.
Such malicious emails are sometimes called phishing emails. These messages are disguised as mundane and trustworthy. They might impersonate a trusted company, such as your bank or post office. Sometimes, the emails are highly targeted, going so far as to use your name and your workplace.
This method of delivering ransomware (as well as other malware) is used against individual PC users and against the employees of big companies.
As an example, DeroHE was ransomware sent to the members of a forum and disguised as a special offer for a software package.
Remote Desktop Protocol
Another method that cybercriminals use to spread ransomware is to break into systems through vulnerable remote access points: RDP, VPN, etc.
The vulnerability in RDP is usually weak credentials. For example, usernames like “admin” and passwords like “123456” are easy to guess. The criminals might remotely access the computer and plant the ransomware, as well as steal files, disable security, and delete backups.
Since many individual PC users do not enable remote access to their computers, this method of delivering ransomware is mostly used against business companies and other organizations.
Dharma is one of many file-encrypting programs that spread this way.
Cybercriminals can use advertising infrastructure to deliver malware. They can infect legitimate ads or defraud advertising companies in order to trick them to display malicious content.
Shady and reputable sites can suffer from malvertising. Malicious ads can cause redirects to malicious websites and then automatically download ransomware and other malware. They may use exploit kits to automatically install the infections.
This method of ransomware distribution can affect individual users as well as the employees of companies and organizations, where ransomware can then spread through the network.
As an example, Seon ransomware was delivered by infected ads on an Mp3 converter website.
Infected media and programs
Ransomware can be embedded in the installers of other programs. It can be downloaded by Trojan Downloaders alongside other malicious programs.
Pirated programs and media (such as movies) are sometimes infected with Trojan Downloaders. Running these infected programs allows the trojans to install ransomware and other malware.
This method of ransomware distribution is most likely to affect individual PC users and small businesses.
A good example of ransomware that spreads this way is Djvu. This ransomware was incredibly widespread and affected users around the globe.
Supply chain and MSP infections
Cybercriminals could infect a commonly used resource and force it to deliver ransomware. Dependencies like linked libraries, third-party software and services can be infected with malware.
This method of ransomware delivery is more likely to be used against companies and organizations.
For example, managed service providers have been targeted by cybercriminals and their tools used to infect their clients with ransomware.
The devastating NotPetya attack in 2017 is believed to have originated in a compromised update for accounting software.
SolarWinds is another example of malware spreading this way, though it’s not specifically ransomware.
Software vulnerability exploits
Ransomware can be delivered by criminals abusing a software vulnerability – a known security bug present in a program used by the victim.
Such bugs are usually present in outdated versions of software. Updates fix these bugs, but not every user installs the updates. Cybercriminals take advantage of that.
Cybercriminals might create custom processes to perform targeted attacks. They can also automatically look for vulnerable systems online. Therefore, this method of ransomware distribution is dangerous to individual PC users and to companies and organizations.
One of the most infamous examples of ransomware abusing software vulnerabilities is WannaCry. This ransomware spread using an exploit present in old Windows versions. By the time WannaCry started infecting computers, the patch to fix the exploit had already been out, but there were still plenty of vulnerable systems.