Today, ransomware attacks are rapidly growing in number and complexity. The FBI’s Internet Crime Complaint Center received 2,084 ransomware reports from January to July 31, 2021, representing a 62% year-over-year increase. And according to SonicWall’s 2021 Cyber Threat Report 2021 Mid-Year Update, in June 2021 alone, there were 78.4 million ransomware attempts recorded, more than the number reported in Q2 2020 and almost half of the total for all of 2019. This has led SonicWall to declare 2021 the worst year to date in terms of ransomware attempts.

 

Ransomware attacks typically target schools, hospitals, retail businesses, professional services firms, manufacturing companies, and government agencies. But in 2021, ransomware was even used to hijack critical infrastructure. The ransomware attack on Colonial Pipeline disrupted the flow of oil across the eastern United States. What’s more, cybercriminals moved from targeting single organizations to targeting supply chains, such as when remote management software vendor Kaseya fell victim to the REvil ransomware, which impacted 1,500 companies.

 

To protect your company from emerging ransomware threats, you need to learn what ransomware is and how it spreads on networks.

What is ransomware and what does it do?

Ransomware is a type of malware that encrypts its victims’ data or systems and holds them hostage until the ransom is paid, typically in cryptocurrency. Its roots can be traced to a simple Trojan that spread during the 1989 World Health Organization conference. Today, ransomware has become mainstream, especially with the rise of Ransomware-as-a-Service in which ransomware is sold as a commodity on the black market. 

Related reading: The Rise and Evolution of Ransomware

How is ransomware deployed?

Cybercriminals use a number of methods to spread ransomware on computer networks:

Email attachments

Ransomware is typically distributed via email attachments. In this approach, attackers send an email with an attachment, which can come in a variety of formats, such as an executable program, PDF, Word document, or Excel spreadsheet. When you open the attachment, the ransomware may start to encrypt your files immediately. In other cases, attackers may wait for months after the infection before encrypting your files, as with the Emotet/TrickBot attacks.

 

Some attackers even extensively research their target (often a specific company or a top-ranking official in that company) to craft a credible-looking email, which increases the likelihood that the recipient will download and open the attachment.
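
As a defensive illustration of the attachment formats listed above, the following added example (not part of the original article) triages a message's attachments by content rather than by file name: it flags executables, extension and content mismatches, and Office documents that carry VBA macros. The sample message, addresses, and file names are constructed for the demonstration.

```python
import io, os, zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Magic bytes for the formats named above, and the content each extension should carry.
MAGIC = {b"MZ": "executable", b"%PDF": "pdf",
         b"PK\x03\x04": "ooxml-zip", b"\xd0\xcf\x11\xe0": "ole2"}
EXPECTED = {".exe": "executable", ".pdf": "pdf", ".doc": "ole2", ".xls": "ole2",
            ".docx": "ooxml-zip", ".xlsx": "ooxml-zip"}

def sniff(data):
    """Classify content by its first bytes, ignoring the file name."""
    return next((k for m, k in MAGIC.items() if data.startswith(m)), "unknown")

def has_vba(data):
    """True if a zip-based Office document carries a VBA macro project."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
    except zipfile.BadZipFile:
        return False

def triage(raw_message):
    """Return {filename: [findings]} for each attachment in a raw message."""
    report = {}
    msg = message_from_bytes(raw_message, policy=policy.default)
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        kind, ext = sniff(data), os.path.splitext(name)[1].lower()
        findings = ["executable content"] if kind == "executable" else []
        if ext in EXPECTED and EXPECTED[ext] != kind:
            findings.append(f"{ext} extension but {kind} content")
        if kind == "ooxml-zip" and has_vba(data):
            findings.append("contains VBA macros")
        report[name] = findings
    return report

def build_sample():
    """Constructed message: PE header named .pdf, macro-bearing .docx, plain PDF."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.com", "b@example.com", "Invoice"
    msg.set_content("See attached.")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/vbaProject.bin", b"constructed placeholder")
    for name, data in [("invoice.pdf", b"MZ\x90\x00" + bytes(16)),
                       ("report.docx", buf.getvalue()), ("notes.pdf", b"%PDF-1.7\n")]:
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return msg.as_bytes()
```

Calling `triage(build_sample())` returns findings for the disguised executable and the macro-bearing document, and an empty list for the plain PDF.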

Malicious links

Attackers may spread ransomware through malicious links embedded in emails, social media platforms, or other sites. To trick victims into clicking the links, these are often accompanied by messages that evoke a sense of urgency. For example, such messages may indicate that your computer has been infected with a virus and you need to click on the link to fix the issue. However, clicking on the link actually triggers the download of ransomware. 

Drive-by downloads

To distribute ransomware, cybercriminals can host malicious code on their own site or inject it into legitimate websites by exploiting the sites’ vulnerabilities. When you visit infected websites, the malicious content scans your device for vulnerabilities and exploits these to execute ransomware. 

 

This ransomware delivery method does not require any human interaction — there’s no need to click on links, install programs, or open malicious attachments. You simply have to visit an infected website and the ransomware will be downloaded without your knowledge, hence the name “drive-by download.” 

Malvertising

With malicious advertising, or malvertising, attackers buy ad space on high-traffic websites and display an ad that entices people into clicking it, such as a provocative ad or one that offers free software. These ads are linked to an exploit kit, which contains code that attacks vulnerabilities in your computer’s software, operating system, or browser to install the ransomware. CryptoWall and Sodinokibi are some of the major ransomware strains that have spread through malvertising.

Pirated software

Some pirated software is bundled with adware and ransomware, such as the STOP (djvu) ransomware. Attackers may distribute these bundles through file-sharing websites, chat rooms, or peer-to-peer networks. Once you install the pirated software on your computer, the ransomware will start encrypting your files.

 

In other cases, the use of pirated software may indirectly cause the ransomware infection. This is because an unlicensed program does not get software updates and security patches from the developer, allowing attackers to easily exploit its vulnerabilities. 

Removable media

USB drives and other removable media are commonly used to deliver ransomware. In this method, attackers infect USB drives and removable media with ransomware. Afterwards, they find ways to connect those infected devices to a local machine to trigger the spread of ransomware across the network. 

Network propagation

Unlike older ransomware strains that only encrypt the local machine they infect, advanced ones, such as WannaCry, Petya, and SamSam, have self-propagation mechanisms that enable them to move laterally to other devices on the network. These advanced strains can easily take down entire organizations. 

Remote Desktop Protocol

Cybercriminals can spread ransomware by exploiting the Remote Desktop Protocol (RDP), which is a communications protocol that enables you to access another computer over a network connection. Network administrators utilize RDP to remotely log in to servers and provide technical support, among other actions. Some employees may also use RDP to remotely access their company email and documents. 

 

Unfortunately, cybercriminals can exploit weaknesses in RDP software or misconfigurations in RDP deployment to gain access to computer networks and spread ransomware. Examples of ransomware strains that spread through RDP include Dharma and GandCrab.

Conclusion

The aforementioned methods are just some of the ways ransomware can spread on networks. Unfortunately, as ransomware becomes more sophisticated over time, we can expect cybercriminals to come up with even more methods to distribute ransomware. The good news is that there are also measures you can take to minimize the risk of infection. Learn more by reading our previous blog, “How To Protect Your Business Network From Ransomware (2021).”

 

For expert ransomware protection, turn to Dynamic Solutions Group. We follow a well-rounded security framework composed of security processes, technology, and people, which will provide you with an effective, comprehensive cyber defense. Get in touch with us to keep ransomware at bay.