How ransomware spreads: 9 most common infection methods and how to stop them

how ransomware spreads

Cybercriminals are looking for creative new ways to hold your data hostage. One of the more devious yet ingenious ways is ransomware.

This type of cybersecurity threat penetrates networks and systems so fast and covertly that many people end up wondering, “how does ransomware spread on a network?”

Emsisoft Enterprise Security + EDR

Robust and proven endpoint security solution for organizations of all sizes. Start free trial

However, while ransomware might be getting more sophisticated, it’s important to remember that the technology still has to abide by the same rules as regular old malware.

That means it still has to be distributed, it still has to infect your system before it can deliver its payload – and it can still be avoided by taking a proactive approach to security.

So, how does ransomware get in and infect your computer? In this article, you’ll learn how ransomware spreads – including some of the most common propagation types and how you can prevent an infection.

1. Email attachments

Do you know how ransomware spreads so fast? Email has something to do with it.

Ransomware is commonly distributed via emails that encourage the recipient to open a malicious attachment. The file can be delivered in a variety of formats, including a ZIP file, PDF, Word document, Excel spreadsheet and more. Once the attachment is opened, the ransomware may be deployed immediately; in other situations, attackers may wait days, weeks or even months after infection to encrypt the victim’s files, as was the case in the Emotet/Trickbot attacks.

Attackers may conduct extensive research on their target (often a specific company or high-ranking individual in an organization) to create credible and very believable emails. The more legitimate the email looks, the more likely the recipient is to open the attachment.

Prevention tips

2. Malicious URLs

Attackers also use emails and social media platforms to distribute ransomware by inserting malicious links into messages. During Q3 2019, almost 1 in 4 ransomware attacks used email phishing as an attack vector, according to figures from Coveware.

To encourage you to click on the malicious links, the messages are usually worded in a way that evokes a sense of urgency or intrigue. Clicking on the link triggers the download of ransomware, which encrypts your system and holds your data for ransom.

Prevention tips

3. Remote desktop protocol

RDP, a communications protocol that allows you to connect to another computer over a network connection, is another popular attack vector. Some examples of ransomware that spread via RDP include SamSam, Dharma and GandCrab, among many others.

How is ransomware spread through RDP?

By default, RDP receives connection requests through port 3389. Cybercriminals take advantage of this by using port-scanners to scour the Internet for computers with exposed ports. They then attempt to breach the machine by exploiting security vulnerabilities or using brute force attacks to crack the machine’s login credentials.

Once the attacker has compromised the machine, they can do more or less anything they wish. Typically this involves disabling your antivirus software and other security solutions, deleting accessible backups and deploying the ransomware. They may also leave a backdoor they can use in the future.

Prevention tips

4. MSPs and RMMs

Cybercriminals frequently target managed service providers (MSPs) with phishing attacks and by exploiting the remote monitoring and management (RMM) software commonly used by MSPs.

A successful attack on an MSP can potentially enable cybercriminals to deploy ransomware to the MSP’s entire customer base and put immense pressure on the victim to pay the ransom. In August 2019, 22 towns in Texas were hit with ransomware that spread via MSP tools. Attackers demanded $2.5 million to unlock the encrypted files.

Prevention tips

5. Malvertising

Malvertising (malicious advertising) is becoming an increasingly popular method of ransomware delivery.

Malvertising takes advantage of the same tools and infrastructures used to display legitimate ads on the web. Typically, attackers purchase ad space, which is linked to an exploit kit. The ad might be a provocative image, a message notification or an offer for free software.

When you click on the ad, the exploit kit scans your system for information about its software, operating system, browser details and more. If the exploit kit detects a vulnerability, it attempts to install ransomware on the user’s machine. Many major ransomware attacks spread through malvertising, including CryptoWall and Sodinokibi.

Prevention tips

6. Drive-by downloads

A drive-by download is any download that occurs without your knowledge. Ransomware distributors make use of drive-by downloads by either hosting the malicious content on their own site or, more commonly, injecting it into legitimate websites by exploiting known vulnerabilities.

When you visit the infected website, the malicious content analyzes your device for specific vulnerabilities and automatically executes the ransomware in the background.

Unlike many other attack vectors, drive-by downloads don’t require any input from the user. You don’t have to click on anything, you don’t have to install anything and you don’t have to open a malicious attachment – visiting an infected website is all it takes to become infected.

Prevention tips

7. Network propagation

While older strains of ransomware were only capable of encrypting the local machine they infected, more advanced variants have self-propagating mechanisms that allow them to move laterally to other devices on the network. Successful attacks can cripple entire organizations.

Some of the most devastating ransomware attacks in history featured self-propagation mechanisms, including WannaCry, Petya and SamSam.

Prevention tips

8. Pirated software

Ransomware is known to spread through pirated software. Some cracked software also comes bundled with adware, which may be hiding ransomware, as was the case in the recent STOP Djvu campaign (free decryptor available here). In addition, websites that host pirated software may be more susceptible to malvertising or drive-by downloads.

The use of pirated software may also indirectly increase the risk of ransomware infection. Typically, unlicensed software doesn’t receive official updates from the developer, which means users may miss out on critical security patches that can be exploited by attackers.

Prevention tips

9. USB drives and portable computers

USB drives and portable computers are a common delivery vehicle for ransomware. Connecting an infected device can lead to ransomware encrypting the local machine and potentially spreading across the network.

Typically this is inadvertent – a member of staff unwittingly plugs in an infected USB drive, which encrypts their endpoint – but it can also be deliberate. For example, a few years ago, residents of Pakenham, a suburb in Melbourne, discovered unmarked USB drives in their mailboxes. The drives contained ransomware masquerading as a promotional offer from Netflix.

Prevention tips


Ransomware spreads in many different ways. Some attack vectors such as malicious email attachments, phishing links and removable devices rely on human error, while others such as malvertising, drive-by downloads and network propagation are effective with no user input whatsoever.

Now that you know how ransomware spreads, there are many things you can do to reduce the risk of infection and mitigate the effects of an attack. Investing in proven antivirus software, maintaining backups and being cautious with your clicks can go a long way toward protecting your data and keeping your system safe from ransomware.

Which attack vector do you think is the biggest threat?



Writer. A picture is worth a thousand words but unfortunately I can't draw. The world of IT security has always fascinated me and I love playing a small role in helping the good guys combat malware.

What to read next