Skip to main content

The four most popular methods hackers use to spread ransomware

(Image credit: Image source: Shutterstock/Carlos Amarillo)

Organizations from COSCO to FedEx, local governments from Atlanta to Alaska, and several hospitals and law firms around the world all share a common, jarring experience - in the past year, all of these organizations have watched as malicious software took over their networks and demanded a ransom payment, while disrupting their business service continuity.

Ransomware is an escalating, increasingly sophisticated threat, and no one seems to be immune. With new ransomware authors constantly upping their game to evade detection by demanding new forms of crypto-currency, such as DASH, or stealing passwords and Bitcoin wallets, it can be difficult for the average user to understand how they were infected in the first place when they fall victim to an attack. 

There are a number of attack vectors ransomware can exploit to take over computers or servers. These are the four most common ways ransomware infects its victims.

1. Phishing Emails

The most common method for hackers to spread ransomware is through phishing emails. Hackers use carefully crafted phishing emails to trick a victim into opening an attachment or clicking on a link that contains a malicious file. 

That file can come in a number of different formats, including a PDF, ZIP file, Word document or JavaScript. In the case of a Word document, the attacker most commonly tricks the user into “Enabling Macros” upon opening the document. This enables the attacker to run a script that downloads and executes a malicious executable file (EXE) from an external web server. The EXE would include the functions necessary to encrypt the data on the victim’s machine.

Once the data is encrypted, and ransomware gains a foothold on one machine, the more advanced ransomware variants will spread to other machines on the network (PCs and servers). All it takes is for one person to naïvely open an attachment in the phishing email, and an entire organization can be infected.

Popular ransomware exploiting victims using phishing emails include:

2. Remote Desktop Protocol

An increasingly popular mechanism in which attackers are infecting victims is through Remote Desktop Protocol (RDP). As the name implies, Remote Desktop Protocol was created to enable IT administrators to securely access a user’s machine remotely to configure it, or to simply use the machine. RDP typically runs over port 3389.

While opening doors to a device for legitimate use has many benefits, it also presents an opportunity for a bad actor to exploit it for illegitimate use. In 2017, it was determined that over 10 million machines are advertising themselves to the public internet as having port 3389 open – ie, they are running RDP over 3389. Hackers can simply search for those machines on search engines such as to find devices that are vulnerable to infection. Once the target machines are identified, hackers commonly gain access by brute-forcing the password so they can log on as an administrator. Open source password-cracking tools help achieve this objective. Popular tools, including Cain and Able, John the Ripper, and Medusa, allow cybercriminals to quickly and automatically try multiple passwords to gain access.

Once they’re in as an administrator, hackers have full control of the machine and can initiate the ransomware encryption operation. To create additional damage, some hackers will disable the endpoint security software running on the machine or delete Windows file backups prior to running the ransomware. This creates even more reason for the victim to pay the ransom, as the Windows backup options may no longer exist.

Popular ransomware exploiting victims through RDP include:

  • SamSam: Responsible for significant damage in 2018 on the City of Atlanta, Colorado Department of Transportation, Hospitals, and other organizations. A recent report estimated that SamSam authors made $5.9 million of revenues
  • LowLevel04 
  • CrySis  

3. Drive-By Downloads From a Compromised Website

Another entry path that attackers use to deliver ransomware is through what is known as drive-by downloads. These are malicious downloads that happen without a user’s knowledge when they visit a compromised website. 

Attackers often initiate drive-by downloads by taking advantage of known vulnerabilities in the software of legitimate websites. They then use these vulnerabilities to either embed the malicious code on a website or to redirect the victim to another site that they control, which hosts software known as exploit kits. Exploit kits give hackers the ability to silently scan the visiting device for its specific weaknesses, and, if found, execute code in the background without the user clicking anything. The unsuspecting user will then suddenly be faced with a ransom note, alerting them of the infection and demanding payment for returned files.

While this may sound like something encountered only on small, under the radar sites, drive-by downloads are actually not limited to obscure websites. They have happened to some of the most popular sites in the world including the New York Times, the BBC, and the NFL – all of these were targeted in a ransomware campaign through hijacked advertisements.

Popular ransomware exploiting victims through drive-by downloads include:

4. USB and Removable Media

Another avenue that ransomware uses to penetrate an environment is through a USB device. In 2016, Australian police issued a warning to citizens about USB drives containing malicious software appearing in mailboxes. The USB drives masqueraded as a promotional Netflix application, then once opened deployed ransomware on to the unsuspecting user’s computer. 

The mighty Spora Ransomware even added the capability to replicate itself onto USB and Removable Media drives (in a hidden file formats), jeopardizing subsequent machines in which the USB device is plugged into. 

Ransomware has become the go-to attack of choice for cybercriminals to generate revenues. It’s simple to buy on the dark web through Ransomware-as-a-Service (RaaS) and attacks are relatively easy to launch through one of the above methods. It’s important for organizations to recognize how their systems can be targeted and proactively take steps through a layered security approach to keep themselves protected and to safeguard their business service continuity. 

Antonio Challita, Director of Product Management at CyberSight 

Image Credit: Carlos Amarillo / Shutterstock

Antonio Challita
Antonio has been immersed in cybersecurity since the mid-2000s, and serves as the Director of Product Management at CyberSight, the creators of the award-winning RansomStopper solution.