How Ransomware Works? | EasyDMARC


The concept of ransomware is simple: it’s a fast-evolving form of malware that targets everyone, from home users to corporate organizations.

Cyber attackers use such software to lock you out of your data and demand a ransom before restoring access. Since the WannaCry outbreak of 2017, ransomware attacks have been on the rise, and it’s evident that the battle between organizations and cyber attackers is just getting started. 

According to an FBI report, over 4,000 ransomware attacks occur daily.

With sophisticated security measures in place, it makes people wonder – why is ransomware still successful? 

Read on to discover how ransomware works, recent examples, and how ransomware spreads.

Why is Ransomware So Successful?

Ransomware continues to be a success because attackers are perfecting their techniques. Meanwhile, organizations fail to implement the best security practices like offline backup and network segmentation. 

Businesses that fall victim to ransomware have usually failed to install the latest software security patches, making it easy for attackers to compromise their network. Large organizations focus more on sophisticated attacks like APTs (Advanced Persistent Threats), forgetting that basic ones like ransomware can result in dire outcomes.

Technical aspects aside, ransomware has a psychological impact on teams and individuals. Frightened people are easier to manipulate. Hence, the success of the attack type.

Who Does Ransomware Target?

Anyone with confidential data can be a target of ransomware attacks. Small businesses, mega-corporations, and international organizations can all become victims. That said, these attacks have focused more on some industries than others in recent years. 

One of the reasons is the COVID-19 pandemic, which forced many organizations to shift to remote work. Industries that are more vulnerable to ransomware attacks include healthcare, financial, and academic institutions, tech companies, and government agencies.

In 2019 and 2020, several Canadian health institutions were victims of ransomware, including a medical company and three hospitals in Ontario. In early 2021, there was a ransomware attack on the Colonial Pipeline, the biggest pipeline in the US. The entire network shut down, and the company ended up paying the attacker a sum of $4.4 million via Bitcoin. 

According to the 2021 Data Breach Investigations Report from Verizon, ransomware accounts for 10% of its breaches – more than double the frequency from the previous year. 

CSE also warns that 2022 will see ransomware attackers become increasingly aggressive in their targeting. Organizations need to enhance cyber security and adopt best practices to mitigate the risks. 

How Ransomware Spreads

To prevent ransomware attacks, you need to know how ransomware spreads in the first place. It can spread through phishing emails, malicious links, drive-by downloads, and malicious websites. Here, we’ll cover each of these routes.

Email Attachments

One of the most common ways to spread ransomware is via email. Attackers trick users into clicking and downloading malicious attachments.


Cyber attackers send email attachments to their victims in different formats like JPEG, PNG, PDF, Word document, or ZIP file, hoping to fool them into clicking. 

Once you click or download the ransomware, cybercriminals hijack your system and lock your data. People are more likely to open emails that look legitimate. That’s why scammers carry out in-depth research to learn about their victims and create a convincing story.


While attackers usually take their time to craft such attacks, the good news is that there are ways to protect yourself against ransomware via email phishing:

  • Only open emails or click attachments from legitimate sources
  • Double-check the sender’s address and domain URL before taking any actions
  • Familiarize yourself with email phishing and prevention tactics. 

Malicious Links

Malicious links direct users to fake websites for scam purposes. Attackers insert malicious links in messages, sending them to victims either via email or social media platforms.


Cyber attackers formulate messages to encourage their victims to click on the links – they evoke a sense of urgency. Clicking on the malicious links triggers your system to download ransomware, encrypt your data, and demand ransom. 


Most people are quick to click a link when they think it comes from a reliable source. However, cyber actors can make links seem legitimate to fool you. Below are some tips to avoid ransomware infection through such links:

  • Don’t blindly follow links attached to direct messages or emails. Always confirm the link is legit before performing any actions
  • Hover over any links you received to double-check the URL
  • Don’t click shortened URLs, as some attackers hide malicious links in them. Use CheckShortURL to expand and check them

Remote Desktop Protocol (RDP)

Remote Desktop Protocol (RDP) is a communication standard that lets you connect to and access a computer remotely over a network connection. Attackers can leverage this standard to spread ransomware. Some notable ransomware strains spread via RDP include GandCrab, Dharma, and SamSam.


Since Remote Desktop Protocol receives network connections on port 3389, cybercriminals can scan the internet for open and weak RDP ports. Cortex Xpanse research reported that ransomware attackers could scan the whole internet in under 45 minutes.

If the RDP port is exposed, an attacker can access your network in multiple ways, such as brute force, stolen login credentials, and man-in-the-middle attacks. One of the prevalent vulnerabilities in RDP is BlueKeep, common in older versions of this protocol.


One of the best ways to prevent RDP exposure is to disable all ports where you don’t need them. You can also take preventive measures to secure systems where RDP is required. Here are some security measures you can implement:

  • Use Multi-Factor Authentication
  • Limit login attempts to avoid brute force attacks
  • Place your RDP behind a strong VPN network
  • Create an access control list that only allows authorized IP addresses to connect to the RDP port. 
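
One way to verify the last measure is to audit the firewall rule set for any rule that lets a source outside the allow-list reach port 3389. This is an added example, not code from the article: the rule format, rule names, addresses, and allow-list are constructed for illustration, and it assumes ordered rules where the first match wins.

```python
import ipaddress

RDP_PORT = 3389  # the port the article names; only TCP is checked here

# Constructed sample rules in a hypothetical format; first matching rule wins.
RULES = [
    {"name": "vpn-rdp", "action": "allow", "proto": "tcp", "src": "10.8.0.0/24", "ports": "3389"},
    {"name": "block-guest", "action": "deny", "proto": "any", "src": "172.16.50.0/24", "ports": "any"},
    {"name": "guest-rdp", "action": "allow", "proto": "tcp", "src": "172.16.50.10/32", "ports": "3389"},
    {"name": "legacy-admin", "action": "allow", "proto": "tcp", "src": "0.0.0.0/0", "ports": "3380-3390"},
    {"name": "web", "action": "allow", "proto": "tcp", "src": "0.0.0.0/0", "ports": "443"},
    {"name": "contractor", "action": "allow", "proto": "tcp", "src": "203.0.113.0/24", "ports": "22,3389"},
]
AUTHORIZED = ["10.8.0.0/24", "192.0.2.10/32"]  # constructed allow-list


def covers_port(spec, port=RDP_PORT):
    """True if a port spec such as 'any', '443', '3380-3390' or '22,3389' includes port."""
    if spec.strip().lower() == "any":
        return True
    for part in spec.split(","):
        low, _, high = part.strip().partition("-")
        if int(low) <= port <= int(high or low):
            return True
    return False


def within(net, networks):
    """True if net lies entirely inside one of the given networks."""
    return any(net.version == n.version and net.subnet_of(n) for n in networks)


def audit_rdp_rules(rules, authorized):
    """Return names of allow rules that let unauthorized sources reach tcp/3389.

    An allow rule whose source is fully covered by an earlier deny rule
    can never match, so it is not reported.
    """
    allowed = [ipaddress.ip_network(n) for n in authorized]
    denied, findings = [], []
    for rule in rules:
        if rule["proto"] not in ("tcp", "any") or not covers_port(rule["ports"]):
            continue
        src = ipaddress.ip_network(rule["src"])
        if rule["action"] == "deny":
            denied.append(src)
        elif not within(src, denied) and not within(src, allowed):
            findings.append(rule["name"])
    return findings
```

Port ranges and comma lists are the cases worth checking by hand as well, since a rule like `3380-3390` exposes RDP without ever mentioning 3389.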

Managed Service Providers (MSPs) and Remote Monitoring and Management (RMM) Software

MSPs have a significant responsibility toward their clients to keep their data safe. An RMM is a software program that allows MSPs to monitor and maintain their customers’ IT infrastructure, including servers, workstations, networks, hardware, and other endpoints. If the software becomes compromised with ransomware, it can lock all client data and digital assets.


An attacker can exploit vulnerabilities in Remote Monitoring and Management Software to launch phishing attacks on MSPs. When attackers successfully hack an MSP, they can hold the entire customer base ransom.

In 2021, cyber actors launched a massive attack on users of Kaseya VSA, a popular remote monitoring and management tool adopted by more than 40,000 organizations.


While ransomware hackers can exploit RMM software, MSPs should implement security measures like:

  • Enabling Two-Factor Authentication on all RMM software
  • Increasing cyber awareness among MSP employees


Malvertizing

“Malvertizing” is a blend of the words “malicious” and “advertising.” It’s a seemingly legitimate ad injected with malicious code that can be a gateway for malware downloads, identity theft, or ransomware attacks.


This method is simple to implement. The attacker purchases an ad (banner, link, or other) and places the ransomware in the call to action. The ads look and seem authentic, coming in the form of a notification, picture, or a free software offer. 

When a user clicks on the ad, the code redirects the victim to a malicious website, scans their computer for vulnerabilities, or initiates the ransomware download.

Some widespread ransomware attacks executed via malvertizing include Sodinokibi and CryptoWall. 


Malvertizing looks like a legit ad, so users find it challenging to identify. Below are some preventive measures you can adopt:

  • Ensure your browser, antivirus, and operating systems are up to date
  • Disable unused plugins
  • Enable ad blockers
  • Install click-to-play plugins on your browser to prevent Java or Adobe Flash from running automatically

Drive-by Downloads

Drive-by downloads are programs that auto-install without your knowledge. 


Ransomware attackers execute these attacks by infiltrating legitimate websites or even hosting the malicious code on their websites. 

The drive-by downloads can install ransomware in the background by exploiting known vulnerabilities in the web browser, operating system, or application.

Unlike other cyber attacks, users don’t need to perform any action – no need to press download, click a link, or open a malicious email attachment. 


Drive-by downloads activate without your consent or knowledge, making them highly risky. Here is how you can stop such threats:

  • Install the latest software security patches
  • Install an ad blocker
  • Disable plugins you’re not using

Network Propagation

Some advanced malware has self-propagating mechanisms that allow it to spread to other devices on the network.


Attackers can send malicious links or attachments to spread malware and compromise your system. Unlike older variants of malware that only encrypt the local machine they infected, these advanced variants can lock your entire network. 

Some notable ransomware attacks that exhibit self-propagating mechanisms include SamSam, Petya, and WannaCry. 


If this malware type infects your network, an attacker can encrypt your data and demand a fortune for decryption. To avoid that, follow these steps:

  • Segment your network 
  • Implement the principle of least privilege
  • Enforce a good data backup strategy

Pirated Software

Pirated software is distributed illegally, without the copyright holder’s authorization. Pirated programs are cheaper, so some users prefer them to the original. Attackers can leverage this to spread ransomware.


Cybercriminals develop fake pirated software sites and use them to spread ransomware. When you download something, the malware automatically installs itself on your device. Devices using pirated software are likely to get infected by ransomware.

Pirated software doesn’t receive updates or patches from the developers, resulting in vulnerabilities that scammers can exploit. 


  • Don’t use pirated or cracked software
  • Avoid visiting websites that host cracks, keygens, pirated software, and activators
  • Don’t jump into software offers that are too good to be true

Portable Gadgets

Portable gadgets are devices that are easy to move around. These could include portable laptops, mobile devices, USB drives, and hard drives. They’re lightweight, so attackers can easily smuggle them into an organization to spread ransomware.


Portable gadgets are standard tools used by scammers to spread ransomware. Attackers can plug an infected flash drive into a computer on a corporate network; the ransomware encrypts that system and eventually spreads to other devices on the network.

While attackers can disguise themselves as legitimate employees, an insider can also carry out the attack. 


  • Don’t allow unknown devices on your network
  • Don’t plug your portable gadgets into computers at cyber cafes and printing kiosks
  • Update your antivirus security software 
  • Implement strict BYOD (Bring Your Own Devices) policies

Final Thoughts

We’ve discussed the various ways through which an attacker can spread ransomware. While ransomware spread through email attachments or malicious links requires a user to take action, network propagation, drive-by downloads, and malvertising don’t need user input.

No matter how ransomware spreads, implementing the preventive measures we’ve discussed can help to mitigate the risk of these attacks. 

Organizations should invest in trusted and reliable antivirus security software, educate their employees on phishing scams and implement a good backup strategy. This will go a long way to keeping data safe.

Content Team Lead | EasyDMARC
Hasmik talks about DMARC, email security, and cyberawareness. She finds joy in turning tough technical concepts into approachable and fun articles in plain language.

