How Does Ransomware Spread?
10 Most Common Infection Methods

Kurt Baker - October 6, 2023

Ransomware Infection Methods

As ransomware operators continue to evolve their tactics, it’s important to understand the most common attack vectors used so that you can effectively defend your organization.

Ransomware spreads in several different ways, but the 10 most common infection methods include:

  1. Social Engineering (Phishing)
  2. Malvertising
  3. Fileless Attacks
  4. Remote Desk Protocol
  5. MSPs and RMMs
  6. Drive-By Downloads
  7. Pirated Software
  8. Network propagation
  9. Malware Obfuscation
  10. Ransomware-as-a-Service

1. Phishing Emails Using Social Engineering

Technology and human nature are two sides of the same coin when it comes to ransomware attacks. In one case observed by CrowdStrike, a CEO’s email was spoofed and the attacker used social engineering to perform phishing attacks and trick employees into clicking a link in a fake email from the executive.

To succeed, this attack required methodical research into the company’s management, its employees and the industry. As BGH attacks increase, social engineering is becoming a more intensive presence in phishing attacks. Social media also plays a huge role, not only enabling attackers to discover information on potential victims but also as a conduit for deploying malware.

2. Malvertising and Exploit Kits

Malvertising and exploit kits can be used together to propagate ransomware that allows attackers to create “Trojan pop-ups” or advertisements containing hidden malicious code. If users click on one of them, they are surreptitiously redirected to the exploit kit’s landing page. There, a component of the exploit kit will discreetly scan the machine for vulnerabilities that the attacker can then exploit.

If the exploit kit is successful, it sends a ransomware payload to infect the host. Exploit kits are popular with eCrime organizations due to their automated nature. In addition, exploits are an efficient fileless technique, as they can be injected directly into memory without writing anything to disk, making them undetectable by traditional antivirus software.

Exploits kits are also proliferating among less sophisticated ransomware attackers, because they do not require a great deal of technical know-how to deploy. With a modest investment on the darknet, virtually anyone can get into the online ransom business.

3. Fileless Attacks

Fileless ransomware techniques are increasing. These are attacks in which the initial tactic does not result in an executable file written to the disk. Fileless ransomware uses pre-installed operating system tools, such as PowerShell or WMI, to allow the attacker to perform tasks without requiring a malicious file to be run on the compromised system. This technique is popular because fileless attacks are able to bypass most legacy AV solutions.

2024 CrowdStrike Global Threat Report

The 2024 Global Threat Report unveils an alarming rise in covert activity and a cyber threat landscape dominated by stealth. Data theft, cloud breaches, and malware-free attacks are on the rise. Read about how adversaries continue to adapt despite advancements in detection technology.

Download Now

4. Remote Desk Protocol

Remote Desk Protocol (RDP) allows users to connect to a computer from anywhere in the world using a secure and reliable channel. While the tool is generally safe and provides many benefits such as increased productivity and flexibility for the workforce, it also provides security vulnerabilities that can be exploited by an attacker.

Cybercriminals use port scanners to search the internet for vulnerable ports. Then, they use brute force attacks or other credential theft techniques to gain access. Once they are in, they can do as they please, including leaving a “back door” for future access.

5. MSPs and RMMs

Managed Service Providers (MSPs) provide organizations with services to assist them with information technology tasks. Nevertheless, cybercriminals may take advantage of MSP vulnerabilities in their remote monitoring and management (RMM) software and breach data. This is a major issue because not only the organization’s private data is at risk, but also all of their customers’ data.

6. Drive-By Downloads

A drive-by attack, sometimes called a drive-by download, is a malware attack that leverages vulnerabilities in various web browsers, plugins, or apps, to launch the attack. It does not require any human action to initiate, meaning an employee solely needs to unknowingly browse an infected website. Once the attack is underway, the hacker can hijack the device, spy on the user’s activity or steal data and personal information.

7. Pirated Software

There is a plethora of pirated software out there, some of which is hard to tell apart from legitimate softwares. Ransomware is very well-known to spread through pirated software, and it is much easier to be victim of a drive-by download or malvertising if browsing a website that hosts pirated software.

One key vulnerability of using pirated software is that regular updates are not automatically performed or cannot be performed at all, leaving unpatched security areas that increase risk of zero-day exploits.

Learn More

Read our post on zero-day exploit to learn what it is, go over examples, and learn how to best protect against them. Read: Zero-Day Exploit

8. Network Propagation Through Lateral Movement

The first few ransomware variants did not have network propagation capabilities like newer variants do. They were limited to attacking only infected devices. Nowadays, ransomware variants are growing more complex and have self-propagating mechanisms that allow for lateral movement to other devices connected to the network.

9. Malware Obfuscation in the Build Process

In 2020, CrowdStrike Intelligence observed Wizard Spider and Mummy Spider implement open-source software protection tools into their malware build processes. The use of obfuscation techniques in malware is not new, but the inclusion of open source tools into build processes is novel, supporting advanced adversaries seeking agile development processes. Due to open source complexity, this tactic may have limited adoption by less sophisticated threat groups.

10. Ransomware as a Service (RaaS) And Access Brokers

Because cybercriminals are always looking for ways to optimize their operations and generate more profits, they have been inspired by the SaaS (software as a service) model to create a RaaS (ransomware as a service) model. RaaS providers offer all of the ransomware attack components needed to run ransomware campaigns, from malicious code to results dashboards. Some even include a customer service department, putting ransomware within the reach of non-technically savvy criminals. In addition, the subscription cost is usually covered as a portion of the proceeds from the campaign, making this a cost efficient model for cybercriminals to adopt. An example of this type is the notorious RaaS Carbon Spider. Carbon Spider deepened its commitment to BGH in August 2020 by utilizing its own ransomware, DarkSide, and in November 2020, extended its footprint in BGH by establishing a RaaS affiliate program for DarkSide. This program allows other threat actors to use DarkSide ransomware while paying Carbon Spider a cut.

Access brokers are threat actors that gain backend access to various organizations (both corporations and government entities) and sell this access either on criminal forums or through private channels. Buyers save time with pre-identified targets and established access, allowing for more targets and faster deployments that result in a higher potential for monetization. Access broker utilization has become increasingly common among BGH actors and aspiring ransomware operators. CrowdStrike Intelligence has observed some access brokers associated with affiliates of RaaS groups.

Ransomware Protection

Backups are a good defense but must also be protected as they often are the first thing attackers prohibit or try to destroy in an environment. Making sure backups are secure and separately accessible even in a compromised environment, is a standard precautionary measure. In September 2020, the U.S. Department of Homeland Security’s Cyber and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing and Analysis Center (MSISAC) published a joint Ransomware Protection Guide outlining additional cybersecurity measures organizations should take to understand and handle the ransomware threat. The guide advises on how to protect against ransomware, prepare for a potential incident, recover from an attack and where to find help. It includes practical recommendations such as keeping systems patched and up to date, training end users, and creating and executing an incident response plan.

Ransomware Solutions

Ransomware attacks can be detrimental to business operations and data privacy. Depending on your organization’s size, CrowdStrike’s Falcon Go, Falcon Pro, or Falcon Enterprise product bundles help defend your organization’s attack surfaces, including endpoints and cloud workloads, identity, and data.


Kurt Baker is the senior director of product marketing for Falcon Intelligence at CrowdStrike. He has over 25 years of experience in senior leadership positions, specializing in emerging software companies. He has expertise in cyber threat intelligence, security analytics, security management and advanced threat protection. Prior to joining CrowdStrike, Baker worked in technical roles at Tripwire and had co-founded startups in markets ranging from enterprise security solutions to mobile devices. He holds a bachelor of arts degree from the University of Washington and is now based in Boston, Massachusetts.