Security awareness

Top 5 ways ransomware is delivered and deployed

Dan Virgillito
September 22, 2020 by
Dan Virgillito

If your computer has not yet been affected by ransomware, odds are it could soon be. With ransom payments averaging more than $80,000 in Q4 2019, the coveted malicious software is fast becoming cybercriminals’ weapon of choice. Ransomware utilizes internal systems to encrypt a chain of files and deactivate recovery processes, preventing access to that data. Meanwhile, the hacker sends a ransom demand to the victim to unencrypt and restore access to the files. 

But just how does ransomware slip unnoticed past security controls? That’s the question we aim to answer.

Two year's worth of NIST-aligned training

Two year's worth of NIST-aligned training

Deliver a comprehensive security awareness program using this series' 1- or 2-year program plans.

In this piece, we’ll look at five main strategies cybercriminals use to deliver and deploy ransomware. We’ll also highlight the steps needed to reduce the risk of infiltration. Although the ransomware attack technique seems straightforward, an adversary can engineer it in various and ever-changing ways to bypass security implementations.

So how is ransomware distributed? Below are the top five ransomware attack vectors. 

1. Email phishing

The vast majority of ransomware is delivered via phishing email campaigns. This is when adversaries use legitimate-looking emails to trick an individual into clicking a malicious URL or opening an attachment that contains malware. The URL redirects the target to a malicious site that triggers the download of ransomware. In the case of attachments, hackers use common file formats like Word, PDF, Excel and ZIP file to make things less suspicious. Once the attachment is opened, the ransomware immediately delivers its payload, encrypting and holding files for the hacker.

When it comes to minimizing your risk exposure to phishing, knowledge is key. For example, you should know how to distinguish illicit URLs from genuine links. Manually entering the links in your browser, hovering over URLs and expanding shortened URLs can help prevent you from clicking malicious links. For attachments, check if the sender’s email address is legitimate by reviewing the domain extension. And only open files sent by people who you trust. 

Pro tip: If you’re an executive looking to boost phishing awareness among your employees, consider a security awareness training program, which includes various simulations and exercises to boost comprehension.

2. Remote Desktop Protocol (RDP)

A cybercriminal can also deploy ransomware via RDP, a communications protocol that enables IT admins to gain access to systems. RDP typically initiates requests via port 3389, which if exposed, can become the gateway for ransomware attacks. Bad actors can take advantage of these by using port scanners to explore the web for systems with exposed ports. Once the systems are identified, they’ll use brute-force attacks to crack the login credentials so that they can log in as an administrator. 

RDP attacks are on the rise, with ransomware incident response firm Coveware stating that RDP accounted for half of all successful deployments in Q3 2019.

Fortunately, you can take several steps to secure RDP endpoints, including changing the default port 3380, enabling two-factor authentication for remote sessions and requiring network-level authentication from new users. Limiting access to enterprise VPN users may also help. Among other steps, you can consider disabling any open connections or ports when they’re not needed. 

3. Drive-by downloads

Malicious actors can also deliver malware by exploiting vulnerabilities in the backend of legitimate websites. The attack vector allows them to embed malicious software on the sites or to redirect site visitors to web pages that they control. Exploit kits like Spelevo and RIG give adversaries the ability to analyze your device for potential weaknesses silently and, if discovered, execute ransomware in the background without you clicking anything. So, if you visit an infected webpage, you may suddenly get a ransom note informing you about the malware and demanding payment — but you’d be clueless, as the infection (or drive-by download) is invisible to you.

The best way to prevent drive-by downloads is to delete unnecessary browser plugins, use ad-blockers like AdBlock Plus and install the latest software patches. On an enterprise level, you can combine SIEM solutions with endpoint protection to detect and block infiltrations as they occur. Application whitelisting — allowing only certain applications to run on the device — can also be effective against drive-by infections.

4. Pirated software

Using pirated software on your Windows, Mac or Linux PC can also increase the risk of ransomware attacks. That’s because the software is unlicensed and doesn’t receive official patches from the creator. Attackers exploit weaknesses in such software and then upload the repackaged version to torrent websites. When you download the program, you think you are getting the latest application, game or key generator or free. But when you install it, you get a popup notification asking you for a ransom payment. Besides torrent websites, hackers may also deliver ransomware via YouTube and fake crack sites.

To prevent ransomware infections via pirated software, avoid downloading activators, key generators and software cracks from torrent websites. It’s also a good idea to use a robust anti-malware application to detect any installations happening in the background. In addition, steer clear of heavily discounted software deals, as they’re most likely to carry ransomware.

5. Removable media

Another way ransomware can sneak into your device is through removable media like USB flash drives and memory sticks. Hackers inject malicious software into removable devices and then wait for unsuspecting users to connect them to their systems. This is especially risky if a user’s system is connected to an enterprise network, as it could allow the ransomware to infect a whole organization. Also, once a machine is compromised via a removable media port, its locally installed cloud drives can be infected as well. The ransomware CryptoLocker is a good example of this attack tactic.

The good news is that advanced antivirus software can detect and eliminate ransomware from removable devices. Besides, you can protect your systems by avoiding plugging in your USBs and hard drives into shared public systems. And if you’re a security professional tasked with the responsibility to secure a corporate network, make sure to devise and implement strict BYOD security protocols.


The easiest way to fall victim to ransomware is by failing to be proactive in your defense strategy. Malicious actors often target the low-hanging fruit, relying on human error and sophisticated programs to propagate their infection. Therefore, never underestimate the value of educating yourself on the latest malware trends and how to shore up weakened system defenses. 

Hopefully, the threat vectors and prevention tips mentioned above will help you keep your personal and corporate computers safe. 

Get six free posters

Get six free posters

Reinforce cybersecurity best practices with six eye-catching posters found in our free poster kit from our award-winning series, Work Bytes.


Dan Virgillito
Dan Virgillito

Dan Virgillito is a blogger and content strategist with experience in cyber security, social media and tech news.