The Top 7 Ways Ransomware Enters Networks

The 3 most common ransomware delivery vectors for ransomware

As David Bisson recently outlined on the Zix blog, there are a number of ways that attackers can enter networks. However, not all delivery vectors are created equal, and some are used more frequently than others. Here are the top three most-commonly used delivery methods:

Email

Email is one of the most common ways that attackers try to enter networks. This is no coincidence; phishing scams are easier to carry out, relative to the tactics we’ll cover later. As Pickett explains, “Trying to social engineer, as opposed to beat machinery, is just easier.” He should know; in his own career, he has blocked over 3 billion ransomware-laden emails.

As Bisson noted in his post, ransomware delivered over email can take one of two forms. The first is phishers tricking recipients into clicking on a malicious link that redirects them to a fake login page. The second involves suspicious email attachments that are used to infect recipients with malware.

According to Coveware, email was the top delivery vector for ransomware attackers at the end of 2020. This year, however, things have shifted slightly, and in Q1, email was surpassed by remote desktop protocol (RDP) as the most common attack method. Presently, about one-third of all ransomware attacks are delivered via email phishing.

As Bisson outlined in another blog post titled, “Understanding the Connection between Ransomware and Email,” email remains a top delivery vector because it relies on human weakness—that is, the victim clicking a link or downloading an attachment—to work. This makes it a less technically complex operation to carry out. Attackers often masquerade as a trusted contact; along the way, they change email addresses or domains only slightly from a source the victim might be used to interacting with regularly. Doing so helps to give their attacks a sense of legitimacy.

Remote desktop protocol (RDP)

While Coveware’s report shows that this ransomware delivery method was surpassed by email phishing as the most popular vector in Q4 of 2020, it shot up again to take the top spot in Q1 of 2021, making up nearly 50% of all ransomware attacks that quarter.

Security Scorecard has a great explanation of how this threat works on their blog:

RDP is a protocol designed by Microsoft that allows users to connect to and carry out commands on a system remotely. The issue is that RDP security is heavily dependent on having strong password hygiene which is often ignored by users. This means that cybercriminals are often able to easily crack RDP credentials and gain access to a system. These credentials are also available for purchase on the Dark Web for those who don’t want to do the work.

As Gerry Grealish explains in an article over at Dataversity, the popularity of this delivery vector is mostly due to the fact that ransomware attackers have shifted from targeting individuals to corporations over the last few years (and more companies than ever before are using RDP to make it possible for employees to work remotely).

As for why this attack method is still a threat despite being so well-known, Grealish points to a few important facts:

1. RDP vulnerabilities are very common, and corporations are typically slow to patch these vulnerabilities.
2. Many companies’ RDP ports are open and easily discoverable online. Because of this, attackers can use vulnerability scans and credential stuffing attacks to carry out their work.
3. Even when companies do keep their patches up to date, attackers can still take advantage of weak credentials to find their way in.

Viewed together, these three factors make a good case for why this delivery vector remains so popular. Even when corporations take the right security measures, attackers can still find a way in.

Software vulnerabilities

Coveware’s summary of attack vectors shows that email and remote desktop protocol have taken their turns at the top spot. All the while, software vulnerabilities have consistently remained the third most-common ransomware delivery vector since 2018.

As Security Scorecard explains on their blog, this delivery vector works by taking advantage of unpatched software. They go on to explain that this delivery vector is so popular because exploiting vulnerabilities is easier than other attack methods. Using this method, attackers can “gain access to unpatched systems without having to harvest credentials.”

A recent ransomware that made headlines using this delivery vector was the Kaseya supply chain attack. As Bisson explains in his blog post, this attack was carried out when the REvil ransomware group “misused a zero-day vulnerability to compromise what many SMB and managed service provider (MSP) customers considered to be a trusted and authorized software product,” resulting in them “infecting an untold number of businesses worldwide.”

The 3 most common ransomware delivery vectors for ransomware

While email, RDP, and software vulnerabilities are the most common vectors we should be mindful of, there are other methods that are still used relatively frequently.

Exploit kits

As Bisson explains, exploit kits are “malicious software packages that commonly lie in wait on the other end of a malvertising or drive-by download attack.”

He goes on to describe how both scenarios lead to the victim’s system being infected: after “leading users to a compromised website where the exploit kit scans for vulnerabilities in the visitor’s browser, operating system, or other software,” the attacker executes its malicious code if it comes across a supported flaw.

As Recorded Future reported in December 2020, this delivery vector has waned in popularity in recent years. According to their report, “Some criminals have changed their targeting methods, partly due to the securing of browsers and software that EKs have historically used within their arsenal, while other threat actors have ceased operations altogether.”

Though in decline, this delivery vector shouldn’t be discounted. It’s still being used to attack victims, and as Recorded Future notes, it’s also still being discussed on dark web forums, which is as unsettling as it is a good reason not to forget about it altogether.

Pirated software

In this ransomware delivery method, victims are targeted when they download a pirated version of software that, as Bisson explains, “often comes bundled with something like adware for the purpose of dropping a digital threat like ransomware.” This scenario is more likely to affect individuals than corporations, as most corporations have strict security measures around downloading software from untrusted sources.

Network propagation

This delivery method relies on ransomware having already entered a system, likely through one of the aforementioned vectors. Once in the system, network propagation works by enumerating shares so that they can spread to other machines in the network, as Bisson explains in his blog post.

Removable media

In this delivery method, ransomware attackers infect hardware (like a USB drive) with the expectation that victims will plug the USB into their computer. This is perhaps the least efficient method of ransomware delivery, as it relies on the victim taking a distinct action in order to set things into motion.