In This Article

How Does Ransomware Spread?

Anna Szentgyorgyi-Siklosi
| Read Time 6 min read| Published On - March 20, 2023

Ransomware Spread

Ransomware is becoming more sophisticated and effective, making it difficult to detect and prevent. The availability of cryptocurrencies, which are often used to pay ransoms, and the anonymity they provide to attackers, have also made it more attractive for malicious actors to engage in ransomware attacks. In 2022, ransomware accounted for around 20% of all cybercrimes, according to an article by AAG.

Cybercriminals typically use social engineering tactics to trick users into downloading and opening a malicious file or link, often disguised as something harmless or desirable. Once the malicious file is downloaded and opened, ransomware can spread quickly across a network, encrypting data and making it inaccessible to the user. Additionally, ransomware can be spread through exploit kits, which are automated tools that scan for vulnerable systems and inject malicious code into them.

How Ransomware Spreads

Below are some of the main ways that ransomware can spread;

Social Engineering / Phishing

Phishing is the most common entry point for ransomware. Attackers will try to lure unsuspecting victims into downloading malicious files, clicking on malicious links, or even handing over credentials. Attackers may also use social media to spread ransomware by sending messages to friends, family, and acquaintances with malicious links embedded inside.


Attackers can use malicious ads that are embedded with code that can install a ransomware program onto an unsuspecting user’s computer. Malvertising can be found on various websites, social media platforms, and other online services. Malvertising attacks increased by over 70% during the peak of the COVID-19 pandemic, according to ProPrivacy.

Fileless Attacks

Attackers can use malicious scripts to download ransomware onto vulnerable machines and execute it without using a file. They can use legitimate operating system tools and utilities to download and run ransomware, which can go undetected by traditional antivirus software. Fileless attacks are quickly becoming a popular method of delivering ransomware and other malware, as they are harder to detect and easier to deploy. According to Watchguard, fileless malware attack rates grew by nearly 900% between 2019 and 2020.

Remote Desktop Protocol

Ransomware can spread through Remote Desktop Protocol (RDP) by exploiting known vulnerabilities in the protocol that allows attackers to gain unauthorized access to a system. Once inside, attackers can deploy malicious code to execute ransomware, which encrypts data on the system and can spread to other systems on the same network. According to the 2020 Incidence Response and Data Breach Report by Palo Alto, 50% of ransomware attacks were perpetrated using RDP.

Drive-By Downloads

Ransomware is commonly spread through drive-by downloads. This occurs when users visit websites that contain malicious code which automatically downloads and executes the ransomware program.

Pirated Software

A common method of spreading ransomware is through malicious downloads that are disguised as legitimate software. According to a recent post on, one student’s attempt to illegally download data visualization software led to a large-scale Ryuk ransomware attack at a European biomolecular research institute. Simply downloading pirated software is enough to put a user at risk of ransomware infection. Malicious actors may send out emails containing links that claim to offer a free version of a paid software, but will instead download malicious code that will install ransomware onto the user’s system.

Malware Obfuscation

Ransomware can also be spread through malware obfuscation, which is the process of hiding malicious code in legitimate code. Attackers use sophisticated techniques such as code encryption, data encryption, and code obfuscation to make it hard for security solutions to identify the ransomware source code.


Ransomware-as-a-Service (RaaS) is a business model where the creator of the ransomware provides the code to a customer, who is then responsible for distributing the ransomware to potential victims. The customer is typically paid a commission for any successful ransom payments they are able to collect. RaaS often includes tools to help malicious actors customize their attacks, as well as technical support, customer service, and payment processing services.

Zero-Day/Unpatched Vulnerabilities

It is common for ransomware to spread by exploiting zero-day/unpatched vulnerabilities in a system’s software or operating system. Earlier this year, Community Health Systems (CHS), one of the largest healthcare providers in the United States, was hit by a ransomware attack that exploited a zero-day vulnerability to steal data on 1 million patients, according to an article on TechCrunch.

Public Wi-Fi Hotspots

Many employees work remotely from cafes using public Wi-Fi hotspots. However, doing so can be dangerous as hackers have been known to hijack public Wi-Fi hotspots by exploiting security vulnerabilities in the network. Once they have gained access, they can distribute phishing emails containing ransomware to those connected to the network.

Network propagation

Ransomware can spread through network propagation, which occurs when a malicious piece of code, sometimes called a “worm”, is sent to a vulnerable device and then replicates and spreads to other devices on the network. The malicious code can be propagated through vulnerable software, protocols, or applications, or through emails, malicious links, and messages. Once the malicious code is on the network, it can search for other vulnerable devices and replicate itself to them, making it more difficult to detect and remove. As the malicious code propagates, the ransomware will execute, encrypting the data on the targeted devices, and then demanding payment in order to restore access.

How to Prevent Ransomware Spread with Lepide

The Lepide Data Security Platform is a powerful solution for preventing ransomware from spreading across your network. By automating your response to potential threats, including the symptoms of a ransomware attack, Lepide allows you to quickly shut down any suspicious activity before it can cause serious damage. This is achieved through real-time script executions, which are triggered when certain threshold conditions are met.

For example, if a user suddenly renames 300 files in 30 seconds, Lepide can automatically shut down their account and contain the threat. This kind of thing can be achieved using the threat models, which combine threshold alerting with script execution. This helps to prevent the spread of ransomware and other malicious software and ensures that your network remains secure at all times.

Recent iterations of Lepide have built upon this functionality to include Threat Detection Workflows, which detect certain sequences of events that might be indicative of ransomware, such as mass file renames, coupled with failed file reads.

If you’d like to see how the Lepide Data Security Platform can help to prevent the spread of ransomware, schedule a demo with one of our engineers or start your free trial today.

Anna Szentgyorgyi-Siklosi
Anna Szentgyorgyi-Siklosi

Anna is an experienced Customer Success Manager with a demonstrated history of working in the SaaS industry. She is currently working to ensure that Lepide customers achieve the highest level of customer service.

Popular Blog Posts