How Does Ransomware Spread on a Network?

Miklos Zoltan

By Miklos Zoltan . 12 February 2024

Founder - Privacy Affairs

Justin Oyaro

Fact-Checked this

Ransomware is malware that locks victims out of their systems, encrypts their files, and even threatens to publish their sensitive information unless they pay a ransom.

Businesses and organizations with valuable data are usually the targets of ransomware attacks. This is because they can’t afford to lose the data and can pay the ransom.

Threat actors also target individuals and anyone else who can be a victim of a ransomware attack.

In this article, you will learn how devices get infected by ransomware, how ransomware spreads across a network, and ransomware prevention practices.

Let’s get started.

How Does Ransomware Infect Devices?

Before ransomware can spread on a network, it must first infect an endpoint – usually, an unsecured and vulnerable device in a network.

Here are the common techniques threat actors use to infect devices with ransomware.

Phishing attacks.

This technique is responsible for a considerable percentage of cyberattacks that involve malware, such as ransomware.

Threat actors usually target their victims and trick them into downloading ransomware into their devices. This is through opening malicious attachments or clicking on phishing links.

Drive-by downloads.

Drive-by downloads are unauthorized software downloads that occur without a user’s knowledge.

Sometimes, a user may perform the download without knowing that the software contains malware, such as ransomware.

Drive-by downloads happen when one visits websites that host malware.

Malicious Ads.

Malicious ads are a medium for delivering ransomware. These ads contain exploits kits that scan for vulnerabilities in your system.

When a user clicks the ad, the exploit kit exploits a vulnerability and attempts to deliver or run ransomware on the user’s system.

Compromised software.

Free software, cracked premium software, and software bundles are avenues threat actors use to introduce ransomware to devices.

Additionally, websites that host cracked premium software may contain malware and can be used for drive-by downloads.

Cracked premium software also increases the risk of ransomware infection since this software isn’t eligible for updates and security patches.

Compromised storage devices.

This is a more direct way of infecting devices with ransomware. Removeable and portable storage devices such as USB drives with ransomware can infect the devices they are connected to.

How Ransomware Spreads on a Network

After infecting an endpoint, ransomware scans vulnerabilities to exploit and executes its payload in other interconnected devices and nodes.

Here are various ways that explain how ransomware spreads across a network:

Lateral movement.

This is a network propagation technique ransomware uses to infect other devices on a network after infecting an endpoint.

This is possible if the ransomware contains self-propagating mechanisms that allow it to access and infect other connected network devices.

Remote Desktop Protocol (RDP).

This is a protocol used for remote desktop connections over a network. It is known that ransomware can use this connection to infect other devices.

Some ransomware variants use this connection for lateral movement on a network. Other than Windows, ransomware can also infect other machines that use RDP.

Zero-Day Vulnerabilities.

These are vulnerabilities that are already known, but they have not been patched. Usually, other individuals discover the vulnerabilities before the developer, and thus, the developer has little time to patch them.

Unpatched vulnerabilities, especially on network devices, offer a lucrative opportunity for threat actors to spread ransomware.

Threat actors can exploit the vulnerabilities and execute ransomware on a network without detection.
Insider attacks.

Threat actors such as disgruntled or compromised employees can directly spread ransomware on a network unnoticed.

In this case, they may spread ransomware on network devices using an already infected storage device.

Additionally, since they are employees, they easily bypass most security protocols.

Compromised Credentials.

Threat actors use credentials from the dark web or phishing to access systems and other network devices. They will appear as legitimate entities on access controls.

By accessing a single system, threat actors can exploit the system’s vulnerability for privilege escalation and gain access to critical systems.

With escalated privileges, threat actors can execute ransomware and spread it across the whole network in a few moments.

Best Cybersecurity Practices for Ransomware Prevention

Here are some of the best ransomware protection and prevention practices:

Regular data backups.

Employ proper backups and disaster recovery strategies. For example, rather than snapshots, make regular external copies of the system and critical data and store them away from the network.

With a decent backup, you won’t have to worry about ransom, getting locked out of your system, or being unable to access your data. Of course, ensure the backups are encrypted.

Use technology best practices.

These practices include strategies for detection and prevention. They include a multi-approach solution to security against malware such as ransomware.

These best practices ensure that you have an automated patching process for regular system and software updates, a comprehensive detection system, email security, secure access control policies for passwords, authentication, and a zero-trust model.

Robust endpoint security.

Before spreading to other devices on a network, ransomware first infects a vulnerable endpoint. To ensure this doesn’t happen, secure all endpoints, including mobile devices.

Endpoint security strategies include using premium antivirus/antimalware software, firewalls, endpoint detection and response, and access privileges.

Network segmentation.

Segmenting your network limits the infection, spread, and impact of ransomware in a network. Also, it is easier to deal with ransomware on a segmented network.

Network segmentation makes it easier to inventory your systems, keep an eye on critical systems, evaluate risks, and apply effective controls to various segments.

You can also bolster security in network segments by monitoring traffic for suspicious activities and implementing network policies.

Educate employees on cybersecurity awareness.

Organizations and institutions should train and educate employees and staff on security best practices regarding malware and ransomware.

These include phishing simulations, recognizing malicious emails, password policies, and technology protection practices.

Essentially, the outcome of the awareness training is to reduce human errors and to inform employees on how to prevent and deal with ransomware scenarios.

Wrap Up

To successfully fight against ransomware, it’s crucial to understand both how it propagates and the strategies for recovering from an infection without succumbing to ransom demands.

Leave a Comment