Ransomware attacks can compromise organizational reputation and inflict substantial financial damage. Understanding the propagation vectors of ransomware across enterprise networks is essential for implementing effective prevention strategies.
But what is ransomware? Ransomware is a type of malware that encrypts the data and demands a ransom in exchange for the decryption key. Some ransomware gangs use the double extortion tactic, demanding payment to not leak the victim’s data onto their Tor website. Using cybersecurity solutions is the best way to prevent ransomware. Besides that, you must keep updated backups, including at least one offline, so you can have your data back fast in case of an incident.
Here is a list of 12 ways ransomware spreads on a network:
1. Phishing emails
Phishing is the most common type of cyber attack and the primary way of distribution for ransomware. A phishing email is a message hackers send that seems like legitimate communication from businesses and organizations. They induce users to click on malicious websites or download attachments that have ransomware.
The 2025 Verizon investigative report shows that 68% of all data breaches involve a human element, including falling victim to a social engineering attack or making an error. Attackers apply social engineering tactics, which exploit human psychology to manipulate victims into divulging sensitive information or taking unsafe actions. These emails often create a sense of urgency, fear, or curiosity to compel the recipient to act quickly without thinking critically. For instance, an email might claim there’s a problem with your account that needs immediate attention or offer an enticing deal that’s too good to pass up.
Sophisticated phishing attempts may use information gathered from social media or other public sources to make the email appear more convincing, a technique known as spear phishing. This personalized approach increases the likelihood of success, as victims are more likely to trust a message that appears to come from someone they know or an organization they interact with regularly.
Even more concerning is the increasing sophistication of these attacks due to Artificial Intelligence (AI). In May 2024, the FBI warned about the rising threat of cybercriminals using AI in their scams, including crafting persuasive voice or video messages and emails. These AI-powered tools, which can cost as little as $5, enable attackers to bypass security filters and create personalized phishing emails that are far more likely to deceive recipients.
The February 2025 cyber-attacking campaign targeting Gmail users exemplifies this trend. In it, attackers combined robocalls claiming account compromise with legitimate-looking emails from Google, prompting users to provide their Gmail recovery code. This combination of tactics can grant attackers access to a wide range of services, potentially leading to identity theft.
How to protect from phishing attacks:
- Implement email filtering solutions
- Conduct regular phishing awareness training for employees
- Use multi-factor authentication for email accounts
- Encourage a culture of skepticism towards unexpected or urgent email requests
- Verify sender identities through alternative communication channels when in doubt
- Never click on links or download files from unexpected emails or messages
- Protect your devices with up-to-date security software
- Use text protection and text message filtering on your mobile device
2. Malvertising
Malicious ads, also known as malvertising, appear to be genuine but are embedded with malicious files. As soon as you click the ad, the exploit kit scans your computer for vulnerabilities. If it finds any, it downloads the ransomware and spreads it across the network laterally.
Hackers buy real advertising spaces online and connect them to an exploit kit, making it challenging to trace the spread of this type of ransomware and prevent its presence online.
Data from early 2024 reveals a disturbing trend in malvertising. Misleading offers now account for 29% of these attacks. Malicious extensions and add-ons are also on the rise, representing 16% of malvertising cases, marking a notable increase from previous years. Desktops remain the primary target, comprising 57% of incidents.
How to protect from malvertising:
- Use ad-blocking software
- Keep all browsers and plugins updated
- Use endpoint detection and response (EDR) solutions
- Don’t enter personal information on a website unless you are certain it is legitimate
If you are unsure if you can trust an ad or promotional content, look for it on your search engine and look for comments and references from other users or consumers.
3. Malicious links
Phishing emails aren’t the only way users can stumble upon malicious links. Cybercriminals also distribute them via text messages (smishing) and social media platforms. These links often lead to exploit kits that scan your computer for vulnerabilities. Like phishing emails, if a vulnerability is found, the exploit kit downloads ransomware, allowing it to spread throughout the network.
While precise statistics on the prevalence of malicious links outside of email are hard to pinpoint, security experts note that these methods are increasingly popular due to their ability to bypass traditional email security measures. The key to their success lies in social engineering tactics. These messages are designed to entice users to click by presenting a compelling narrative, such as a limited-time offer, breaking news, or a personal message from a friend.
How to avoid malicious links:
- Be wary of unsolicited links received via text message or social media.
- Verify the sender’s authenticity before clicking any links.
- Use link scanners or URL checkers to preview the destination of a link before visiting it.
- Keep your operating system, web browsers, and security software up to date.
- Educate employees about the dangers of clicking on suspicious links and the importance of verifying the source.
4. Zero-day vulnerabilities
Sometimes, the software has vulnerabilities known as zero-day vulnerabilities. These flaws are unknown to the software vendor and can be exploited by attackers before a patch is available. The urgency of patching them cannot be overstated, as threat actors actively seek to weaponize these vulnerabilities before a fix is available, often leading to severe consequences.
According to the 2025 Global Threat Report, the cyber threat landscape is increasingly dominated by stealth, with threat actors actively seeking ways to evade detection. Zero-day exploits are a prime example of this trend, as attackers can bypass traditional security measures and gain unauthorized access to systems. The report also notes an alarming rise in covert activity and malware-free attacks. The time to identify a new vulnerability averages around six months, and remediation of critical or high vulnerabilities can take between 60 to 150 days.
A recent example highlighting the severity of zero-day exploits is the CVE-2025-24200 vulnerability in Apple’s iOS and iPadOS. This zero-day flaw allowed attackers to bypass the USB Restricted Mode on locked devices, potentially granting unauthorized access. Apple released emergency security updates (iOS 18.3.1 and iPadOS 18.3.1) to address this issue, which had been actively exploited in targeted attacks.
How to protect against zero-day vulnerabilities:
- Implement a robust patch management system to ensure systems are updated as soon as patches are available.
- Enable automatic updates on your devices to receive security patches promptly.
- Use advanced endpoint protection solutions with behavior-based detection to identify and block suspicious activity.
- Employ network segmentation to limit the spread of potential infections.
- Regularly conduct vulnerability assessments and penetration testing to identify and address potential environmental weaknesses.
- Monitor threat intelligence feeds to stay informed about emerging zero-day vulnerabilities and exploits.
If you suspect your device has been compromised, contact cybersecurity professionals immediately.
5. Drive-by-download
A drive-by download is a type of attack where malware is downloaded onto a device without the user’s knowledge or consent simply by visiting a compromised website. The malware can infiltrate systems and navigate the network infrastructure without triggering alerts, allowing threat actors to conduct reconnaissance for days and map valuable data repositories before initiating encryption and subsequent extortion demands.
A drive-by attack leverages vulnerabilities in various web browsers, plugins, or apps to launch the attack. Once the attack is underway, the hacker can hijack the device, spy on the user’s activity, or steal data and personal information. These attacks often involve injecting malicious code into legitimate websites or creating fake websites that mimic trusted brands.
How to prevent drive-by download attacks:
- Use reputable antivirus software with real-time scanning capabilities to detect and block malicious downloads.
- Install web filtering solutions to block access to known malicious websites and suspicious domains.
- Educate users about the risks of visiting unfamiliar websites and downloading files from untrusted sources.
- Use browser extensions that block known malicious sites and prevent the execution of malicious scripts.
- Regularly scan your computer for malware and remove any suspicious files or programs.
- Consider using a virtual machine or sandbox environment to isolate browsing activity from your main operating system.
6. Unsecured Remote Desktop Protocol – RDP
Remote Desktop Protocol (RDP) provides administrative access to remote systems and represents a common attack vector. While alternative remote access protocols exist, including Independent Computing Architecture (ICA) and Virtual Network Computing (VNC), RDP remains the predominant protocol targeted by threat actors.
However, the widespread use of RDP also makes it a significant target for cybercriminals. According to recent reports, compromised RDP is involved in 80% of network breaches related to ransomware. Cybercriminals use port scanners to search the internet for vulnerable RDP ports. Then, they use brute-force attacks or other credential theft techniques to gain access. Once they are in, they can do as they please, including leaving a “back door” for future access.
How to protect RDP:
- Use strong, unique passwords for RDP access to prevent brute-force attacks.
- Implement multi-factor authentication (MFA) to add an extra layer of security.
- Limit RDP access to only necessary users and use a VPN for secure connections.
- Monitor RDP connections for suspicious activity, such as unusual login times or locations.
- Keep RDP software up to date with the latest security patches.
- Consider disabling RDP if it is not needed.
7. Pirated software
Pirated software and cracks often contain malicious files that can infect your computer with ransomware. Besides violating property and intellectual rights, pirated software and cracks often contain malicious files that can infect your computer with ransomware. One key vulnerability of pirated software is that regular updates are not automatically performed or cannot be performed at all, leaving unpatched security areas that increase the risk of zero-day exploits.
Plenty of pirated software is out there, some of which is hard to tell apart from legitimate software. Ransomware is well-known to spread through pirated software, and it is much easier to become a victim of a cyber attack.
How to prevent pirated software exploits:
- Use only legitimate, licensed software from trusted sources.
- Put strict software installation policies in place to prevent unauthorized software from being installed on company devices.
- Regularly audit installed software to identify and remove any unauthorized or pirated software.
- Use a software asset management tool to track software licenses and ensure compliance.
- Educate employees about the risks of using pirated software and the importance of using legitimate software.
8. Unpatched systems
Unpatched systems are a significant vulnerability that ransomware attackers frequently exploit. Threat actors often seek out the “lowest-hanging fruit” to maximize their revenue, and systems with known, exploitable vulnerabilities are prime targets.
Cybercriminals target known vulnerabilities that either don’t have patches available or that businesses have not yet applied the updated security measures. The year 2024 had an increase of 54% in attacks targeting known vulnerabilities compared to 2023.
Unfortunately, the time between discovering and patching the vulnerability can take up to 150 days, which is more than enough time for cyberattacks. Given that the median time to encrypt an organization can be under 6 minutes, traditional patching cadences, such as monthly or weekly, are inadequate for addressing the constant stream of newly disclosed vulnerabilities.
How to protect from unpatched systems:
- Implement a continuous vulnerability management program.
- First, focus on patching the vulnerabilities that pose the greatest risk to the organization.
- Use automated tools to streamline the patching process
- Ensure all systems are patched according to policy and any exceptions are documented and addressed.
9. Unsecured WiFi networks
While not a direct infection method, attackers can exploit unsecured Wi-Fi networks to gain access to devices and potentially spread ransomware. Public Wi-Fi networks, in particular, are often unsecured and can be easily intercepted by malicious actors.
Attackers can use techniques such as man-in-the-middle attacks to intercept traffic on unsecured WiFi networks and steal sensitive information, including credentials. Once they have access to a user’s credentials, they can use them to access other systems and potentially deploy ransomware.
How to protect WiFi networks:
- Use strong encryption (WPA3) for WiFi networks.
- Separate guest WiFi networks from the corporate network to prevent attackers from accessing sensitive data if they compromise a guest device.
- Educate users about the risks of using public WiFi networks.
- Use a VPN when connecting to public WiFi.
- Disable WPS (WiFi Protected Setup).
10. MSPs and RMMs
Managed Service Providers (MSPs) function as third-party entities that administer client IT infrastructure and endpoint systems. Remote Monitoring and Management (RMM) platforms enable MSPs to monitor and manage client networks, creating potential supply chain attack vectors when compromised.
This can lead to cybercriminals distributing ransomware to the MSP customer base, which increases the demand for ransom payments.
How to protect MSPs and RMMs:
- Implement strict access controls for third-party providers.
- Regularly audit MSP and RMM access and activities.
- Ensure that MSPs have robust security measures in place, including multi-factor authentication, strong password policies, and regular security assessments.
- Monitor MSP activity for suspicious behavior and investigate any anomalies promptly.
- Have a clear incident response plan in case of a breach or ransomware attack.
11. Privilege escalation
Upon establishing initial access to a host within the network, threat actors can leverage privilege escalation techniques to harvest credentials and penetrate additional systems containing high-value information assets. Following, attackers exfiltrate sensitive data and establish persistence mechanisms through backdoor deployment, enabling continued access and future attack campaigns.
This technique allows cybercriminals to gain higher access levels than initially granted, potentially leading to complete control over the compromised system or network.
One notable example of privilege escalation in ransomware attacks was the 2023 MGM Resorts breach. Attackers initially gained access through a social engineering attack on an IT help desk employee, then used privilege escalation techniques to move laterally through the network, eventually encrypting critical systems.
How to protect against privilege escalation:
- Implement the principle of least privilege (PoLP) to ensure users only have the minimum permissions necessary for their roles.
- Use multi-factor authentication (MFA) for all privileged accounts.
- Regularly audit user permissions and remove unnecessary privileges.
- Use Privileged Access Management (PAM) solutions to monitor and control privileged account usage.
- Implement robust logging and monitoring systems to detect unusual account activity or access attempts.
12. Lateral movement
Lateral movement techniques enable adversaries to pivot from the initial infection point to other endpoints within the network architecture. The goal is to identify and exfiltrate high-value data assets across the environment. This is how these hackers threaten enterprises to leak stolen data if they do not pay the ransom.
Ransomware variants are growing more complex and have self-propagating mechanisms allowing lateral movement to other devices connected to the network. This means that if one computer is infected, the ransomware can quickly spread to other devices on the network, increasing the potential damage.
How to protect against lateral movement:
- Implement network segmentation to isolate critical systems and limit the spread of potential infections.
- Use strong, unique passwords for all accounts and require regular password changes.
- Monitor network traffic for suspicious activity, such as unusual access patterns or large data transfers.
- Use endpoint detection and response (EDR) solutions to detect and block malicious activity on endpoints.
- Implement application whitelisting to prevent unauthorized applications from running on systems.
Conclusion
Ransomware can shut down your business, cause you to lose clients, and cause downtime. Porthas can provide cybersecurity services to help protect your business network.
If you are a ransomware victim looking for a solution, our expert team can also help with ransomware removal and recovery services. Contact us 24/7 for emergency ransomware data recovery services.
