Ransomware attackers continually look for new ways to carry out their attacks, but several strategies stand out as the most popular (and effective) means of infiltrating systems. These are the most common ransomware attack vectors:
Phishing: Deceptive emails or similar messages, usually laden with infected links or attachments, trick users into letting ransomware onto their system.
Drive-by downloads: Attackers exploit software, OS, or browser vulnerabilities to enable stealthy downloads of ransomware when victims interact with compromised websites or links.
Software vulnerabilities: Attackers exploit weaknesses in applications or systems, giving them entry points into a network, where they can deploy ransomware directly.
Malicious websites: Attackers create fake or copycat sites that users mistake for legitimate ones, which host ransomware that they entice visitors into downloading under false pretenses.
Watering hole attacks: Attackers compromise legitimate websites used by their intended victims, and then use social engineering to trick visitors into downloading ransomware.
Remote Desktop Protocol (RDP) attacks: Hackers gain illicit access to RDP connections, generally by cracking or stealing login credentials, to deploy ransomware directly onto a target network.
Malvertising (malicious advertising): Attackers place infected ads on otherwise legitimate websites, which infect systems with ransomware when victims interact with the ad.
Most ransomware attacks start with phishing. Threat actors often use deceptive emails, messages, or websites to trick users into downloading malware or divulging login credentials. These techniques are effective because they exploit human vulnerabilities, not technological ones, making them difficult for traditional security measures to detect.
How Is Ransomware Typically Delivered?
Ransomware can be delivered through various vectors, with phishing being the most common. Another method, called drive-by download, automatically downloads ransomware to a victim's system when they visit a compromised or malicious website. Attackers may also use exploit kits, which target known software vulnerabilities to deliver ransomware. Some attackers use fraudulent ads, even on legitimate websites, to lure victims.
How Does a Ransomware Attack Start?
Ransomware attacks most often start when a victim interacts with a malicious link, website, or file, or surrenders privileged information through phishing. Once ransomware is installed on a victim's system, it will exfiltrate and/or encrypt files, and then send a ransom demand promising an exchange for the decryption key or surrender of stolen data.
How Do I Know If I’m the Victim of a Ransomware Attack?
Various telltale signs can indicate you’ve been hit with ransomware. The most obvious are a sudden inability to access files, or receipt of a ransom message. Less obvious signs could be changes to file extensions, additional files appearing on the system, or out-of-the-ordinary network traffic or encryption activity. If you notice any of these, you should disconnect from the internet and immediately consult your IT or security team.
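The less obvious signs above (changed file extensions, additional files appearing, encryption activity) can be checked by comparing two snapshots of a file share. The following is an added example, not part of the original page; the function names, the `.locked` extension, the `README_RESTORE.txt` file name and the 7.5 bits-per-byte threshold are assumptions chosen for illustration.

```python
import math
from collections import Counter
from pathlib import PurePosixPath

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 8.0 looks like random data."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def triage(baseline, current, min_dirs=2, high=7.5):
    """Compare two {path: bytes} snapshots for the signs listed above."""
    gone, new = set(baseline) - set(current), set(current) - set(baseline)
    # Sign 1: an original vanished and "<original>.<new ext>" took its place.
    renamed = {}
    for path in new:
        original = str(PurePosixPath(path).with_suffix(""))
        if original in gone:
            renamed[original] = path
    appended = Counter(PurePosixPath(p).suffix for p in renamed.values())
    # Sign 2: the same new file name dropped into several directories (note-like).
    extra = Counter(PurePosixPath(p).name for p in new - set(renamed.values()))
    notes = sorted(name for name, count in extra.items() if count >= min_dirs)
    # Sign 3: content went from low to high entropy. Files that were already
    # compressed (JPEG, ZIP) start high, so entropy alone proves nothing.
    encrypted = sorted(o for o, p in renamed.items()
                       if entropy(baseline[o]) < high <= entropy(current[p]))
    return {"appended_extensions": dict(appended), "note_like_files": notes,
            "content_encrypted": encrypted,
            "suspicious": bool(renamed) and bool(notes or encrypted)}

# Constructed sample data: not taken from any real incident.
TEXT = b"quarterly report text " * 50   # low entropy, like a document
DENSE = bytes(range(256)) * 4           # 8.0 bits/byte, like ciphertext or a JPEG
BASELINE = {"docs/report.docx": TEXT, "docs/budget.xlsx": TEXT, "photos/a.jpg": DENSE}
CURRENT = {"docs/report.docx.locked": DENSE, "docs/budget.xlsx.locked": DENSE,
           "photos/a.jpg.locked": DENSE,
           "docs/README_RESTORE.txt": b"constructed note text",
           "photos/README_RESTORE.txt": b"constructed note text"}

if __name__ == "__main__":
    for key, value in triage(BASELINE, CURRENT).items():
        print(f"{key}: {value}")
```

The three signals are combined because each one alone has benign explanations: bulk renames happen during migrations, and compressed files are high-entropy before any encryption.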
What Do I Do if I Believe My System Has Been Infected by Ransomware?
If you suspect you’ve fallen victim to ransomware, you should immediately take several steps to prevent the spread of the infection. Isolate infected devices by disconnecting them from the internet and network, powering them down if needed. Next, reach out to your IT or security team or other trusted professional, who can help you determine if decryption is possible, restore data from a backup, and potentially remove the ransomware. Finally, you’ll need to evaluate what led to the ransomware infection and shore up your defenses accordingly.
How Serious Is a Ransomware Attack?
Any organization should consider a ransomware attack serious if the organization, its clients, or its employees have anything to lose. Both money and data are at risk the moment ransomware is executed in your environment, and depending on your response, you could face reputational damage, legal repercussions, fines, sanctions, and more.
What Is an Example of a Ransomware Attack?
There are many ransomware families and notable ransomware attacks. One example, the Ryuk ransomware, has targeted healthcare, public sector, and education organizations worldwide. Delivered via phishing emails, Ryuk encrypts victims' files and demands a ransom in exchange for the decryption key. Although not as notorious as massive attacks like NotPetya and WannaCry, Ryuk has nonetheless seen great success in extorting payments from its victims.
What Is the Greatest Ransomware Attack?
One of the most damaging ransomware attacks in history was the May 2017 WannaCry attack. It affected hundreds of thousands of computers in more than 150 countries, hitting critical infrastructure from healthcare to government agencies as well as other businesses. WannaCry encrypted files and demanded ransoms in bitcoin. While far from the first widespread ransomware attack, it was the first to reach such a devastating global scale of disruption.