Stop Ransomware 2 – Where Does Ransomware Come From?

Industry expertise by Martin Bannister, written by Jason Eichner

In our last post we discussed what ransomware is, and why it is such a concern for the modern business. But where does it come from? How is it getting on to our computers in the first place?

If we know where it comes from, we can protect ourselves against it – so let’s take a look at where ransomware can come from, and how it spreads from there.

Ransomware is a category of malware, so many of its avenues of attack are shared with other malware strains. The problem is that, because ransomware is so incredibly profitable, there is a lot of money funding cybercriminals who develop new and more sophisticated attacks. A free copy of the latest antimalware software won’t help against this dangerous new world of organised cybercrime, and once you look at the many ways ransomware can attack you, you’ll soon see why.

Malvertisements – Infected Ads

A common, and well known, source of ransomware is browsing the web. Many websites these days use adverts, and by exploiting that doorway onto a website cybercriminals can then download their ransomware onto your computer.

There are, however, some serious misconceptions about how and where people can get infected by malvertisements.

One common misconception is that it’s easy to protect against these infected ads by simply not clicking on them. It’s easy to see how that belief came about, as it used to be true. However, as malware has advanced, new exploit kits are being used to abuse ad space, and now clever cybercriminals can have their ransomware downloaded to your computer automatically when an infected ad simply loads. That’s right – just by visiting a webpage ransomware can be downloaded to your computer.

Not only that, but ad-blocking can no longer offer the security it once did. Many websites are designing intelligent ways to bypass ad-blocking, and cybercriminals are developing methods of having their exploits load even if the ad itself is blocked. With both the website and the criminals working against them, ad-blockers simply cannot be trusted like they once were.

Another common misconception is that by being careful with what sites you visit, you can avoid malicious adverts. Again, this was once (mostly) true, so it stands to reason that people would believe it. Sadly, though, it just isn’t true now. No longer is the infectious ad the sole domain of illegal or dubious websites; they are cropping up everywhere. It seems every other week there is another story of a big, reputable website accidentally allowing a malvertisement to display for thousands or millions of users, and thus the infection is spread.

It’s a sad truth – if you browse the internet these days, you are constantly at risk of ransomware.


Email

Although people tend to expect the majority of risks to come from the web, the most common vector of attack is actually email.

It makes a lot of sense – we rarely change our email addresses, so they get traded and sold regularly within criminal circles. Even if you’re careful with who you give your address to, it only takes one person who has your address to get infected, and all of their contacts could have been sent to a cybercriminal to sell or use as they see fit.

There are a lot of ways cybercriminals use email to infect us. While most email clients and simple protection software know to block the most common files, such as .bat and .exe files, there are far more insidious methods cybercriminals are using these days.

One method they use is to send a document file, such as a .doc, .xls, or .pdf file, with some simple but leading instructions in the email that guide the user to open the document. This could be as simple as saying “The invoice is attached, we’ll take payment in 3 days.” – many people would simply open the attachment to check what invoice the email is talking about. A little bit of code called a macro in the document then runs, and the ransomware is installed on the victim’s computer.

Of course it needn’t even be that complicated. Some emails simply guide the user to click a link for any number of reasons; to view a photo, a document, anything that triggers the user’s desire to know more. The link leads to – you guessed it – an infected website, and the ransomware is downloaded to the computer.

These days it isn’t even as easy as only opening emails from people you know, either. Cybercriminals have developed methods to mimic legitimate email addresses, meaning they could make it look as though an email were coming from almost anywhere they wanted. Some ransomware even hijacks a user’s email once it has encrypted the computer, and uses it to send infected emails to all the user’s contacts, propagating the malware in a way that looks as though it is coming from a known contact.
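As an added example (not part of the original post), the sketch below shows how a mail filter can hold the attachment types described in this section: files whose final extension is executable, and Office documents that carry macros, detected by content rather than by name. The function names, the extension list beyond .bat and .exe, and the sample message are all assumptions made for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# File types the post says are commonly blocked, plus similar script types (assumed list).
EXECUTABLE_EXTS = {".bat", ".exe", ".cmd", ".scr", ".js", ".vbs"}
OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # header of legacy .doc/.xls files

def has_macros(data: bytes) -> bool:
    """Detect a VBA project by content, so a renamed file is still caught."""
    if data.startswith(OLE_MAGIC):
        # Heuristic: legacy files name their macro stream _VBA_PROJECT (UTF-16LE).
        return "_VBA_PROJECT".encode("utf-16-le") in data
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as z:  # .docx/.xlsx/.docm are zips
            return any(n.lower().endswith("vbaproject.bin") for n in z.namelist())
    except zipfile.BadZipFile:
        return False

def triage(raw: bytes) -> list:
    """Return (filename, reason) for each attachment that should be held."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in EXECUTABLE_EXTS:  # last extension wins: photo.jpg.exe is an .exe
            findings.append((name, "executable extension"))
        elif has_macros(part.get_payload(decode=True) or b""):
            findings.append((name, "office document with macros"))
    return findings

def build_sample() -> bytes:
    """Constructed message for the demo; all names and contents are made up."""
    msg = EmailMessage()
    msg["From"], msg["To"] = "accounts@example.com", "user@example.org"
    msg.set_content("The invoice is attached, we'll take payment in 3 days.")
    kw = dict(maintype="application", subtype="octet-stream")
    docs = {"invoice.doc": ["word/document.xml", "word/vbaProject.bin"],
            "notes.docx": ["word/document.xml"]}
    for name, members in docs.items():
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as z:
            for member in members:
                z.writestr(member, b"placeholder")
        msg.add_attachment(buf.getvalue(), filename=name, **kw)
    msg.add_attachment(b"MZ", filename="photo.jpg.exe", **kw)
    return msg.as_bytes()
```

Calling `triage(build_sample())` holds `invoice.doc` and `photo.jpg.exe` and lets the macro-free `notes.docx` through.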

Malicious USBs

Yes; physical hardware can be a threat vector for your business. Cybercriminals have started attacking valuable targets with USB based attacks using social engineering to get their ransomware onto their targets’ systems. This is a far more targeted attack than the others – the cybercriminal chooses a particular victim and adapts the attack to suit their target.

The most common method of doing this is remarkably simple and low-effort. The criminal creates an infected USB and leaves it in a visible, but perhaps slightly out of the way, location very near the business. They make it look as though it could have fallen out of someone’s pocket as they left the building. Some unwitting victim arrives at work, sees the USB and decides it would be helpful to return it to its owner; to determine who it belongs to they plug it into their computer – and there we have it, infection within the company. If the files are made sufficiently confusing or vague, the victim may well pass the USB on to other members of the company as well, accelerating the infection process and causing more damage to the company’s systems.

There is an even more unexpected way that ransomware can be spread via USB, however. USB sticks have become a common way of sharing media after meetings, demonstrations, and conferences. It only takes a single rogue IT user, or malicious giveaway, to create a batch of infected USBs that get handed out to attendees or visitors. Once again, this attack is very low effort – the cybercriminal creates a batch of malicious USBs and just waits for victims to infect themselves.

Direct Attack

All the above attack methods are, essentially, automatic: cybercriminals use technology and social manipulation to get their infections onto their targets’ systems without much direct intervention on their part. They do have a more direct route as well, though – hacking.

If a cybercriminal targets your network they will exhaust all available methods to breach the defences and get access to your systems. With a real person behind the scenes these attacks are far more aggressive, and often more successful, than the others.

When the cybercriminal gains access to a network, they have free rein to do as they wish. A common method of attack is to steal as much sensitive data and important documents as possible, and then leave a ransomware program running in the background. Not only does this ransomware offer a chance to earn a little more money for the criminal, it also distracts the company from the huge data breach they have just suffered, and sometimes masks it entirely.

Network Infection – How it Spreads

All the previous methods of infection appear to only hit one or two computers per attack. A major issue to be sure, but it gets much worse.

Modern ransomware has been developed to be as infectious as possible, and that means that once any of the above methods works and infects a single computer on a company system, many strains of ransomware will immediately get started on infecting everything connected.

How it does this depends on the strain of ransomware you are dealing with, but a common method is moving sideways across the network to continue the infection path. One computer catches the ransomware, and then while it is quietly encrypting files it also scans for connected computers and delivers an infectious payload to them. This means that from a single infection (just one user accidentally clicking the wrong link or receiving an infected email) the infection can spread to every computer on the network.

Beyond that, ransomware often scans for all connected devices and infects them – that means fileservers and shared drives can both get encrypted and become vectors for other computers to become infected. The success of ransomware stems from just how good cybercriminals have become at spreading the infection, and extorting money out of those infected.

Different ransomware strains have different abilities in these regards, so some may use the visible network, while others scan for shared folders or drives to infect them. Eventually, a strong strain of ransomware will find a way to spread from one computer to the rest, encrypting whole businesses in short order.

In our next post we’ll be discussing the key protective strategies to protect your business, in How Can I Prevent Ransomware?
