
How can ransomware be delivered?

Written by:

Oliver Plante, Cybersecurity Expert, ThreatLocker Vice President of Support

In brief: Ransomware is a significant cybersecurity threat, encrypting files and systems until a ransom is paid. Key delivery methods include:

  • Phishing emails: Mimicking legitimate communications to trick users into downloading ransomware.
  • Infected software downloads: Tampering with legitimate software to include malicious code.
  • Malicious websites: Using legitimate-looking sites to trigger automatic malware downloads.
  • Remote desktop protocol (RDP) exploits: Using weak or stolen credentials on exposed RDP services to gain access and deploy ransomware across networks.

Ransomware remains one of the most formidable threats to businesses, capable of crippling operations and inflicting severe financial damage. Understanding how ransomware can infiltrate your systems is crucial for enhancing your defense mechanisms and safeguarding your critical data. 

What is ransomware?

As we have covered here before, ransomware is a type of malicious software with a long history. It is designed to block access to a computer system or data, typically by encrypting files, until a sum of money is paid. Even if the ransom is paid, there is no guarantee that a working decryptor will be supplied, or that your files haven’t already been corrupted or leaked.

Ransomware typically works by:

  1. Infiltration: Threat actors use a ransomware delivery method to gain access to a victim's device. Often the victim inadvertently runs the ransomware themselves, by clicking a link or opening an attachment; in other cases the attacker gains access directly, for example through an exposed remote access service, and runs it by hand.
  2. Encryption: Once the device is infected, the ransomware scans for files and data to encrypt. It may also attempt to spread to other connected devices within the same network.
  3. Demand a ransom: After successfully encrypting the data, the ransomware displays a ransom note. This is often a pop-up, instructing the victim on the ransomware payment method—typically via cryptocurrency like Bitcoin.

The damage caused by ransomware extends beyond the financial losses incurred from the ransom payment. It also includes operational disruptions, data breaches, and reputational harm that can be difficult to recover from.

Common ransomware delivery methods

Recognizing how ransomware can be delivered is crucial in defending against these attacks. Ransomware can infiltrate systems through various ransomware attack methods, including phishing emails, malicious advertisements, and exploiting vulnerabilities in software.  

Social engineering  

Year after year, social engineering techniques remain some of the most common cyber threats. As CNBC recently reported, there was a 61% increase in the rate of phishing attacks in the six months ending October 2022 compared to the previous year. It wouldn’t be surprising to see that number continue to increase in the future.

Some common types of social engineering tactics include:

  • Phishing emails: Emails that mimic legitimate organizations asking victims to urgently click on a link or open an attachment that contains ransomware.
  • Fake alerts: Pop-ups or alerts that appear on websites, warning the user of a nonexistent security breach or virus. This creates a sense of urgency for them to download software to "fix" the problem, which is actually malicious code.
  • Phone scam calls: Calls from individuals pretending to be tech support or customer service. They will claim there is an issue with the user’s computer or account and convince them to allow remote access or download software that is malicious.
  • Baiting: Includes offering something enticing to the victim, like a free download of a popular movie or software. When it’s downloaded and opened, it unleashes ransomware onto their system.
  • Quid pro quo attacks: Offering a service or assistance in exchange for information or access, such as promising IT services to solve a computer issue, during which ransomware is installed on the system.

All of these ransomware infection methods involve manipulating individuals into breaking security procedures to gain access to systems, data, or personal information. This psychological manipulation is especially difficult to stop because it turns a legitimate, authorized user into the delivery mechanism: controls that watch for an outside attacker see only a normal user opening a file or granting remote access.

Social engineering attacks have only become more sophisticated with advancements in technology. Artificial Intelligence makes it easier than ever before to create convincing, personalized phishing emails on a mass scale. Ransomware as a service is also becoming more common since bad actors don’t need to be technically savvy to participate in cybercrime.

Infected software downloads

Sometimes, attackers tamper with legitimate software packages to include ransomware. They might distribute these through unofficial or compromised download channels. This is a particularly impactful ransomware delivery method since users trust legitimate software sources and might not suspect that their usual tools could carry malware.  

Legitimate software also has a broad user base, so tampering with it can affect a large number of users or an entire organization at once. Consider NotPetya, the 2017 variant of the Petya family. It was seeded through the compromised update mechanism of M.E.Doc, a widely used Ukrainian accounting package, so the first victims received it as a normal, trusted software update. It then used lateral-movement techniques (the EternalBlue and EternalRomance SMB exploits alongside credentials harvested from memory) to spread across networks and encrypt data. Although it displayed a ransom note, the damage could not be undone even by paying, which is one more reason never to count on a decryptor.

NotPetya infected organizations across finance, transportation, energy, and healthcare. It resulted in the loss of sensitive data and massive financial losses both from business interruptions and the cost of restoring systems and files.

Malicious websites

Another more covert ransomware delivery method is through malicious websites. These sites may look legitimate but are infected with malicious code. So, when a user visits, they will unintentionally download malware or ransomware.  

This is often carried out through what is called a “drive-by download”: malware is downloaded and executed when a user merely visits a page, without their knowledge or consent and without any further action on their part. The page is typically a legitimate site that has been tampered with, for instance a seemingly harmless local news website, whose injected code redirects the browser to an exploit kit targeting unpatched browsers or plugins.

If the exploit succeeds, the payload runs with the user’s privileges and encrypts their files; the first visible sign is usually the ransom note.

Remote desktop protocol (RDP) exploits

This ransomware attack method is slightly more specialized. The Center for Internet Security explains that Remote Desktop Protocol (RDP) is a Microsoft proprietary protocol that enables remote connections to other computers. In other words, it provides network access for a remote user over an encrypted channel.

This is a popular tool for remote work. With more and more employees working from home full or part-time, having a secure way to access their applications and files outside of the office is essential. Its widespread use, however, makes it a target of this ransomware attack method.

Cybercriminals exploit weak, reused, or stolen RDP credentials to gain remote access to computers and networks. Servers with RDP (TCP port 3389) exposed directly to the internet are found by mass scanning and then subjected to password guessing, or their credentials are bought from access brokers. Once inside, attackers move laterally, escalate privileges, and steal information while keeping a low profile.  

Several ransomware operations specialize in networks entered through exposed RDP. The ransomware is then deployed by hand across the entire compromised network, and because the intruders have had time to map the network and often to disable backups and security tooling beforehand, these attacks are widespread and typically demand a higher ransom. The basic mitigations are not to expose RDP to the internet at all, to put a VPN or remote desktop gateway with multi-factor authentication in front of it, to enable Network Level Authentication, and to enforce account lockout so that password guessing is slow and visible in the logs.
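The password-guessing pattern described above leaves a clear trail in the Windows Security log: a run of failed logons (event 4625) from one source address, then a successful logon (event 4624) from the same address. The following is an added example, not ThreatLocker’s code or tooling, of detection logic that correlates those two events per source IP. It assumes the events have already been pulled out of the log (for instance with Get-WinEvent or a SIEM export) into dicts with the fields shown; the sample events and addresses are constructed. One caveat worth knowing: when Network Level Authentication is on, a failed RDP attempt is recorded with logon type 3 rather than 10, so the filter accepts both.

```python
"""Flag RDP password guessing and a subsequent successful RDP logon from the same source.

Added example, not ThreatLocker's code. It assumes Windows Security log events
already exported as dicts with the fields used below (EventID, LogonType,
IpAddress, TargetUserName, TimeCreated); the sample events are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

FAILED_LOGON = 4625
SUCCESSFUL_LOGON = 4624
# With Network Level Authentication on, a failed RDP logon is recorded as a
# LogonType 3 (network) 4625 because CredSSP authenticates before any session
# exists; without NLA it is LogonType 10. A successful RDP session is
# LogonType 10 (RemoteInteractive) or 7 (unlock / reconnect to an existing session).
RDP_FAILURE_TYPES = {3, 10}
RDP_SUCCESS_TYPES = {7, 10}


def find_rdp_password_guessing(events, threshold=5, window=timedelta(minutes=10)):
    """Return alerts, in time order, for each source that reaches `threshold` failed
    RDP logons inside `window`, and for any successful RDP logon from such a source
    while those failures are still inside the window (the likely account compromise)."""
    alerts = []
    failures = defaultdict(list)  # source IP -> timestamps of recent failed logons
    for e in sorted(events, key=lambda ev: ev["TimeCreated"]):
        ip, t = e["IpAddress"], e["TimeCreated"]
        recent = [x for x in failures[ip] if t - x <= window]  # slide the window forward
        if e["EventID"] == FAILED_LOGON and e["LogonType"] in RDP_FAILURE_TYPES:
            recent.append(t)
            if len(recent) == threshold:  # fire once, when the threshold is crossed
                alerts.append({"type": "rdp_password_guessing", "ip": ip,
                               "failures": len(recent), "user": None, "time": t})
        elif e["EventID"] == SUCCESSFUL_LOGON and e["LogonType"] in RDP_SUCCESS_TYPES:
            if len(recent) >= threshold:
                alerts.append({"type": "rdp_logon_after_guessing", "ip": ip,
                               "failures": len(recent), "user": e["TargetUserName"], "time": t})
        failures[ip] = recent
    return alerts


# Constructed sample events: one source guesses six passwords and then gets in as
# jsmith, a second source stops after two failures, and an internal user logs in normally.
BASE = datetime(2024, 3, 1, 2, 0, 0)


def make_event(minute, event_id, logon_type, ip, user):
    return {"TimeCreated": BASE + timedelta(minutes=minute), "EventID": event_id,
            "LogonType": logon_type, "IpAddress": ip, "TargetUserName": user}


SAMPLE_EVENTS = [
    make_event(0, 4625, 3, "192.0.2.10", "administrator"),
    make_event(1, 4625, 3, "192.0.2.10", "admin"),
    make_event(2, 4625, 3, "192.0.2.10", "backup"),
    make_event(3, 4625, 3, "192.0.2.10", "jsmith"),
    make_event(4, 4625, 3, "192.0.2.10", "jsmith"),
    make_event(5, 4625, 3, "192.0.2.10", "jsmith"),
    make_event(6, 4624, 10, "192.0.2.10", "jsmith"),      # success after guessing
    make_event(3, 4625, 3, "203.0.113.5", "administrator"),
    make_event(4, 4625, 3, "203.0.113.5", "administrator"),  # below threshold
    make_event(8, 4624, 10, "10.0.0.25", "rlee"),         # ordinary internal RDP session
]

if __name__ == "__main__":
    for alert in find_rdp_password_guessing(SAMPLE_EVENTS):
        print(alert)
```

Two alerts come out of the sample: one when 192.0.2.10 crosses five failures, and a second when the same address logs in as jsmith with six failures still inside the window. The threshold and window are deliberately parameters; with account lockout enforced, a source that keeps producing 4625 events after the lockout count is a stronger signal still, since it can no longer be an honest user mistyping a password.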

Methods to prevent ransomware

Protecting against ransomware is essential for businesses to safeguard their assets and reputations. There is no single solution that stops this type of cyberattack; a multi-faceted approach is needed to detect, block, and mitigate ransomware.

  1. Cybersecurity awareness: It will always remain true that people are the first line of defense against common ransomware delivery methods. Regular training for staff and individuals on recognizing phishing attempts and other social engineering tactics is crucial. This education can reduce the likelihood of employees inadvertently downloading ransomware by helping them identify suspicious emails, links, and websites.
  2. Updating and patching software: Many ransomware variants exploit security vulnerabilities in outdated software. Keeping software up to date is crucial to manage these vulnerabilities and reduce the risk of exploitation. Consider automating software updates to have peace of mind that you are maintaining the latest security patches.
  3. Implementing security solutions: Application Allowlisting stops the execution of untrusted software on your devices, mitigating threats like viruses and ransomware. If Allowlisting is not in your security toolbelt, antivirus and other anti-ransomware solutions can further help detect and isolate malicious software before it can spread. These tools are continually updated to respond to new and evolving types of malware.  
  4. Backup strategies: If a ransomware attack occurs, having up-to-date backups allows organizations to restore encrypted data without paying the ransom. Make sure backups are regular and comprehensive, covering all critical data. Store at least one copy offline or in immutable storage that cannot be reached with the credentials used on the main network, because attackers who have had time inside a network routinely seek out and encrypt or delete reachable backups first. Test restores on a schedule: a backup that has never been restored is an assumption, not a recovery plan.  
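The “Infected software downloads” section and item 3 above both come down to one rule: trust is decided on what a file is, not on what it is called or where it appears to come from. The following is an added example, not ThreatLocker’s code or a description of its product, of the check a practitioner can run on a downloaded installer: parse the vendor’s published SHA-256 list, hash the file, and apply a default-deny decision in which only an exact match runs. The installer bytes, manifest and file names are constructed for the demonstration; a real manifest must be fetched from the vendor over a channel separate from the download itself, since an attacker who controls the download mirror can publish a matching hash for the tampered file.

```python
"""Check a downloaded installer against a vendor-published SHA-256 manifest and
apply a default-deny decision.

Added example, not ThreatLocker's code. The installer bytes, the manifest and the
file names below are constructed for the demonstration; a real manifest would be
fetched from the vendor over a separately trusted channel."""
import hashlib
import hmac
import string

HEX = set(string.hexdigits)


def parse_sha256sums(text):
    """Parse the `sha256sum` output format, one '<64 hex chars>  <filename>' per line.

    Returns {filename: lowercase hex digest}. A leading '*' on the filename
    (sha256sum's binary-mode marker) is stripped. Malformed lines raise
    ValueError instead of being skipped, so a corrupted or truncated manifest
    cannot silently shrink the allowlist."""
    expected = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64 or not set(parts[0]) <= HEX:
            raise ValueError(f"malformed manifest line {lineno}: {raw!r}")
        digest, name = parts
        expected[name.lstrip("*")] = digest.lower()
    return expected


def decide(name, content, allowlist):
    """Default deny: only a file whose SHA-256 matches its allowlisted digest may run.

    Returns 'allow', 'deny:unknown' (name not on the list at all) or
    'deny:tampered' (name is on the list but the bytes differ)."""
    expected = allowlist.get(name)
    if expected is None:
        return "deny:unknown"
    actual = hashlib.sha256(content).hexdigest()
    if not hmac.compare_digest(actual, expected):
        return "deny:tampered"
    return "allow"


# Constructed stand-ins for a vendor's installer and its published hash list.
GOOD_INSTALLER = b"MZ\x90\x00" + b"legitimate installer payload " * 64
TAMPERED_INSTALLER = GOOD_INSTALLER + b"\x00appended ransomware dropper\x00"
VENDOR_MANIFEST = (
    "# SHA256SUMS as the vendor would publish them (constructed for this example)\n"
    f"{hashlib.sha256(GOOD_INSTALLER).hexdigest()}  setup.exe\n"
)
ALLOWLIST = parse_sha256sums(VENDOR_MANIFEST)

if __name__ == "__main__":
    for name, blob in [("setup.exe", GOOD_INSTALLER),
                       ("setup.exe", TAMPERED_INSTALLER),    # same name, altered bytes
                       ("totally-legit.exe", GOOD_INSTALLER)]:  # not on the list at all
        print(f"{name:18} {decide(name, blob, ALLOWLIST)}")
```

The tampered copy has the same name as the genuine installer and is rejected purely on its bytes, which is the property a filename- or folder-based trust rule lacks. The check has a limit the NotPetya case makes plain: it catches tampering downstream of the vendor, not a compromise of the vendor’s own build or update pipeline, where the published hash matches the poisoned file. That residual risk is the argument for an allowlist that is maintained by the organization itself and for denying by default anything that is not on it.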

The impact of ransomware

It is predicted that by 2031, ransomware will cost its victims around $265 billion (USD) annually.

This staggering cost alone should be enough for businesses to invest in ransomware protection. However, it’s also important to understand the long-term ramifications of these attacks. They can damage a company’s reputation, result in the permanent loss of critical data, and lead to substantial financial burdens during recovery, in addition to potential legal consequences and a loss of customer trust that can last for years.

Ransomware should always be taken seriously. ThreatLocker® offers comprehensive Application Allowlisting which prevents all executables, libraries, and scripts from executing, except those that are explicitly permitted to run in an environment. Even legitimate tools that have not been explicitly allowed, including those that could be used to encrypt data, are blocked.

ThreatLocker takes the time to learn what is required for your business and blocks everything else. If you need to add a new tool, it’s also very simple to permit it to run. This ensures your cybersecurity posture remains strong without getting in the way of productivity.

Learn more about how ThreatLocker can help you stop ransomware attacks in their tracks. Schedule a demo today.  
