How is Ransomware Really Spread?

When you are discussing something you can’t actually see, such as ransomware, it is hard to understand where it comes from. It’s easier to believe it magically appeared on your network or computer than to accept that something you did caused it to appear. We regularly hear about malware attacks, especially when they hit large corporations, but rarely is there any focus on what the end user did to let the attack happen in the first place.

Ransomware files are pushed at you over the Internet under several false pretexts, such as a fake antivirus pop-up ad or a box prompting you to install a driver file. These tricks have been around for a while, but many, many users still fall for them. If you click on one of these corrupt pop-ups, a ransomware program is installed that encrypts the data on your computer and shows you a message demanding a ransom payment to the perpetrators to have your data decrypted. In most cases the payment is demanded in bitcoin, so that neither the money nor the person receiving it can be tracked.

The most common way ransomware is spread is through email-based attacks; it’s estimated that almost 60 percent of ransomware spreads via email. These emails carry infected files, typically as attachments, and are worded to encourage the user to download the file and execute it. Often they appear to come from someone you know, but if you look closer you will see that something is slightly off in the sender’s email address. They can also appear to come from a known company, posing as a software download or even an image that draws your eye. Perpetrators rely heavily on social engineering: the malicious message is carefully planned so that its context, salutation, sender address, and tone inspire trust in the recipient and lead to the desired action (typically double-clicking on that cursed .exe file).
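To make the two cues above concrete for a defender, here is an added example (not from the original post) that triages constructed email metadata for a sender address that is “slightly off” from a known contact and for an attachment that executes when double-clicked. The known-contact list, the extension list, and the message format are assumptions for the demo.

```python
"""Added example: flag lookalike senders and executable attachments.

Not part of the original post. KNOWN_CONTACTS, EXECUTABLE_EXTENSIONS and the
message dict layout are assumptions made for this demonstration.
"""
import difflib
from email.utils import parseaddr

# Constructed sample data: addresses the recipient genuinely corresponds with.
KNOWN_CONTACTS = {"alice@example-corp.com", "billing@vendor.example"}

# Extensions that run code when double-clicked (assumed, non-exhaustive list).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".bat", ".cmd", ".hta"}


def lookalike_sender(from_header, known=KNOWN_CONTACTS, threshold=0.85):
    """Return the known contact this sender imitates, or None.

    An exact match is a trusted sender. A near match (high similarity but not
    identical) is the 'slightly off' address the post describes.
    """
    _, addr = parseaddr(from_header)
    addr = addr.lower()
    if addr in known:
        return None
    for contact in known:
        if difflib.SequenceMatcher(None, addr, contact).ratio() >= threshold:
            return contact
    return None


def executable_attachments(filenames):
    """Return attachment names whose final extension is executable.

    Checking the *last* extension catches double-extension names such as
    'invoice.pdf.exe', which Windows shows as 'invoice.pdf' by default.
    """
    return [n for n in filenames
            if any(n.lower().endswith(ext) for ext in EXECUTABLE_EXTENSIONS)]


def triage(message):
    """Return a list of reasons to hold a message {'from': str, 'attachments': [str]}."""
    reasons = []
    imitated = lookalike_sender(message["from"])
    if imitated:
        reasons.append(f"sender resembles known contact {imitated}")
    execs = executable_attachments(message["attachments"])
    if execs:
        reasons.append("executable attachment(s): " + ", ".join(execs))
    return reasons
```

An empty list from `triage` means neither cue fired; anything else is a reason to quarantine the message for a human look rather than deliver it.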

Another way ransomware is spread is by malvertising, where the ransomware is hidden in an advertisement on a legitimate site. The perpetrator buys advertising space and entices users to click on the ad with a great deal or an interesting story, but once the user clicks, they have infected their machine and server. Clicking on the malvertisement also reveals information about the user’s operating system, software versions, browser plugin status, and other details vital to protecting one’s identity. In 2017, Google alone removed 1.7 billion suspicious ads. Scary, huh?