How Does Ransomware Spread?

April 28, 2020 By Jack Vines

Next in our series on ransomware is more information about how ransomware spreads.

Ransomware is malware that encrypts data or locks you out of your system, and demands a ransom or payment in order to regain access to your files or device. But how does ransomware spread?

Ransomware is a concern for businesses of every size. It’s becoming so common that the likelihood of your business remaining unscathed is incredibly low. In 2019, there was a ransomware attack every 14 seconds. And experts predict that the frequency will increase to an attack every 11 seconds by 2021.

No industry, business size, or file type is immune to ransomware, and ransomware targets all types of devices. Whether you work on a mobile device, desktop, Mac, Windows, or even Linux, you are a target for ransomware. For mobile devices specifically, there were more than 18 million mobile malware attacks in 2018 and the numbers are expected to triple quickly.

How do you get ransomware?

Common attack methods of ransomware include phishing emails, vulnerable web servers, and malicious email attachments.

Think of phishing emails as malware that casts a wide net. The emails are written and designed to trick the recipient into clicking a link or downloading a file. The hope is that if enough people receive them, someone will click the link and unknowingly give the attacker access to their system.

With a vulnerable web server, the idea is similar. Bad actors exploit websites running vulnerable web server software and leverage the site for their own purposes, typically using the site as a front door to its visitors, who then unknowingly download the malware onto their own systems.

A note about malicious attachments or downloads: it’s important to keep an up-to-date list of known ransomware extensions and files. Update your systems to block malicious file types or extensions. See the tables at the bottom of this post for common file names and extensions.

There are a few other vehicles that can deliver ransomware to your system:

Remote Desktop Protocol
Cyber criminals can take advantage of weak passwords and bypass security barriers in an unsecured RDP setup. With so many people working remotely right now, this delivery method is a growing concern. And if ransomware delivered via remote desktop employs a cryptoworm, it can spread quickly throughout the rest of the network.

Drive-by Downloading
In a drive-by download, malicious code is embedded in an image or on a site (sometimes even a legitimate site that is unaware it is the vehicle for the malware). All that is needed to download the software onto the device or execute it is for the visitor to open a link.

MSSPs and Other Supply Chain Partners
Crime actors are now using Managed Security Services Providers or other supply chain partners to get into your system. An MSSP already has access to your environment and likely the authority to manage users, update software, and so on. Once a crime actor has broken into the MSSP’s systems, they have complete access to your network: they can install the malware, or poke around and see what data looks enticing to them.

Network Propagation
In the beginning, ransomware was only capable of attacking the device or machine it infected. It is now sophisticated enough that, once embedded in the local machine, it can self-propagate and move to other devices connected to the network.

Removable Media (USB keys, etc.)
Though it might not sound typical in today’s age of cloud services, removable media is a common form of delivery for malware. Often the malicious software disguises itself as another program or file, and once it is opened, it installs the ransomware onto the local device.

Malvertising
Similar to a drive-by download, malvertising delivers the ransomware via a malicious ad. Once the web visitor clicks on that ad, likely shown on search engine result pages or even social media sites, the malware is delivered and downloaded onto the device.

Once the ransomware is on your system, if it incorporates a cryptoworm, it can easily spread throughout your network until it runs out of places to spread or hits appropriate security barriers.

How can you prevent the spread of ransomware?

In order to prevent the spread of ransomware, it’s important to start with two very specific steps:

1 - Update your software
Keeping your systems up to date ensures that known security holes are patched and your systems are in the best position to defend against unwanted software attacks or downloads. Set your systems up on an auto-update schedule and have your IT team make updates mandatory for all business devices.

2 - Install malware protection
Invest in malware protection software. Ransomware attacks and programs are evolving every day. Without the right software to block attacks, scan new files or programs, and keep up to date with known threats, you’re leaving your system vulnerable. Keep your organization safe with reliable security software.

3 - Protect your endpoints
It’s important to keep all of your endpoints in mind when you’re building a protection plan against ransomware. Updated software and malware protection are great first steps, but it’s also critical to think about every device that has access to your network. Is every device protected? Are you requiring two-factor authentication? What is your plan for mobile devices? Are you thinking ahead to how laptops move from home networks back to the corporate network? Put a plan in place that protects everything that reaches the edge of your network--everything that connects to your business.

4 - Train your employees
Just as you protect your files and physical devices from an attack, you must prepare your workforce to recognize the common social engineering tactics that crime actors use to trick people into infecting their networks with ransomware. Train your workforce to use the protections you’ve set up, including two-factor authentication, spotting phishing emails, and keeping their systems up to date.

5 - Protect your RDP
Make sure RDP is only accessible via a VPN. It’s an extra step, but that barrier creates a wider gap between you and the possibility of an attack. Requiring passwords or other authentication to reach RDP, with the VPN as the front door, will help protect you and your business. Without a VPN, you’re exposing your entire server to the public.

6 - Segment your network and utilize PoLP
Create barriers within your network so that malware which can self-propagate does not turn into a devastating ransomware attack. Apply the principle of least privilege (PoLP) for every employee, preventing access to data that isn’t necessary for their job duties.
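Step 5 says RDP should be reachable only through the VPN. One way to turn that into a repeatable check is to evaluate the inbound firewall rule set and report every allow rule that lets TCP/3389 in from a source outside the VPN client pool. The following Python script is an added example, not code from this article or from Measured Insurance; it models firewall rules as plain dicts in an assumed, simplified format (not any vendor's rule syntax), and both rule sets and the VPN address pool are constructed for the demonstration. The check takes the port as a parameter, so the same function can audit any other service the article's segmentation advice applies to.

```python
"""Check that inbound RDP (TCP/3389) is reachable only from the VPN subnet.

Added example, not code from the article or from Measured Insurance.
Firewall rules are modelled as plain dicts in an assumed, simplified format
(not any vendor's rule syntax); the rule sets and the VPN address pool below
are constructed for the demonstration.
"""
import ipaddress

RDP_PORT = 3389


def _source_network(source):
    """Turn a rule's source field into an IPv4 network; "any" means the whole address space."""
    if str(source).lower() == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    return ipaddress.ip_network(source, strict=False)


def _rule_opens_port(rule, port):
    """True if the rule is an inbound TCP allow that covers the given port."""
    if rule.get("direction") != "inbound" or rule.get("action") != "allow":
        return False
    if rule.get("protocol", "tcp").lower() not in ("tcp", "any"):
        return False
    ports = rule.get("ports", "any")
    return ports == "any" or port in ports


def exposures(rules, port, allowed_subnet):
    """Return the allow rules that expose `port` to sources outside `allowed_subnet`.

    Deliberately conservative: rule ordering and deny rules are ignored, so any
    allow rule that reaches the port from outside the permitted subnet is reported.
    """
    allowed = ipaddress.ip_network(allowed_subnet)
    return [
        rule for rule in rules
        if _rule_opens_port(rule, port)
        and not _source_network(rule.get("source", "any")).subnet_of(allowed)
    ]


def rdp_is_behind_vpn(rules, vpn_subnet):
    """True when no inbound allow rule exposes RDP outside the VPN client pool."""
    return not exposures(rules, RDP_PORT, vpn_subnet)


VPN_SUBNET = "10.8.0.0/24"  # constructed: address pool handed out to VPN clients

# Constructed "before" rule set: RDP open to the internet and to the office LAN.
EXPOSED_RULES = [
    {"name": "Allow RDP from anywhere", "direction": "inbound", "action": "allow",
     "protocol": "tcp", "ports": [3389], "source": "any"},
    {"name": "Allow RDP from office LAN", "direction": "inbound", "action": "allow",
     "protocol": "tcp", "ports": [3389], "source": "192.168.10.0/24"},
    {"name": "Allow HTTPS", "direction": "inbound", "action": "allow",
     "protocol": "tcp", "ports": [443], "source": "any"},
]

# Constructed "after" rule set: RDP only from the VPN pool, everything else denied.
HARDENED_RULES = [
    {"name": "Allow RDP from VPN pool", "direction": "inbound", "action": "allow",
     "protocol": "tcp", "ports": [3389], "source": "10.8.0.0/24"},
    {"name": "Deny RDP from anywhere else", "direction": "inbound", "action": "deny",
     "protocol": "tcp", "ports": [3389], "source": "any"},
    {"name": "Allow HTTPS", "direction": "inbound", "action": "allow",
     "protocol": "tcp", "ports": [443], "source": "any"},
]

if __name__ == "__main__":
    for label, rules in (("exposed", EXPOSED_RULES), ("hardened", HARDENED_RULES)):
        found = exposures(rules, RDP_PORT, VPN_SUBNET)
        names = ", ".join(r["name"] for r in found) or "none"
        print(f"{label}: RDP reachable from outside the VPN via: {names}")
```

The check flags the office LAN rule as well as the "anywhere" rule, because the article's position is that the VPN is the only front door; if an internal management subnet is also acceptable in your environment, pass that subnet in place of the VPN pool. Because deny rules and ordering are ignored, a clean result means there is no allow rule to worry about at all, which is the state you want to be able to prove.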

Malicious extensions that are added to file names:

Extensions with Repeated Letters: .vvv, .xxx, .ccc, .zzz, .aaa, .ttt
Extensions with Only Letters: .ezz, .abc, .RRK, .XTBL, .ecc, .XRNT, .pzdc, .xyz, .crinf, .CTBL, .exx, .RDM
Numerical Extensions: .1999
Extensions with Phrases or Words: .bleep, .OMG!, .EnCiPhErEd, .LeChiffre, .SUPERCRYPT, .magic, .good, .vault, .LOL!, .locked, .toxcrypt, .locky, .encryptedRSA, .encrypted, ._crypt, .keybtc@inbox_com, .crjoker, .micro, .crypt
Extensions with Numbers and Letters: .HA3, .r5a, .0x0, .CTB2, .R16M01D05

Malicious ransom note files ([random] stands for a string chosen by the malware):

.TXT files (encrypted, recovery, help, how-to and other notes): encryptor_raas_readme_liesmich.txt, RECOVERY_KEY.txt, HELP_YOUR_FILES.TXT, How_To_Recover_Files.txt, Coin.Locker.txt, FILESAREGONE.TXT, DECRYPT_INSTRUCTIONS.TXT, HELP_DECRYPT.TXT, INSTRUCCIONES_DESCIFRADO.TXT, ReadMe.txt, DecryptAllFiles.txt, HELP_TO_DECRYPT_YOUR_FILES.txt, HOW_TO_DECRYPT_FILES.TXT, Read.txt, secret_code.txt, HELP_RECOVER_FILES.txt, Howto_RESTORE_FILES_.txt, About_Files.txt, IAMREADYTOPAY.TXT, ReadDecryptFilesHere.txt, HELP_RESTORE_FILES.txt, Howto_Restore_FILES.txt, READTHISNOW!!!.TXT, DECRYPT_INSTRUCTION.TXT, Help_Decrypt.txt, howto_recover_file_.txt, HELLOTHERE.TXT, DECRYPT_ReadMe.TXT, HELP_TO_SAVE_FILES.txt, how_recover+[random].txt, how_recover.txt, RECOVERY_FILES.txt, help_recover_instructions+[random].txt, RECOVERY_FILE.TXT, _Locky_recover_instructions.txt, restore_files_.txt, RECOVERY_FILE_[random].txt, recover_file_[random].txt
.HTML files: YOUR_FILES.HTML, help_decrypt_your_files.html, HELP_DECYPRT_YOUR_FILES.HTML
.URL files: YOUR_FILES.url
.KEY files: IHAVEYOURSECRET.KEY, SECRETIDHERE.KEY, SECRET.KEY
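The article recommends keeping an up-to-date list of known ransomware extensions and ransom-note file names and using it to block or spot them. The Python script below is an added example, not code from the article or from Measured Insurance: it turns the two tables above into a simple file-system check that walks a directory and reports files whose names carry one of the listed extensions or match one of the listed note names. The indicator lists are copied from the tables; the sample directory it scans is constructed inside the script so it runs offline, and treating "[random]" in a note name as "any attacker-chosen string" is this example's assumption.

```python
"""Scan a directory tree for the ransomware file indicators listed in this post.

Added example, not code from the article or from Measured Insurance. The
extension and ransom-note lists are copied from the post's two tables; the
sample directory is constructed here so the script runs offline.
Assumption: "[random]" in a note name stands for any attacker-chosen string.
"""
import os
import re
import tempfile
from pathlib import Path

# Extensions appended to encrypted files (post's extension table), lower-cased
# so that matching is case-insensitive.
RANSOM_EXTENSIONS = {
    ".vvv", ".xxx", ".ccc", ".zzz", ".aaa", ".ttt",                     # repeated letters
    ".ezz", ".abc", ".rrk", ".xtbl", ".ecc", ".xrnt", ".pzdc", ".xyz",  # only letters
    ".crinf", ".ctbl", ".exx", ".rdm",
    ".1999",                                                            # numerical
    ".bleep", ".omg!", ".enciphered", ".lechiffre", ".supercrypt",      # phrases or words
    ".magic", ".good", ".vault", ".lol!", ".locked", ".toxcrypt",
    ".locky", ".encryptedrsa", ".encrypted", "._crypt",
    ".keybtc@inbox_com", ".crjoker", ".micro", ".crypt",
    ".ha3", ".r5a", ".0x0", ".ctb2", ".r16m01d05",                      # numbers and letters
}

# Ransom note file names (post's note table).
NOTE_NAMES = [
    "encryptor_raas_readme_liesmich.txt", "RECOVERY_KEY.txt", "HELP_YOUR_FILES.TXT",
    "How_To_Recover_Files.txt", "Coin.Locker.txt", "YOUR_FILES.HTML", "YOUR_FILES.url",
    "IHAVEYOURSECRET.KEY", "FILESAREGONE.TXT", "DECRYPT_INSTRUCTIONS.TXT", "HELP_DECRYPT.TXT",
    "INSTRUCCIONES_DESCIFRADO.TXT", "ReadMe.txt", "help_decrypt_your_files.html",
    "SECRETIDHERE.KEY", "DecryptAllFiles.txt", "HELP_TO_DECRYPT_YOUR_FILES.txt",
    "HOW_TO_DECRYPT_FILES.TXT", "Read.txt", "HELP_DECYPRT_YOUR_FILES.HTML", "SECRET.KEY",
    "secret_code.txt", "HELP_RECOVER_FILES.txt", "Howto_RESTORE_FILES_.txt", "About_Files.txt",
    "IAMREADYTOPAY.TXT", "ReadDecryptFilesHere.txt", "HELP_RESTORE_FILES.txt",
    "Howto_Restore_FILES.txt", "READTHISNOW!!!.TXT", "DECRYPT_INSTRUCTION.TXT",
    "Help_Decrypt.txt", "howto_recover_file_.txt", "HELLOTHERE.TXT", "DECRYPT_ReadMe.TXT",
    "HELP_TO_SAVE_FILES.txt", "how_recover+[random].txt", "how_recover.txt",
    "RECOVERY_FILES.txt", "help_recover_instructions+[random].txt", "RECOVERY_FILE.TXT",
    "_Locky_recover_instructions.txt", "restore_files_.txt", "RECOVERY_FILE_[random].txt",
    "recover_file_[random].txt",
]


def _note_pattern(name):
    """Compile a note name into a case-insensitive regex; "[random]" becomes a wildcard."""
    escaped = re.escape(name).replace(re.escape("[random]"), r".+")
    return re.compile(escaped, re.IGNORECASE)


NOTE_PATTERNS = [(name, _note_pattern(name)) for name in NOTE_NAMES]


def classify(filename):
    """Return ("note", name) or ("extension", ext) for an indicator hit, else None."""
    for name, pattern in NOTE_PATTERNS:          # exact note names first
        if pattern.fullmatch(filename):
            return ("note", name)
    lower = filename.lower()
    hits = [ext for ext in RANSOM_EXTENSIONS if lower.endswith(ext)]
    if hits:
        return ("extension", max(hits, key=len))  # prefer the most specific suffix
    return None


def scan_tree(root):
    """Walk `root` and return (path, kind, indicator) for every file that matches."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for fn in sorted(filenames):
            hit = classify(fn)
            if hit:
                findings.append((os.path.join(dirpath, fn), hit[0], hit[1]))
    return findings


def flagged_basenames(findings):
    """Sorted file names from a scan result, for reporting."""
    return sorted(os.path.basename(path) for path, _, _ in findings)


def summarize(findings):
    """Count findings per kind, e.g. {"extension": 2, "note": 2}."""
    counts = {}
    for _, kind, _ in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


def build_sample_tree():
    """Create a throwaway directory of constructed file names for the demonstration."""
    root = tempfile.mkdtemp(prefix="ransomware-scan-demo-")
    for name in [
        "report.docx",                      # clean
        "notes.txt",                        # clean
        "budget.xlsx.locky",                # encrypted file, ".locky" appended
        "photo.jpg.vvv",                    # encrypted file, repeated-letter extension
        "_Locky_recover_instructions.txt",  # ransom note with a fixed name
        "recovery_file_8f3a.txt",           # ransom note with a random suffix
    ]:
        Path(root, name).write_bytes(b"constructed sample content\n")
    return root


if __name__ == "__main__":
    demo = scan_tree(build_sample_tree())
    for path, kind, indicator in demo:
        print(f"{kind:<9} {indicator:<30} {path}")
    print(summarize(demo))
```

Point scan_tree() at a file share or user profile to use it for real. Two caveats a practitioner should keep in mind: a few entries in the tables are low-specificity (ReadMe.txt, Read.txt, .xyz, .abc, .micro) and will match legitimate files, so treat those hits as weak signals, and an indicator list is only as good as its last update, which is why the article stresses keeping it current.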
141 West Pierpont Avenue
Salt Lake City, Utah 84101
© 2020 Measured Insurance, Inc. 
All rights reserved.