Top 5 ransomware attack vectors and how to avoid them
Protecting your organization against ransomware attack entryways could mean the difference between staying safe or falling victim to a devastating breach.
Ransomware is everywhere. This disruptive malware infiltrates and disrupts everyone and everything from healthcare organizations to schools, retailers and energy distribution pipelines.
But do you know how ransomware finds its way onto its victims' systems? Or how it could get into your systems? One of the keys to preventing ransomware is knowing how it enters in the first place. Once you understand the most prevalent ransomware attack vectors, you can determine which cybersecurity controls and mitigations to put in place to make your organization as resilient as possible to ransomware infection.
Let's examine these common ransomware attack vectors and how to best secure them to prevent infection.
1. Social engineering and phishing
Phishing, the most popular type of social engineering, continues to be the No. 1 attack vector for all kinds of malware, including ransomware, because it continues to work. Attackers especially target email because it arrives in employees' inboxes, which reside directly on corporate networks or endpoints with access to critical resources. The attacker has high confidence that email-borne malware -- if opened -- will reach a valuable target.
Phishing emails can be disguised in various ways to keep pace with topics users are most likely interested in. For example, nothing leads to clicks like the promise of a quicker tax refund in April or a great deal on electronics ahead of Black Friday or Cyber Monday. Likewise, the believability of these phishing emails is increasing as cybercriminals employ new and sophisticated tools, such as AI chatbots to create convincing text. Once the email is delivered, all it takes is a quick click of an attachment or malicious link for dropper malware to install and then download ransomware payloads.
Other social engineering scams that trick users into downloading malware include text- or SMS-based phishing, known as smishing; voice phishing over the phone, known as vishing; and highly targeted phishing attacks, referred to as spear phishing.
How to prevent social engineering and phishing
- Add security awareness training. A well-trained and security-aware workforce provides a powerful first line of defense. Rather than shaming employees for clicking on suspect emails, model their behavior with positive feedback. For example, celebrate the "Catch of the Month" for the employee who finds and reports the most interesting phishing attempt.
- Use technology to detect ransomware activity. Email hygiene systems, especially those running in the cloud, can reduce the load on your mail server and lighten employee inboxes by filtering out low-hanging, easy-to-spot phishing emails. Endpoint detection and response systems, especially products that recognize anomalous behavior, are another line of defense that can detect ransomware activity if it gets past email filters and users.
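The email hygiene layer described above is, at its simplest, a set of heuristics run over each incoming message. The following is an added example, not code from the article or from SecurityCurve: it parses a raw message with the Python standard library and reports the signals a filter commonly looks for (Reply-To domain that differs from the sender, link text that shows one host while pointing at another, pressure language, and a risky attachment type). The two sample messages, the keyword list and the extension list are constructed for illustration, and the reasons it returns are meant to feed a scoring or quarantine decision rather than stand alone.

```python
"""Heuristic phishing triage over a raw e-mail message (added example; samples are constructed)."""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Attachment types often used to carry dropper malware (constructed list, not exhaustive)
RISKY_EXTENSIONS = {".exe", ".js", ".vbs", ".lnk", ".iso", ".zip", ".docm", ".xlsm", ".hta", ".scr"}
# Pressure phrases typical of credential-harvesting lures (constructed list)
URGENCY = re.compile(r"\b(urgent|immediately|within 24 hours|account (?:will be )?suspended|verify now)\b", re.I)


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _domain(addr):
    """Last two labels of the address's host: 'bob@mail.example.com' -> 'example.com'."""
    host = addr.rsplit("@", 1)[-1].strip("> ").lower()
    return ".".join(host.split(".")[-2:])


def _host(url):
    """Hostname of a URL, tolerating a missing scheme in visible link text."""
    return urlparse(url if "://" in url else "http://" + url).hostname or ""


def triage(raw_message):
    """Return human-readable reasons the message looks like phishing (empty list = no findings)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    reasons = []
    sender, reply_to = msg.get("From", ""), msg.get("Reply-To", "")
    if reply_to and _domain(reply_to) != _domain(sender):
        reasons.append(f"reply-to domain {_domain(reply_to)} differs from sender domain {_domain(sender)}")
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    if body and body.get_content_type() == "text/html":
        collector = _LinkCollector()
        collector.feed(text)
        for href, visible in collector.links:
            # Visible text that looks like a URL but resolves to another host is a classic lure
            if visible.startswith(("http://", "https://", "www.")) and _host(visible) != _host(href):
                reasons.append(f"link text shows {_host(visible)} but points to {_host(href)}")
    if URGENCY.search(text):
        reasons.append("urgency language in body")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in RISKY_EXTENSIONS:
            reasons.append(f"risky attachment type: {name}")
    return reasons


# Constructed sample: lookalike reply-to, mismatched link, pressure wording, zip attachment
PHISHING_SAMPLE = """\
From: "IT Helpdesk" <helpdesk@example.com>
Reply-To: support@mail-example-secure.net
To: alice@example.com
Subject: Password expiry
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html; charset="utf-8"

<p>Your password expires today. Verify now at
<a href="http://login.mail-example-secure.net/reset">https://sso.example.com</a></p>
--b1
Content-Type: application/zip; name="invoice.zip"
Content-Disposition: attachment; filename="invoice.zip"
Content-Transfer-Encoding: base64

UEsFBgAAAAAAAAAAAAAAAAAAAAAAAA==
--b1--
"""

# Constructed sample: ordinary internal mail, expected to produce no findings
BENIGN_SAMPLE = """\
From: bob@example.com
To: alice@example.com
Subject: Lunch on Thursday?
Content-Type: text/plain; charset="utf-8"

Want to grab lunch on Thursday?
"""

if __name__ == "__main__":
    print(triage(PHISHING_SAMPLE))
    print(triage(BENIGN_SAMPLE))
```

None of these signals is conclusive on its own; a production filter weights them and combines them with sender reputation and authentication results (SPF, DKIM, DMARC), which this example does not model.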
2. Compromised credentials
To quote Leonardo da Vinci, sometimes "simplicity is the ultimate sophistication." In the context of ransomware, this means obtaining employee or contractor credentials to access internal or production environments and then spreading malware.
Attackers can purchase credentials on the dark web or use techniques such as credential stuffing -- large-scale automated efforts using stolen credentials lists -- spear phishing, watering hole attacks and keystroke loggers. Once attackers have credentials, they can use ingress vectors such as exposed remote desktop endpoints, VPN connections or cloud services to spread ransomware. This occurred in the Colonial Pipeline attack: A user's password, which was likely reused between their work account and a compromised website, granted the attackers access to an existing VPN system.
How to prevent credential compromise
- Use MFA as an additional layer of protection. Getting employees to adhere to good password hygiene, such as not reusing passwords between home and work accounts, can be difficult. MFA prevents direct compromise even when an attacker gains access to a password. MFA won't directly prevent password reuse, but it does help mitigate the effect.
- Implement education and awareness programs. Helping users to understand why they should follow password hygiene guidelines can help enforce compliance with those guidelines.
- Employ password managers. Password managers can help ensure that passwords aren't reused between sites and services and enforce high-quality passwords.
3. Remote desktop software, particularly RDP
Remote desktop methods and software, such as Microsoft's proprietary remote desktop protocol (RDP) and virtual network computing (VNC), are valuable to modern enterprises because they enable administrators to access servers and desktops from virtually anywhere. If not appropriately protected, however, they can also allow attackers to do the same thing.
Attackers obtaining compromised credentials and accessing internal resources is analogous to having the key to the front door. In addition to methods designed to acquire legitimate user credentials, ransomware operators and other criminal gangs can target the protocols using brute-force attacks and, in some instances, offline password cracking.
How to protect remote desktop services
- Add and require MFA for remote access. Even with valid credentials, an attacker won't be able to access the system without the additional authentication factor, whether it's a one-time code, dongle or text message.
- Lock down remote system access. Use VPNs and restrict admin access to a single-purpose device, such as a jump server or a privileged access workstation. This means attackers must infiltrate the jump server or workstation before they can attempt to access the remote server using RDP or another method.
- Consider closing the admin ports and opening them only for verified user requests. This way, admins can still do their jobs, but systems aren't open to potential attacks 24/7.
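Sections 2 and 3 both come down to an attacker presenting credentials to a remote-access entry point, and the gateway's authentication log is where that activity shows first. The following is an added example, not code from the article or from SecurityCurve: it reads constructed gateway log lines and raises an alert when one source address accumulates failures within a sliding window, labelling the pattern as brute force (one account hammered) or credential stuffing (one source trying many accounts), and separately flags a successful login from a source that was already flagged. The log format is an assumption of the example; real RDP, VPN or SSO gateways log differently, so the regular expression would be adapted to the product in use.

```python
"""Detect password guessing against a remote-access gateway from its authentication log (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed format: "<ISO timestamp> auth <success|failure> user=<name> src=<ip>"
LINE = re.compile(r"^(\S+) auth (success|failure) user=(\S+) src=(\S+)$")

# Constructed sample log: one brute-force run, one ordinary typo, one stuffing run
SAMPLE_LOG = """\
2025-04-01T10:00:01 auth failure user=alice src=203.0.113.5
2025-04-01T10:00:03 auth failure user=alice src=203.0.113.5
2025-04-01T10:00:05 auth failure user=alice src=203.0.113.5
2025-04-01T10:00:07 auth failure user=alice src=203.0.113.5
2025-04-01T10:00:09 auth failure user=alice src=203.0.113.5
2025-04-01T10:00:12 auth success user=alice src=203.0.113.5
2025-04-01T10:01:00 auth failure user=grace src=192.0.2.10
2025-04-01T10:01:20 auth success user=grace src=192.0.2.10
2025-04-01T10:02:00 auth failure user=bob src=198.51.100.7
2025-04-01T10:02:01 auth failure user=carol src=198.51.100.7
2025-04-01T10:02:02 auth failure user=dave src=198.51.100.7
2025-04-01T10:02:03 auth failure user=erin src=198.51.100.7
2025-04-01T10:02:04 auth failure user=frank src=198.51.100.7
""".splitlines()


def detect(lines, window=timedelta(minutes=5), max_failures=5, stuffing_users=3):
    """Return (kind, source_ip, users) alerts in the order they are raised.

    kind is "brute force" (many failures, few accounts), "credential stuffing"
    (failures spread across many accounts) or "success after failures"
    (a login succeeded from a source that was already flagged).
    """
    recent = defaultdict(deque)   # src -> deque of (timestamp, user) failures inside the window
    flagged = set()
    alerts = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue                # not an auth event
        ts = datetime.fromisoformat(m.group(1))
        result, user, src = m.group(2), m.group(3), m.group(4)
        failures = recent[src]
        while failures and ts - failures[0][0] > window:
            failures.popleft()      # drop failures that fell out of the sliding window
        if result == "failure":
            failures.append((ts, user))
            if len(failures) >= max_failures and src not in flagged:
                users = sorted({u for _, u in failures})
                kind = "credential stuffing" if len(users) >= stuffing_users else "brute force"
                alerts.append((kind, src, users))
                flagged.add(src)
        elif src in flagged:
            # A success from a flagged source is the event that needs an immediate response
            alerts.append(("success after failures", src, [user]))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The thresholds are deliberately low so the sample is short; in practice they are tuned to the gateway's normal failure rate, and the "success after failures" alert is the one worth routing to a human, because with MFA in place it should not happen at all.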
4. Exploitable software vulnerabilities
Another way attackers can gain access is by exploiting software vulnerabilities. WannaCry, arguably one of the most impactful cybersecurity events in recent memory, was ransomware that spread using a software vulnerability in the Server Message Block protocol. Other examples include NotPetya, which didn't have recovery capability but functioned like ransomware, and attacks by ransomware gangs LockBit and REvil that exploited Citrix issues and problems in the Pulse Secure VPN.
Any internet-facing system that isn't patched could be a vector for a cyberattack. This includes attacks against web applications and third-party dependencies. Due to the complexity of modern software supply chains, websites often include numerous plugins and libraries that might be vulnerable to attack if not monitored and updated. Likewise, many low-code/no-code workflows interconnect with different services and functions. A vulnerability in any of these could be a ransomware attack vector.
How to minimize exploitable software vulnerabilities
- Update your patch management program. At a minimum, ensure all of your systems -- especially those that are public-facing -- are up to date on patches. Establish an update cadence for OSes, network and infrastructure devices, critical software packages and websites, including support for libraries and dependencies.
- Implement an application lifecycle management program for software and workflows. An ALM program inventories and tracks applications and services in use at the organization.
- Use a software bill of materials to inventory software components. SBOMs are gaining traction because they provide transparency into what's deployed, giving organizations better control. If a new zero-day vulnerability hits the internet, companies using ALM and SBOMs don't need to wonder if they are affected; they will know if they are.
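The SBOM point above is concrete enough to show in code. The following is an added example, not code from the article or from SecurityCurve: it loads a CycloneDX-style SBOM (the components array with name, version and purl is the real CycloneDX JSON layout) and checks each component against a list of advisories to answer the question the text poses, "are we affected?". Every package name, version and advisory identifier below is constructed, and the advisory record format (introduced/fixed range keyed by ecosystem and name) is an assumption of the example rather than any particular vulnerability database's schema.

```python
"""Check a CycloneDX-style SBOM against vulnerability advisories (added example; data is constructed)."""
import json

SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "acme-json-parser", "version": "2.2.0",
     "purl": "pkg:npm/acme-json-parser@2.2.0"},
    {"type": "library", "name": "widgetlib", "version": "1.4.0",
     "purl": "pkg:pypi/widgetlib@1.4.0"},
    {"type": "library", "name": "tlsutil", "version": "3.0.9",
     "purl": "pkg:maven/org.example/tlsutil@3.0.9"}
  ]
}"""

# Constructed advisories: a version is affected if introduced <= version < fixed
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "purl_type": "npm", "name": "acme-json-parser",
     "introduced": "1.0.0", "fixed": "2.3.1"},
    {"id": "ADV-EXAMPLE-0002", "purl_type": "npm", "name": "widgetlib",   # same name, other ecosystem
     "introduced": "1.0.0", "fixed": "1.5.0"},
    {"id": "ADV-EXAMPLE-0003", "purl_type": "maven", "name": "tlsutil",  # already patched
     "introduced": "3.0.0", "fixed": "3.0.8"},
]


def parse_version(text):
    """'2.3.1' -> (2, 3, 1). Non-numeric labels count as 0; real tooling would use a semver library."""
    return tuple(int(p) if p.isdigit() else 0 for p in text.split("."))


def purl_type(purl):
    """Ecosystem label of a package URL: 'pkg:npm/acme@1.0' -> 'npm'."""
    return purl[4:].split("/", 1)[0] if purl.startswith("pkg:") else ""


def affected_components(sbom_json, advisories):
    """Return one record per (component, advisory) pair whose deployed version falls in the affected range."""
    sbom = json.loads(sbom_json)
    hits = []
    for comp in sbom.get("components", []):
        version = parse_version(comp["version"])
        ecosystem = purl_type(comp.get("purl", ""))
        for adv in advisories:
            if adv["name"] != comp["name"] or adv["purl_type"] != ecosystem:
                continue   # match on ecosystem too: the same name in npm and PyPI can be unrelated packages
            if parse_version(adv["introduced"]) <= version < parse_version(adv["fixed"]):
                hits.append({"component": comp["name"], "version": comp["version"],
                             "advisory": adv["id"], "fixed_in": adv["fixed"]})
    return hits


if __name__ == "__main__":
    for hit in affected_components(SBOM_JSON, ADVISORIES):
        print(f"{hit['component']} {hit['version']} affected by {hit['advisory']}, fixed in {hit['fixed_in']}")
```

The check is only as good as the SBOM's coverage: a component that was never inventoried, such as a plugin dropped into a website by hand, does not appear in the output, which is the gap the ALM inventory in the previous point is meant to close.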
5. Malicious websites and malvertising
While somewhat less common today, ransomware can still spread through malicious websites and advertising, known as malvertising. Large-scale campaigns like CryptXXX are rarer now thanks to browser advances, sandboxing, auto-updates and the removal of Flash Player, but websites and malicious ads are still actively used to spread ransomware. For example, consider the recent use of malicious advertising to disseminate WinSCP and PuTTY, as well as the SocGholish malware downloader that delivered ransomware masquerading as fake browser updates.
The point is that the browser still can be, and often is, a potential vehicle for ransomware delivery and other types of malware. It still behooves us to monitor this channel and the others on this list vigilantly.

How to prevent browser-borne ransomware
- Push user education. Some malicious advertising can appear scary, while some malicious websites can seem innocuous and helpful at first glance. Training users to be critical of these sites and to understand their browser's security instrumentation -- UI elements that speak to the security of the underlying site -- can help bolster user web-surfing hygiene.
- Update browsers and OSes with patches. While drive-by downloads are less likely now, it's prudent to ensure browsers are hardened against attack.
- Use endpoint protection. Endpoint security ensures that if a user inadvertently downloads and tries to run a malicious executable, there are safeguards against malicious infection.
Editor's note: This article was updated in April 2025 to add additional attack vectors and to improve the reader experience.
Ed Moyle is a technical writer with more than 25 years of experience in information security. He is a partner at SecurityCurve, a consulting, research and education company.
Diana Kelley is co-founder and CTO of SecurityCurve and donates much of her time to volunteer work in the cybersecurity community.