Ransomware Threat Vectors

What Are the Most Common Attack Vectors for Ransomware?

In 2021, ransomware attacks are expected to grow at a record pace. In the first six months of the year, according to a recent analysis published by Threatpost, 304.7 million ransomware attack attempts were recorded, a figure that already exceeds the total for all of 2020 by roughly 100,000 attempts.

The infection vectors used in these attacks were diverse, but ransomware actors favor some approaches over others. Researchers found that unprotected Microsoft Remote Desktop Protocol (RDP) connections accounted for more than half of all ransomware attacks, email phishing for roughly a quarter, and the exploitation of software vulnerabilities for a further 12 percent. This section looks at how each of these three delivery channels results in a ransomware infection.


RDP is a proprietary Microsoft protocol that lets a user on one computer open an interactive session on another. The connecting machine runs an RDP client and the target runs the Remote Desktop Services server component. According to Microsoft's documentation, the server listens for incoming connections on defined ports, by default TCP port 3389 and UDP port 3389.

This becomes a problem when organizations expose RDP to the public internet. According to ZDNet, some cybercriminal groups specialize in scanning the internet for open RDP ports. When they find one, they launch brute-force attacks against it in an attempt to gain entry. These access brokers then resell their foothold on an organization's network on the dark web, giving attackers such as ransomware gangs a way in.


Phishing emails are a common way to distribute malware of all kinds, and ransomware is only one of them. In a typical attempt, the victim receives a malicious email urging them to open an attached file. The attachment may be a PDF, a ZIP archive, or a Microsoft Office document that tricks the recipient into enabling macros. Whichever file type is used, the attacker's goal is to get the recipient to run an executable that installs ransomware on their computer.

Phishing emails do not always carry an attachment that infects the recipient. Instead, they may direct the victim to click a malicious link. If the recipient does so, they may be redirected to a website hosting fake software downloads or other ruses whose payload is ransomware or an exploit kit.
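The attachment tricks described above (a disguised executable, an archive wrapping the real payload, or an Office document that asks for macros to be enabled) can all be caught at the mail gateway without opening anything in an Office application. The following script is an added example, not code from the original article or from Cybereason: it triages attachments by extension, looks inside ZIP archives one level deep, and detects a VBA macro project in an OOXML document by checking the container for a vbaProject.bin part (OOXML files are ZIP archives, and that is where Word, Excel and PowerPoint store macros). The sample attachments are constructed in memory and are not real documents.

```python
"""Gateway-side triage of e-mail attachments for ransomware delivery tricks.

Added example (not from the original article). Checks:
 1. double extensions that disguise an executable ("invoice.pdf.exe"),
 2. executable or script attachment types,
 3. OOXML Office documents carrying a VBA macro project (vbaProject.bin),
 4. the same three checks applied to each member of a ZIP attachment.
All sample attachments below are constructed in memory.
"""
import io
import zipfile

EXECUTABLE_EXTS = {"exe", "scr", "js", "vbs", "hta", "bat", "cmd", "ps1", "jar", "lnk"}
OFFICE_EXTS = {"docm", "xlsm", "pptm", "docx", "xlsx", "pptx"}
DOCUMENT_EXTS = {"pdf", "doc", "xls", "txt", "jpg", "png"}   # benign-looking "inner" extensions


def _build_ooxml(with_macro):
    """Construct a minimal OOXML-style ZIP container (not a real Word file)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00fake-vba-project")
    return buf.getvalue()


def _build_zip(entries):
    """Construct a ZIP archive from {name: bytes}."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def has_vba_project(data):
    """True if an OOXML container holds a VBA macro project part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def triage_attachment(filename, data):
    """Return the list of reasons to block this attachment (empty list = allow)."""
    reasons = []
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    if len(parts) > 2 and parts[-2] in DOCUMENT_EXTS and ext in EXECUTABLE_EXTS:
        reasons.append(f"double extension disguises executable: {filename}")
    elif ext in EXECUTABLE_EXTS:
        reasons.append(f"executable/script attachment type: .{ext}")
    if ext in OFFICE_EXTS and has_vba_project(data):
        reasons.append("Office document contains VBA macro project (vbaProject.bin)")
    if ext == "zip":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for name in zf.namelist():            # recurse one level into the archive
                    for r in triage_attachment(name, zf.read(name)):
                        reasons.append(f"inside {filename}: {r}")
        except zipfile.BadZipFile:
            reasons.append("attachment claims .zip but is not a valid archive")
    return reasons


# Constructed sample attachments
SAMPLES = {
    "invoice.docm": _build_ooxml(with_macro=True),
    "agenda.docx": _build_ooxml(with_macro=False),
    "invoice.pdf.exe": b"MZ\x90\x00",
    "report.pdf": b"%PDF-1.4",
    "scan.zip": _build_zip({"scan.docm": _build_ooxml(with_macro=True)}),
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        verdict = triage_attachment(name, data)
        print(f"{name:18} -> {'BLOCK: ' + '; '.join(verdict) if verdict else 'allow'}")
```

Legacy binary formats (.doc, .xls) are OLE2 compound files rather than ZIP containers, so this check does not see their macros; a real gateway would hand those to an OLE parser such as olevba from the oletools project.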


Return to the phishing scenario above, in which the email contains an embedded link that takes the recipient to a website hosting an exploit kit. The ransomware payload was delivered by way of a phishing email in this case, but the email was not the vector that actually compromised the machine. The exploit kit profiles the visitor's web browser, operating system, and other software for security flaws and serves as the delivery mechanism for the malware: if it finds a vulnerability it supports, it runs the corresponding exploit code and uses it to install ransomware on the victim's computer.

This is known as a drive-by download. An attacker can host the drive-by download on a website of their own, but to keep email gateways from flagging the embedded links they must use redirect chains, typosquatted domains, and other evasive measures. Alternatively, attackers can compromise a reputable website and use its reputation to distribute the malware.
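Typosquatting works because a gateway that only compares link hosts against a blocklist never sees the look-alike domain coming. The following script is an added example, not code from the original article or from Cybereason, of what the gateway-side check can look like: it extracts URLs from a message body and classifies each host as trusted, a homoglyph of a trusted domain (0 for o, rn for m, Cyrillic letters), a near-miss typosquat (small edit distance), or a trusted brand name stuffed into the subdomain of an unrelated registrable domain. The trusted-domain allowlist, the homoglyph table and the sample message are constructed for illustration; the "last two labels" approximation of the registrable domain is a deliberate simplification.

```python
"""Classify links in an e-mail body as trusted, typosquat, homoglyph or brand-in-subdomain.

Added example (not from the original article). The allowlist, the homoglyph
table and the sample message are constructed for illustration.
"""
import re
from urllib.parse import urlparse

TRUSTED_DOMAINS = ["example.com", "microsoft.com", "paypal.com"]   # assumed allowlist

# Substitutions attackers use for look-alike domains (illustrative subset).
HOMOGLYPHS = {"rn": "m", "vv": "w", "0": "o", "1": "l",
              "\u0430": "a", "\u0435": "e", "\u043e": "o"}      # Cyrillic a, e, o

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def levenshtein(a, b):
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host):
    """Crude eTLD+1: the last two labels. Real code should use a public-suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def normalize(domain):
    """Fold common homoglyph substitutions back to ASCII letters."""
    for bad, good in HOMOGLYPHS.items():
        domain = domain.replace(bad, good)
    return domain


def classify_domain(host, max_distance=2):
    host = host.lower().rstrip(".")
    base = registrable_domain(host)
    if base in TRUSTED_DOMAINS:
        return "trusted"
    for trusted in TRUSTED_DOMAINS:               # "paypal.com.evil.net"
        if host.startswith(trusted + ".") or ("." + trusted + ".") in host:
            return f"trusted name {trusted} used as subdomain of {base}"
    norm = normalize(base)
    for trusted in TRUSTED_DOMAINS:               # "micros0ft.com"
        if norm == trusted:
            return f"homoglyph of {trusted}"
    for trusted in TRUSTED_DOMAINS:               # "microsft.com", "example.co"
        if levenshtein(base, trusted) <= max_distance:
            return f"typosquat of {trusted}"
    return "unknown"


def scan_links(text):
    """Return [(host, verdict)] for every URL found in the message body."""
    results = []
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname or ""
        results.append((host, classify_domain(host)))
    return results


# Constructed sample message body
SAMPLE_EMAIL = """\
Your mailbox is over quota. Review the notice at http://micros0ft.com/verify
or sign in at https://paypal.com.account-check.net/login to keep your account.
Download the update from https://www.microsft.com/update today.
Policy reference: https://www.microsoft.com/real and https://cdn.example.com/docs/policy.pdf
"""

if __name__ == "__main__":
    for host, verdict in scan_links(SAMPLE_EMAIL):
        print(f"{host:32} {verdict}")
```

Internationalized domains reach a gateway in punycode (xn--...) form, so a production version decodes them with the idna codec before the homoglyph check, and it would also resolve redirect chains rather than classifying only the first hop the message shows.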


The good news is that enterprises can take several precautionary measures against the delivery vectors outlined above. In the case of RDP, they can disable the service, or block TCP and UDP port 3389 at the perimeter, if they do not need it. Systems that must support RDP can be placed behind a firewall or VPN, protected with multi-factor authentication and account lockout, and monitored for indicators of abuse such as bursts of failed logons from a single source address.
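The scan-then-brute-force pattern described in the RDP section, and the monitoring for abuse recommended just above, both come down to one signal: many failed remote logons from the same source in a short time. The following script is an added example, not code from the original article or from Cybereason, of that detection. The log records are constructed, but their fields mirror Windows Security Event ID 4625 (an account failed to log on); Logon Type 10 (RemoteInteractive) is an RDP session, and on hosts with Network Level Authentication enabled the failures are often logged with Logon Type 3 instead, so the set of logon types is a tuning parameter.

```python
"""Sliding-window detection of RDP brute-force activity in Windows Security log records.

Added example (not from the original article). Records are constructed;
field names follow Event ID 4625. Logon Type 10 = RemoteInteractive (RDP);
add "3" to RDP_LOGON_TYPES for hosts protected by Network Level Authentication.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records: timestamp|EventID|LogonType|TargetUserName|IpAddress
SAMPLE_LOG = """\
2021-06-01T02:14:01|4625|10|administrator|203.0.113.45
2021-06-01T02:14:03|4625|10|admin|203.0.113.45
2021-06-01T02:14:05|4625|10|Administrator|203.0.113.45
2021-06-01T02:14:06|4625|10|backup|203.0.113.45
2021-06-01T02:14:08|4625|10|sqlsvc|203.0.113.45
2021-06-01T02:14:10|4625|10|helpdesk|203.0.113.45
2021-06-01T02:15:30|4625|10|jsmith|198.51.100.7
2021-06-01T02:16:00|4624|10|jsmith|198.51.100.7
2021-06-01T02:40:00|4625|10|jsmith|198.51.100.7
2021-06-01T03:00:00|4625|3|svc|203.0.113.45
"""

FAILED_LOGON = "4625"
RDP_LOGON_TYPES = {"10"}          # add "3" for NLA-protected hosts


def parse_records(text):
    """Parse the pipe-delimited sample; Windows usernames are case-insensitive, so fold them."""
    records = []
    for line in text.strip().splitlines():
        ts, event_id, logon_type, user, ip = line.split("|")
        records.append({"time": datetime.fromisoformat(ts), "event_id": event_id,
                        "logon_type": logon_type, "user": user.lower(), "ip": ip})
    return records


def detect_rdp_bruteforce(records, threshold=5, window=timedelta(minutes=5)):
    """Count failed RDP logons per source address inside a sliding time window.

    Returns {ip: (peak_failures_in_window, set_of_usernames_tried)} for every
    source that reaches `threshold` failures within any `window`-long span.
    Many distinct usernames from one source is the password-spraying signature.
    """
    recent = defaultdict(deque)   # ip -> deque of (time, user) still inside the window
    alerts = {}
    for rec in sorted(records, key=lambda r: r["time"]):
        if rec["event_id"] != FAILED_LOGON or rec["logon_type"] not in RDP_LOGON_TYPES:
            continue
        q = recent[rec["ip"]]
        q.append((rec["time"], rec["user"]))
        while q and rec["time"] - q[0][0] > window:     # expire failures older than the window
            q.popleft()
        if len(q) >= threshold:
            peak, users = alerts.get(rec["ip"], (0, set()))
            alerts[rec["ip"]] = (max(peak, len(q)), users | {u for _, u in q})
    return alerts


if __name__ == "__main__":
    for ip, (count, users) in detect_rdp_bruteforce(parse_records(SAMPLE_LOG)).items():
        print(f"ALERT {ip}: {count} failed RDP logons in window, "
              f"{len(users)} usernames tried: {sorted(users)}")
```

With the defaults, only 203.0.113.45 is reported: six failures against five different accounts in nine seconds. The two failures from 198.51.100.7 are 25 minutes apart and a successful logon (4624) sits between them, which is what a user mistyping a password looks like; a successful 4624 from a source that was alerting a moment earlier is the record worth escalating.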

To counter phishing and drive-by downloads, organizations can run phishing simulations across their whole workforce on a regular basis and ensure that their vulnerability management programs cover the plugins and other software that power their websites, as well as the browsers and browser plugins on user endpoints that exploit kits target.

Businesses should also concentrate on strengthening their overall security posture to better defend against ransomware and other cyber-attacks. One way to do this is to deploy an anti-ransomware solution that uses both Indicators of Compromise (IOCs) and Indicators of Behavior (IOBs), the more subtle attack activity that can reveal an attack early in its course.

This makes it possible to see the complete picture of a ransomware attack wherever it occurs in an organization's environment, even an operation that has not been identified elsewhere before, so that security teams can take swift action to stop it.


When it comes to ransomware attacks, the most effective strategy for businesses is to avoid them in the first place. This requires investing in a multi-layered solution that uses Indicators of Behavior (IOBs) to detect and prevent a ransomware attack at the earliest stages of initial ingress, before the exfiltration of sensitive data for double extortion, and long before the actual ransomware payload is delivered to the victim.

The operation-centric approach adopted by Cybereason enables the company to detect RansomOps attacks early, which is one of the reasons why Cybereason is victorious in the battle against ransomware, having developed the most effective prevention, detection, and response capabilities available.