A Single Click Cost One Hospital $67 Million
In September 2020, Universal Health Services — one of the largest healthcare providers in the U.S. — got hit by the Ryuk ransomware strain. The attack shut down systems across 400 facilities. Patients were diverted. Records went analog. The final damage? An estimated $67 million in pre-tax losses, according to their Q4 2020 earnings report.
That attack didn't start with some sophisticated zero-day exploit. It started the way most ransomware attacks start: with a phishing email that an employee clicked. Understanding how ransomware spreads is the single most important step your organization can take to avoid becoming the next headline.
This isn't an abstract threat. The FBI's Internet Crime Complaint Center (IC3) received 2,474 ransomware complaints in 2020 alone, with adjusted losses exceeding $29.1 million — and those are just the reported cases. The real number is far higher. Let me walk you through the five primary vectors threat actors use to plant ransomware inside your network, and exactly what you can do about each one.
What Is Ransomware and Why Does It Keep Winning?
Ransomware is malware that encrypts your files and demands payment — usually in cryptocurrency — for the decryption key. Modern variants like Ryuk, REvil, and Maze don't just lock your data. They exfiltrate it first, then threaten to publish it if you don't pay. This double-extortion model has made ransomware the most profitable cybercrime category on the planet.
Here's the uncomfortable truth: ransomware keeps winning because it exploits the weakest link in every organization — human behavior. According to Verizon's 2020 Data Breach Investigations Report, 22% of breaches involved phishing, and the human element was a factor in the vast majority of incidents. The technical defenses matter, but if your people don't know how ransomware spreads, those defenses are just speed bumps.
Vector #1: Phishing Emails — Still the King
I've investigated dozens of ransomware incidents over the years. The entry point? A phishing email. Every single time I think organizations have finally figured this out, another wave proves me wrong.
Phishing remains the dominant delivery mechanism for ransomware. A threat actor crafts an email that looks like an invoice, a shipping notification, or an urgent request from HR. The attachment contains a malicious macro, or the link redirects to a drive-by download site. One click, and the payload is running.
Why Phishing Still Works in 2021
Modern phishing campaigns are disturbingly polished. Attackers scrape LinkedIn for organizational charts, spoof internal email domains, and time their campaigns around real business events like tax season or open enrollment. The days of obvious Nigerian prince scams are long gone.
The Emotet botnet — before its takedown by international law enforcement in January 2021 — was one of the most prolific ransomware delivery platforms. Emotet's phishing emails hijacked existing email threads, making them almost impossible to distinguish from legitimate messages. It would drop a banking trojan, which then downloaded Ryuk or Conti ransomware as a second-stage payload.
This is exactly why every organization needs structured phishing awareness training for employees. Phishing simulations — where you send controlled fake phishing emails and track who clicks — are the closest thing to a vaccine for this problem. They build muscle memory. People who've been caught in a simulation are measurably less likely to fall for the real thing.
Vector #2: Exposed Remote Desktop Protocol (RDP)
If phishing is the front door, exposed RDP is the back door left wide open with a welcome mat. Remote Desktop Protocol lets administrators manage systems remotely. It runs on port 3389 by default. And there are hundreds of thousands of internet-facing RDP endpoints right now, many with weak or reused passwords.
Threat actors use brute-force tools and credential stuffing attacks — often using stolen credentials from previous data breaches — to gain access. Once they're in via RDP, they have a direct interactive session on your network. They can disable antivirus, deploy ransomware manually, and move laterally to maximize the blast radius.
The RDP Problem Got Worse in 2020
The mass shift to remote work during the pandemic caused an explosion in exposed RDP endpoints. ESET reported a 768% increase in RDP-based attacks between Q1 and Q4 of 2020. Many organizations spun up remote access hastily, without proper network segmentation or multi-factor authentication.
CISA has specifically warned about this vector multiple times. Their Stop Ransomware resources highlight RDP as one of the top infection vectors and recommend disabling it entirely when not needed, or at minimum placing it behind a VPN with MFA enforced.
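The brute-force and credential-stuffing pattern described above leaves a distinctive trail in the Windows Security log: a burst of failed logons (event 4625) with logon type 10 (RemoteInteractive) from one source, sometimes followed by a success (4624). The detector below is an added example, not code from the article; it assumes the events have already been exported as JSON lines in the simplified field layout shown, and the sample records are constructed.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export (JSON lines) in the simplified layout this example
# assumes. 4625 = failed logon, 4624 = success, logon_type 10 = RDP session.
SAMPLE_EVENTS = """
{"ts": "2020-11-03T02:14:01", "id": 4625, "logon_type": 10, "src": "203.0.113.7", "user": "administrator"}
{"ts": "2020-11-03T02:14:03", "id": 4625, "logon_type": 10, "src": "203.0.113.7", "user": "admin"}
{"ts": "2020-11-03T02:14:05", "id": 4625, "logon_type": 10, "src": "203.0.113.7", "user": "jsmith"}
{"ts": "2020-11-03T02:14:08", "id": 4625, "logon_type": 10, "src": "203.0.113.7", "user": "backup"}
{"ts": "2020-11-03T02:14:10", "id": 4625, "logon_type": 10, "src": "203.0.113.7", "user": "helpdesk"}
{"ts": "2020-11-03T02:14:15", "id": 4624, "logon_type": 10, "src": "203.0.113.7", "user": "helpdesk"}
{"ts": "2020-11-03T09:00:00", "id": 4625, "logon_type": 10, "src": "10.0.5.12", "user": "jsmith"}
{"ts": "2020-11-03T09:00:20", "id": 4624, "logon_type": 10, "src": "10.0.5.12", "user": "jsmith"}
{"ts": "2020-11-03T11:30:00", "id": 4625, "logon_type": 3, "src": "198.51.100.4", "user": "svc"}
"""

FAIL_THRESHOLD = 5             # RDP failures from one source within WINDOW
WINDOW = timedelta(minutes=10)

def parse_events(text):
    """Parse JSON lines into event dicts sorted by timestamp."""
    events = [json.loads(ln) for ln in text.splitlines() if ln.strip()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"])
    return sorted(events, key=lambda e: e["ts"])

def detect_rdp_bruteforce(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return {source_ip: alert}. 'high' = the failure threshold was reached;
    'critical' = a successful RDP logon from that source followed the burst
    within the window, the signature of a credential-stuffing hit."""
    failures = defaultdict(list)   # src -> timestamps of recent RDP failures
    users = defaultdict(set)       # src -> usernames attempted
    alerts = {}
    for e in events:
        if e["logon_type"] != 10:  # ignore non-RDP logons (network, batch, ...)
            continue
        src = e["src"]
        if e["id"] == 4625:
            recent = [t for t in failures[src] if e["ts"] - t <= window]
            recent.append(e["ts"])
            failures[src] = recent
            users[src].add(e["user"])
            if len(recent) >= threshold:
                a = alerts.setdefault(src, {"severity": "high", "success_user": None})
                a["failures"], a["users_tried"] = len(recent), sorted(users[src])
        elif e["id"] == 4624 and src in alerts and e["ts"] - failures[src][-1] <= window:
            alerts[src]["severity"], alerts[src]["success_user"] = "critical", e["user"]
    return alerts
```

A single failed attempt followed by a success (the 10.0.5.12 records) is a normal typo and stays silent; the many-usernames-then-success pattern from 203.0.113.7 is what should page someone.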
Vector #3: Malicious Websites and Drive-By Downloads
Your employees don't have to open an attachment to get infected. Simply visiting a compromised website can be enough. Drive-by downloads exploit vulnerabilities in browsers, plugins, and operating systems to silently install malware without any user interaction beyond navigating to a page.
Exploit kits like RIG and Fallout automate this process. They probe the visitor's browser for unpatched vulnerabilities, select the right exploit, and deliver the payload — often ransomware — in seconds. Malvertising campaigns inject these exploit kits into legitimate advertising networks, meaning your employees can get hit visiting mainstream news sites.
Keeping browsers and plugins updated is non-negotiable. But patching alone doesn't cover zero-day exploits. Web filtering, DNS-layer security, and browser isolation all add layers. This is where a zero trust approach pays dividends — never assume any traffic is safe just because it comes from a "trusted" site.
Vector #4: Software Vulnerabilities and Supply Chain Attacks
In December 2020, the SolarWinds supply chain attack stunned the cybersecurity community. While that incident was primarily espionage-focused, it demonstrated a terrifying truth: attackers can compromise the software supply chain itself, turning legitimate updates into trojans.
Ransomware operators exploit unpatched software constantly. The WannaCry attack of 2017 spread through EternalBlue, an SMB vulnerability that Microsoft had patched two months before the outbreak. Organizations that hadn't applied the patch got hit. In 2021, we're still seeing variants exploit the same vulnerability because some systems remain unpatched years later.
Patch Management Isn't Optional
I've heard every excuse. "We can't patch production servers during business hours." "That update broke something last time." "We'll get to it next quarter." Meanwhile, threat actors are scanning for that exact CVE within hours of its disclosure.
The NIST National Vulnerability Database published over 18,000 CVEs in 2020. You can't patch everything simultaneously, but you must have a risk-based prioritization process. CISA's Known Exploited Vulnerabilities catalog is a solid starting point for deciding what to patch first.
Vector #5: Removable Media and Lateral Movement
USB drives might feel like a 2005 problem. They're not. In 2020, the FBI investigated a case where a threat actor attempted to recruit an employee at Tesla's Nevada Gigafactory to plant malware via a USB device — with a $1 million bribe on the table. That plot was foiled, but most social engineering attempts aren't that dramatic or that well-documented.
Once ransomware gets a foothold — whether via phishing, RDP, or a USB drive — it spreads laterally. Modern ransomware uses legitimate tools like PsExec, PowerShell, and Windows Management Instrumentation (WMI) to propagate across the network. It harvests credentials from memory using tools like Mimikatz, escalates privileges, and targets domain controllers to maximize damage.
Network segmentation is your best defense against lateral movement. If your HR department's network segment can directly reach your production servers, you have a problem that no amount of endpoint protection will fix.
How Does Ransomware Spread? The Short Answer
Ransomware spreads primarily through five vectors: phishing emails with malicious attachments or links, exposed RDP endpoints with weak credentials, drive-by downloads from compromised websites, unpatched software vulnerabilities, and removable media combined with lateral network movement. In most incidents, the initial compromise exploits human error — a clicked link, a weak password, a missed patch — rather than a sophisticated technical exploit.
The $4.88M Lesson Most Organizations Learn Too Late
IBM's 2020 Cost of a Data Breach Report pegged the average total cost of a breach at $3.86 million. But ransomware incidents often cost significantly more when you factor in downtime, recovery, reputational damage, and regulatory fines. Garmin reportedly paid a $10 million ransom in July 2020 after the WastedLocker attack took their services offline for days.
Here's what frustrates me: most of these incidents are preventable. Not with some mythical silver-bullet technology, but with the basics done consistently. Patch your systems. Enforce multi-factor authentication on everything, especially RDP and email. Segment your network. Back up your data offline.
And above all, train your people. Security awareness isn't a compliance checkbox — it's an operational control. Your employees are either your first line of defense or your biggest attack surface. There's no middle ground.
Building a Ransomware-Resilient Organization
Let me give you the practical playbook I recommend to every organization I work with:
- Deploy phishing simulations regularly. Not once a year. Monthly at minimum. Track click rates, report rates, and improvement over time. Use a structured phishing awareness training program that includes realistic scenarios.
- Enforce MFA everywhere. Email, VPN, RDP, cloud applications, admin consoles. Credential theft is the gateway to ransomware. MFA stops the vast majority of credential-based attacks.
- Disable RDP if you don't need it. If you do need it, put it behind a VPN with MFA. Never expose port 3389 to the internet.
- Implement network segmentation. Zero trust isn't just a buzzword. The principle of least privilege should apply to network access, not just user permissions.
- Maintain offline backups. If ransomware can reach your backups, they're not backups — they're future hostages. Test your restoration process quarterly.
- Patch on a risk-based schedule. Critical vulnerabilities with known exploits get patched within 48 hours. No exceptions.
- Invest in endpoint detection and response (EDR). Traditional antivirus won't catch fileless malware or living-off-the-land techniques that modern ransomware uses.
- Build a security-first culture. Comprehensive cybersecurity awareness training should cover not just phishing, but social engineering, credential hygiene, and incident reporting. People need to know what to do when something looks wrong.
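The risk-based patching rule above (known-exploited CVEs within 48 hours, with CISA's KEV catalog as the source of "known exploited", as the patch management section suggests) can be turned into a ranking over scanner output. This is an added example, not the article's or CISA's code; the feed excerpt mirrors the KEV JSON field names but its CVE ids are placeholders, and the findings are constructed.

```python
import json
from datetime import datetime, timedelta

# Constructed excerpt shaped like the KEV JSON feed (field names are the
# catalog's; the CVE ids are placeholders, not real catalog entries).
KEV_JSON = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-0000-00001", "vulnerabilityName": "placeholder SMB RCE",
     "dateAdded": "2021-11-03", "dueDate": "2021-11-17"},
    {"cveID": "CVE-0000-00002", "vulnerabilityName": "placeholder VPN auth bypass",
     "dateAdded": "2021-11-10", "dueDate": "2021-11-24"},
]})

# Constructed scanner output: open findings per host with CVSS base scores.
FINDINGS = [
    {"host": "fileserver01", "cve": "CVE-0000-00001", "cvss": 8.1},
    {"host": "vpn-gw", "cve": "CVE-0000-00002", "cvss": 9.8},
    {"host": "hr-wks-07", "cve": "CVE-0000-00003", "cvss": 9.1},
    {"host": "dev-box", "cve": "CVE-0000-00004", "cvss": 4.3},
]

KEV_SLA = timedelta(hours=48)   # the article's rule; stricter than KEV's dueDate

def load_kev(text):
    """Map cveID -> dateAdded for every entry in a KEV-shaped feed."""
    feed = json.loads(text)
    return {v["cveID"]: datetime.fromisoformat(v["dateAdded"]) for v in feed["vulnerabilities"]}

def prioritize(findings, kev, now_iso):
    """Rank findings: KEV entries first (already-overdue ones on top),
    then non-KEV findings by CVSS tier (>= 7.0 before the rest)."""
    now = datetime.fromisoformat(now_iso)
    ranked = []
    for f in findings:
        added = kev.get(f["cve"])
        row = dict(f, in_kev=added is not None, overdue=False, hours_left=None)
        if added is not None:
            deadline = added + KEV_SLA          # 48 h from the catalog add date
            row["tier"] = 0
            row["overdue"] = now > deadline
            row["hours_left"] = round((deadline - now).total_seconds() / 3600, 1)
        else:
            row["tier"] = 1 if f["cvss"] >= 7.0 else 2
        ranked.append(row)
    # within tier 0 overdue items first; ties broken by highest CVSS
    ranked.sort(key=lambda r: (r["tier"], not r["overdue"], -r["cvss"]))
    return ranked

def overdue_hosts(findings, kev, now_iso):
    """Hosts that have blown the 48-hour SLA on a known-exploited CVE."""
    return sorted({r["host"] for r in prioritize(findings, kev, now_iso) if r["overdue"]})
```

Note that a CVSS 9.8 bug with no known exploitation still ranks below a CVSS 8.1 bug that is in the catalog; exploitation evidence, not score alone, drives the queue.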
Your Employees Are the Battleground
I've seen organizations spend six figures on next-gen firewalls and zero on training. Then they're shocked when an employee clicks a phishing link and Ryuk is running across their domain within four hours. The technical controls matter — but they're the second line of defense, not the first.
The first line is awareness. Knowing how ransomware spreads. Knowing what a phishing email looks like when it's not the obvious, typo-ridden kind. Knowing that a USB drive found in the parking lot isn't a gift — it's a weapon.
According to the FBI IC3 2020 Internet Crime Report, business email compromise and phishing were the top complaint categories by volume. These are the same vectors that deliver ransomware. If you address them, you dramatically reduce your ransomware risk.
Ransomware isn't going away in 2021. It's getting worse. The ransomware-as-a-service model has lowered the barrier to entry so that technically unskilled criminals can launch devastating attacks. The only question is whether your organization will be ready when — not if — someone targets you.
Start with the basics. Train your people. Lock down your perimeter. And stop treating ransomware as someone else's problem.