In February 2022, the FBI and CISA issued a joint advisory warning that ransomware incidents against 14 of 16 U.S. critical infrastructure sectors had increased dramatically. That advisory wasn't theoretical — it followed real attacks against water treatment facilities, hospitals, and food processors. If you're searching for how ransomware spreads, you're asking exactly the right question. Because the encryption payload that locks your files is the last step, not the first. The real battle happens much earlier, at the point of entry. Understanding those entry points is the only way to stop an attack before it starts.

I've responded to ransomware incidents at organizations ranging from 15-person law firms to mid-sized manufacturing companies. The pattern is remarkably consistent. The threat actor doesn't kick down the front door. They find the window someone left cracked open. Here are the six most common ways they get in — and what you can actually do about each one.

How Ransomware Spreads: The 6 Most Common Attack Vectors

The Verizon 2021 Data Breach Investigations Report found that ransomware doubled in frequency from the previous year, appearing in 10% of all breaches. That number has continued climbing into 2022. But the delivery mechanisms aren't new — they're just getting more refined.

1. Phishing Emails: Still the #1 Entry Point

I know you've heard this before. That doesn't make it less true. Phishing remains the dominant method for how ransomware spreads into organizations. The Verizon DBIR consistently identifies phishing as a top action variety in breaches, and the FBI's Internet Crime Complaint Center (IC3) received over 300,000 phishing complaints in 2021 alone.

Here's what actually happens. An employee receives an email that looks like an invoice from a vendor, a shipment notification from FedEx, or a shared document from a colleague. They click a link or open an attachment. That action downloads a loader — often Emotet, Trickbot, or BazarLoader — which then fetches the ransomware payload from a command-and-control server.

The Colonial Pipeline attack in May 2021 shut down fuel distribution across the Eastern Seaboard. The entry point? A single compromised credential, likely harvested through credential theft techniques that frequently start with a phishing email. DarkSide ransomware operators collected a $4.4 million ransom before the FBI recovered a portion of it.

Defending against this requires more than a spam filter. Your employees need ongoing phishing awareness training that uses realistic phishing simulations. Simulated campaigns build pattern recognition. People who have clicked on a fake phishing email in training are far less likely to click a real one.

2. Remote Desktop Protocol (RDP) Exploitation

RDP is the silent killer. When the pandemic forced organizations to enable remote access quickly, many exposed RDP ports (TCP 3389) directly to the internet. Threat actors scan for these ports constantly using tools like Shodan and Masscan.

Once they find an open RDP service, they brute-force credentials or use stolen username/password pairs purchased on dark web marketplaces. CISA has repeatedly warned that RDP exploitation is one of the top initial access vectors for ransomware groups, including Conti and LockBit.

In my experience, this is the vector that surprises organizations the most. They had no idea their RDP was internet-facing. An IT admin enabled it for a weekend project and never disabled it. That single oversight becomes the entry point for a six-figure ransom demand.

What to do: Audit your external attack surface. Disable RDP unless absolutely necessary. If you must use it, put it behind a VPN with multi-factor authentication. No exceptions.

3. Software Vulnerabilities and Unpatched Systems

The Kaseya VSA attack in July 2021 demonstrated how devastating this vector can be. The REvil ransomware group exploited a zero-day vulnerability in Kaseya's remote management software, ultimately affecting between 800 and 1,500 businesses worldwide. Managed service providers using Kaseya unknowingly pushed the ransomware to their own clients.

But you don't need a zero-day for this to work. Most exploitation targets known vulnerabilities with available patches that organizations simply haven't applied. The ProxyLogon and ProxyShell vulnerabilities in Microsoft Exchange Server (CVE-2021-26855 and related CVEs) were exploited by multiple ransomware groups throughout 2021, months after Microsoft released patches.

What to do: Patch aggressively. Prioritize internet-facing systems. Subscribe to CISA's Known Exploited Vulnerabilities Catalog and treat every entry as urgent.

4. Supply Chain Compromise

The Kaseya incident also illustrates supply chain attacks — a growing method for how ransomware spreads beyond a single target. Instead of attacking 1,500 organizations individually, the threat actor compromised one software vendor and reached all of them simultaneously.

The SolarWinds attack in late 2020, while primarily an espionage operation, proved the model. Ransomware groups have taken note. When your trusted software update mechanism becomes the delivery vehicle, traditional perimeter defenses are useless.

This is why zero trust architecture matters. Never trust a connection, a user, or even a software update implicitly. Verify everything. Segment your network so that even if an attacker gets in through a trusted application, lateral movement is contained.

5. Drive-By Downloads and Malvertising

This vector doesn't require any email at all. An employee visits a legitimate website that's been compromised, or encounters a malicious advertisement on an otherwise trustworthy site. Exploit kits like RIG or Fallout probe the browser for unpatched vulnerabilities and silently deliver malware.

In 2021, researchers documented campaigns where threat actors purchased ad space on mainstream websites and used it to redirect users to ransomware payloads. The user doesn't click anything suspicious. They just visit a page.

What to do: Keep browsers and plugins updated. Use ad blockers on corporate devices. Deploy DNS filtering to block known malicious domains. And reinforce through cybersecurity awareness training that even routine browsing carries risk.

6. Removable Media and Insider Threats

The FBI issued a warning in January 2022 about the FIN7 cybercrime group mailing malicious USB drives to U.S. companies. The packages were disguised as gift cards from Amazon or COVID-19 guidelines from the Department of Health and Human Services. When an employee plugged in the USB drive, it installed a backdoor that led to ransomware deployment — including BlackMatter and REvil variants.

This is social engineering at its most physical. The threat actor bypasses every digital defense by putting the payload directly in someone's hands. And it works because people are curious. They plug things in.

What to do: Disable USB auto-run on all endpoints. Implement device control policies. Train employees to never connect unknown devices. Report suspicious packages to your security team.

What Happens After Initial Access: The Kill Chain

Understanding how ransomware spreads doesn't stop at the entry point. After gaining initial access, the attacker follows a predictable sequence that security professionals call the kill chain.

Persistence: They install backdoors or create new user accounts so they can return even if you discover and close the initial entry point.

Reconnaissance: They map your network. They identify domain controllers, backup servers, and file shares. This phase can take days or weeks.

Privilege escalation: They steal credentials — often using tools like Mimikatz — to gain domain administrator access. Once they have admin rights, they own your environment.

Lateral movement: They spread across your network, jumping from workstation to server. This is where network segmentation either saves you or fails you.

Exfiltration: Modern ransomware groups practice double extortion. They steal your data before encrypting it. If you refuse to pay for decryption, they threaten to publish the data. The Conti group maintained a leak site where they regularly posted victim data throughout 2021.

Encryption: Only now, after days or weeks of preparation, do they deploy the ransomware payload. They target backups first. If your backups are accessible from the same network with the same credentials, they get encrypted too.

Why Traditional Antivirus Isn't Enough

I still encounter organizations that believe their antivirus software will catch ransomware. Here's the problem: modern ransomware uses fileless techniques, living-off-the-land binaries (LOLBins), and legitimate system tools like PowerShell and WMI to execute. The ransomware binary itself may never touch disk until the final encryption phase.

Endpoint Detection and Response (EDR) tools are a significant upgrade. They monitor behavior patterns rather than just file signatures. But even EDR is one layer. You need defense in depth — email filtering, network segmentation, patch management, backup isolation, MFA everywhere, and trained humans who can spot social engineering.
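As an added illustration of the behavior-based monitoring the paragraph above contrasts with signature scanning (example code written for this page, not the post's own and not any EDR product's logic): it scores constructed Sysmon-style process-creation events on who launched a script or WMI host and how it was invoked. The event shape, the parent/child pairings and the argument patterns are this example's assumptions.

```python
import re

# Constructed process-creation events in a Sysmon-like shape; not real telemetry
# and not the post's data. The "-enc" payload is a harmless placeholder ("AAAA").
SAMPLE_EVENTS = [
    {"host": "ws17", "parent": r"C:\Program Files\Microsoft Office\OUTLOOK.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc QUFBQQ=="},
    {"host": "ws17", "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -File C:\Scripts\disk-report.ps1"},
    {"host": "ws23", "parent": r"C:\Program Files\Microsoft Office\WINWORD.EXE",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe C:\Users\j.doe\AppData\Local\Temp\invoice.js"},
    {"host": "srv04", "parent": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\wbem\WmiPrvSE.exe", "cmdline": "WmiPrvSE.exe"},
]

# Signature-free heuristics (assumed rule set): who launched the script host,
# and whether it was started hidden, without profile, or with an encoded command.
OFFICE_PARENTS = {"outlook.exe", "winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "wmic.exe"}
SUSPICIOUS_ARGS = re.compile(r"(?i)-(enc|encodedcommand)\b|-w(indowstyle)?\s+hidden|-nop\b")


def basename(path):
    """Windows-style basename, lower-cased, independent of the OS this runs on."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(event):
    """Return the reasons an event looks like living-off-the-land execution."""
    reasons = []
    if basename(event["image"]) not in SCRIPT_HOSTS:
        return reasons  # only script/WMI hosts are scored here
    if basename(event["parent"]) in OFFICE_PARENTS:
        reasons.append("script host spawned by an Office or mail application")
    for match in SUSPICIOUS_ARGS.finditer(event["cmdline"]):
        reasons.append(f"suspicious argument: {match.group(0)}")
    return reasons


def detect(events):
    """Return (host, image basename, reasons) for every event that trips a rule."""
    hits = []
    for event in events:
        reasons = classify(event)
        if reasons:
            hits.append((event["host"], basename(event["image"]), reasons))
    return hits
```

The explorer-launched script with a plain -File argument produces no finding, which is the point: the same binary is judged by its context, not by a file hash.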

The $4.62M Reason to Invest in Prevention

IBM's Cost of a Data Breach Report 2021 found the average cost of a ransomware breach was $4.62 million — and that figure doesn't include the ransom payment itself. It accounts for detection, response, downtime, lost business, and regulatory fines.

For small and mid-sized organizations, the math is existential. The National Cyber Security Alliance estimated that 60% of small businesses close within six months of a cyberattack. You can't afford to treat ransomware defense as optional.

Practical Steps to Reduce Your Ransomware Risk Right Now

Here's what I recommend to every organization I work with, regardless of size or industry:

  • Implement MFA on everything. Email, VPN, RDP, admin consoles, cloud services. Multi-factor authentication stops credential theft from becoming a full breach.
  • Isolate your backups. Follow the 3-2-1 rule: three copies, two different media types, one offsite. At least one backup should be air-gapped or immutable. Test restores quarterly.
  • Segment your network. Don't let a compromised workstation in accounting reach your domain controller or backup server. Zero trust principles demand verification at every boundary.
  • Patch within 48 hours for critical vulnerabilities. Especially anything on CISA's exploited vulnerabilities list. If you can't patch, mitigate — take the system offline if necessary.
  • Run phishing simulations monthly. Not as a gotcha — as training. People learn by doing. Every simulated phishing email your employees correctly identify makes your organization harder to attack. Start with structured phishing simulation training designed for real-world scenarios.
  • Conduct regular security awareness training. Phishing is just one piece. Your people need to understand social engineering, USB threats, safe browsing, and incident reporting. A comprehensive security awareness training program builds this knowledge systematically.
  • Develop and test an incident response plan. When ransomware hits, the first hour matters most. Know who to call, what to isolate, and where your playbook lives — before you need it.
  • Disable unnecessary services. RDP, SMBv1, legacy protocols. If it's not required for business, turn it off. Every open service is an attack surface.

Frequently Asked: What Is the Most Common Way Ransomware Spreads?

Phishing emails are the most common way ransomware spreads in 2022. Threat actors send emails containing malicious attachments or links that download ransomware loaders. According to CISA and the FBI, phishing — combined with exploited RDP connections and unpatched software vulnerabilities — accounts for the vast majority of ransomware initial access vectors. The best defense combines email security tools, regular patching, multi-factor authentication, and ongoing employee training that includes phishing simulations.

The Human Layer Is Your Best Defense

Every attack vector I've described above has one thing in common: a human decision point. Someone clicks a link. Someone leaves RDP open. Someone skips a patch. Someone plugs in a USB drive. Technology catches some of this. Trained, alert humans catch the rest.

Ransomware groups aren't going to stop. The NIST Cybersecurity Framework provides a solid structure for building layered defenses. But frameworks only work when people follow them. And people only follow them when they understand why.

That's what security awareness training does. Not a checkbox exercise once a year — real, ongoing education that changes behavior. Knowing how ransomware spreads is the first step. Building an organization that's resilient to these attacks is the work that follows.

Start today. Your next phishing email is already on its way.