In May 2021, a single compromised VPN password shut down the largest fuel pipeline in the United States. The Colonial Pipeline attack didn't start with some exotic zero-day exploit. It started with a stolen credential for a legacy VPN account that had no multi-factor authentication in front of it. That's the reality of how ransomware spreads, and it's almost never as sophisticated as the headlines suggest.
If you're searching for how ransomware spreads, you probably already suspect your organization has gaps. You're right. The Verizon 2024 Data Breach Investigations Report found that ransomware or extortion was involved in 32% of all breaches. Understanding every propagation method isn't academic — it's the difference between a normal Tuesday and a seven-figure incident response bill.
I've responded to ransomware incidents in organizations ranging from 15-person law firms to multinational manufacturers. The infection vectors repeat themselves with depressing predictability. Here are the seven paths I see threat actors exploit over and over again — and what actually stops them.
1. Phishing Emails: Still the #1 Way Ransomware Spreads
Every time I brief a leadership team, someone asks if phishing is really still that big a deal. Yes. It is the dominant initial access vector, full stop. CISA's #StopRansomware Guide consistently lists phishing as a top delivery mechanism for ransomware payloads.
Here's what actually happens. An employee receives an email that looks like a shipping notification, an invoice from a known vendor, or a shared document from a colleague. They click a link or open an attachment. A macro fires, a loader executes, and within minutes a threat actor has a foothold. Since Microsoft began blocking macros in Office files downloaded from the internet by default, many crews have moved to ISO, LNK, and OneNote attachments or HTML smuggling, but the mechanics are the same: one click, one loader, one foothold.
Why Phishing Simulations Aren't Optional
The organizations I've seen survive ransomware attempts have one thing in common: they test their people regularly. Not once a year during compliance season. Monthly or quarterly, with realistic scenarios that mirror current threat actor tactics.
If your organization hasn't built a phishing simulation program, our phishing awareness training for organizations gives you a structured starting point with real-world attack templates and reporting workflows.
2. Remote Desktop Protocol (RDP) Left Wide Open
RDP exposed to the internet is essentially an unlocked door with a neon sign that reads "come on in." Attackers scan for port 3389 continuously using automated tools, and moving the service to a non-standard port buys nothing, because the scanners fingerprint the protocol, not the port number. Once they find an open RDP endpoint, they brute-force credentials or use previously stolen passwords from credential dumps.
The Dharma, Phobos, and SamSam ransomware families all relied heavily on RDP as their primary entry point. I've personally investigated incidents where the compromised RDP endpoint had the username "admin" and a password that was the company name followed by "123."
What to Do About RDP
- Disable RDP on any system that doesn't absolutely require it.
- Never expose RDP directly to the internet. Put it behind a VPN with multi-factor authentication.
- Enable Network Level Authentication (NLA) and account lockout policies.
- Monitor for anomalous RDP login attempts: logons outside business hours, logons from IP ranges where you have no staff, and a burst of failures followed by a success from the same source address.
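The last bullet is the one teams most often skip because "monitor for anomalous logins" is vague. The following is an added example, not code from this article's author, of what that monitoring looks like when written down: three checks over Windows Security 4624/4625 events with logon type 10 (RemoteInteractive, i.e. RDP). The events, the business-hours window, and the brute-force threshold are all assumptions made for the example; the 203.0.113.0/24 and 198.51.100.0/24 addresses are documentation ranges, not real attackers.

```python
"""Two checks over RDP logon events: a burst of failed RDP logons from one
source address, and a successful RDP logon outside business hours or from a
source that was just brute-forcing. The events are constructed to look like
Windows Security 4624/4625 records (added example, not the page's code)."""
from collections import defaultdict
from datetime import datetime, timedelta

BUSINESS_HOURS = range(8, 18)   # assumed local working day; tune per site


def _ts(base, seconds):
    return (base + timedelta(seconds=seconds)).isoformat(timespec="seconds")


# Constructed password spray: eight failed RDP logons (4625, logon type 10)
# from one address inside three minutes, then a success from the same source
# at 02:06. 203.0.113.0/24 is a documentation range, not a real attacker.
_SPRAY_START = datetime(2024, 3, 12, 2, 3, 10)
_SPRAY_USERS = ["admin", "administrator", "admin", "backup",
                "admin", "helpdesk", "admin", "admin"]

EVENTS = [
    {"time": _ts(_SPRAY_START, 20 * i), "id": 4625, "user": u,
     "src": "203.0.113.7", "logon_type": 10}
    for i, u in enumerate(_SPRAY_USERS)
] + [
    {"time": "2024-03-12T02:06:30", "id": 4624, "user": "admin",
     "src": "203.0.113.7", "logon_type": 10},
    # Normal daytime activity and a couple of mistyped passwords.
    {"time": "2024-03-12T09:15:00", "id": 4624, "user": "jsmith",
     "src": "10.0.5.23", "logon_type": 10},
    {"time": "2024-03-12T10:02:11", "id": 4625, "user": "mlopez",
     "src": "10.0.5.40", "logon_type": 10},
    {"time": "2024-03-12T14:40:00", "id": 4625, "user": "mlopez",
     "src": "10.0.5.40", "logon_type": 10},
    # Network (type 3) failure: not RDP, so the RDP rules ignore it.
    {"time": "2024-03-12T02:05:00", "id": 4625, "user": "svc-scan",
     "src": "203.0.113.9", "logon_type": 3},
]


def _when(event):
    return datetime.fromisoformat(event["time"])


def _is_rdp(event):
    return event["logon_type"] == 10


def brute_force_sources(events, threshold=5, window_seconds=300):
    """Source addresses with at least `threshold` failed RDP logons inside any
    `window_seconds` span (sliding window per source)."""
    failures = defaultdict(list)
    for e in events:
        if e["id"] == 4625 and _is_rdp(e):
            failures[e["src"]].append(_when(e))
    window = timedelta(seconds=window_seconds)
    hits = set()
    for src, times in failures.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits.add(src)
                break
    return hits


def off_hours_rdp_success(events, hours=BUSINESS_HOURS):
    """Successful RDP logons on a weekend or outside the working day."""
    return [e for e in events
            if e["id"] == 4624 and _is_rdp(e)
            and (_when(e).weekday() >= 5 or _when(e).hour not in hours)]


def success_after_burst(events, **kwargs):
    """Successful RDP logons from a source that also tripped the brute-force
    rule: the strongest signal that the password was guessed."""
    suspects = brute_force_sources(events, **kwargs)
    return [e for e in events
            if e["id"] == 4624 and _is_rdp(e) and e["src"] in suspects]


if __name__ == "__main__":
    print("brute force from:", sorted(brute_force_sources(EVENTS)))
    for e in off_hours_rdp_success(EVENTS):
        print("off-hours RDP success:", e["time"], e["user"], e["src"])
    for e in success_after_burst(EVENTS):
        print("success after burst:", e["time"], e["user"], e["src"])
```

The sliding window matters: a spray that drips in at one attempt per minute never trips a "5 failures in a minute" rule, so keep the window wide enough for the slow version and let the success-after-burst rule carry the weight. In a real deployment the event list comes from a SIEM query or Get-WinEvent rather than an inline list.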
3. Credential Theft and Initial Access Brokers
There's an entire underground economy built around selling access to compromised networks. Initial access brokers break in through stolen credentials, then auction that access to ransomware operators. Your employee's reused password from a breached fitness app becomes the key to your entire domain.
The FBI's Internet Crime Complaint Center (IC3) has repeatedly warned about this ecosystem in its annual reports. Credential theft feeds ransomware at scale.
Credential Hygiene That Actually Works
- Enforce multi-factor authentication on every externally facing service. No exceptions.
- Deploy a password manager organization-wide so employees stop reusing passwords.
- Monitor breach notification services for your corporate domains.
- Implement conditional access policies that block logins from impossible travel scenarios.
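"Impossible travel" in the last bullet is a concrete calculation, not a vendor feature: two sign-ins by the same account whose distance divided by the time between them exceeds anything an airliner can do. Here it is written out as an added example (not code from the article's author or from any identity provider). The sign-ins are constructed, the coordinates are rough city centres, the 900 km/h ceiling and the 50 km jitter floor are assumptions, and the IPs are documentation ranges.

```python
"""Impossible-travel check: walk each account's sign-ins in time order and
flag any consecutive pair whose implied ground speed exceeds what an airliner
can do. Added example, not the page's code. Sign-ins are constructed; the
coordinates are rough city centres and the IPs are documentation ranges."""
import math
from collections import defaultdict
from datetime import datetime

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0   # commercial aviation ceiling; assumed threshold
MIN_DISTANCE_KM = 50.0      # ignore geolocation jitter inside one metro area

SIGNINS = [
    # jsmith: Chicago at 08:02, "Amsterdam" 45 minutes later, Chicago that evening.
    {"user": "jsmith", "time": "2024-03-12T08:02:00", "ip": "198.51.100.10", "lat": 41.88, "lon": -87.63},
    {"user": "jsmith", "time": "2024-03-12T08:47:00", "ip": "203.0.113.55", "lat": 52.37, "lon": 4.90},
    {"user": "jsmith", "time": "2024-03-12T20:00:00", "ip": "198.51.100.10", "lat": 41.88, "lon": -87.63},
    # alee: Chicago in the morning, New York five hours later (a real flight).
    {"user": "alee", "time": "2024-03-12T07:55:00", "ip": "198.51.100.12", "lat": 41.88, "lon": -87.63},
    {"user": "alee", "time": "2024-03-12T13:10:00", "ip": "203.0.113.70", "lat": 40.71, "lon": -74.01},
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two WGS84 points, in kilometres."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def impossible_travel(signins, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (earlier, later, speed_kmh) for consecutive sign-ins by the same
    account that would require moving faster than max_kmh."""
    by_user = defaultdict(list)
    for s in signins:
        by_user[s["user"]].append(s)
    flags = []
    for rows in by_user.values():
        rows.sort(key=lambda s: datetime.fromisoformat(s["time"]))
        for prev, cur in zip(rows, rows[1:]):
            km = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            if km < MIN_DISTANCE_KM:
                continue
            seconds = (datetime.fromisoformat(cur["time"])
                       - datetime.fromisoformat(prev["time"])).total_seconds()
            # Two far-apart sign-ins at the same instant are infinitely fast.
            speed = km / (seconds / 3600) if seconds > 0 else math.inf
            if speed > max_kmh:
                flags.append((prev, cur, speed))
    return flags


if __name__ == "__main__":
    for prev, cur, speed in impossible_travel(SIGNINS):
        print(f"{prev['user']}: {prev['ip']} -> {cur['ip']} implies {speed:,.0f} km/h")
```

The action on a hit is to treat the later sign-in as the suspect one: revoke that session and its refresh tokens and require a fresh MFA challenge, not just log it. Note that the evening Chicago sign-in is not flagged, because eleven hours is enough to fly back; the policy catches the Amsterdam session, which is the one that matters. Geolocation is noisy for VPN exit nodes and mobile carriers, so keep the jitter floor and expect to whitelist your own VPN ranges.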
Security awareness plays a direct role here. Employees who understand why credential theft matters are far less likely to reuse passwords or ignore MFA prompts. Our cybersecurity awareness training covers credential hygiene in practical, non-technical language your entire workforce can absorb.
4. Exploiting Unpatched Vulnerabilities
WannaCry hit over 200,000 systems across 150 countries in 2017 by exploiting a known Windows SMBv1 vulnerability (MS17-010, the flaw behind the EternalBlue exploit) that Microsoft had patched two months earlier. The organizations that got encrypted simply hadn't applied the update.
This pattern hasn't changed. Ransomware groups actively scan for unpatched VPN appliances, firewalls, and web-facing applications. The Cl0p ransomware gang exploited a zero-day SQL injection flaw in MOVEit Transfer (CVE-2023-34362) in 2023, compromising hundreds of organizations through a single software vulnerability.
Patch Management Isn't Glamorous, but It Works
- Prioritize patching internet-facing systems within 48 hours of critical CVE publication.
- Maintain an accurate asset inventory — you can't patch what you don't know exists.
- Subscribe to CISA's Known Exploited Vulnerabilities (KEV) catalog and treat every entry as urgent.
- Test patches in a staging environment, but don't let testing become an excuse for delay.
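The second and third bullets only pay off when you join them: an inventory tells you what you run, the KEV catalog tells you what is being exploited, and the intersection is the patch queue. The following added example (not code from the article's author) does that join and assigns deadlines using the 48-hour rule for internet-facing hosts and a 14-day internal SLA capped by CISA's own due date. KEV_SAMPLE is a constructed two-entry subset that uses the real feed's field names (the full feed is published at https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json) with illustrative dates; the inventory, its hostnames and its scanner findings are made up, and the internal SLA is an assumption.

```python
"""Patch-queue triage: join an asset inventory against the CISA Known
Exploited Vulnerabilities (KEV) catalog and give every KEV hit a deadline,
48 hours for internet-facing systems and a 14-day internal SLA capped by
CISA's own due date for everything else. Added example, not the page's code.
KEV_SAMPLE is a constructed subset using the real feed's field names with
illustrative dates; ASSETS and its findings are made up."""
from datetime import datetime, timedelta

KEV_SAMPLE = {"vulnerabilities": [
    {"cveID": "CVE-2023-34362", "vendorProject": "Progress", "product": "MOVEit Transfer",
     "dateAdded": "2023-06-02", "dueDate": "2023-06-23", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-2017-0144", "vendorProject": "Microsoft", "product": "SMBv1",
     "dateAdded": "2022-02-10", "dueDate": "2022-08-10", "knownRansomwareCampaignUse": "Known"},
]}

# Constructed inventory; "findings" is whatever your scanner reported.
# build07's finding is not in the sample feed, so it stays in the normal cycle.
ASSETS = [
    {"host": "mft01", "internet_facing": True, "findings": ["CVE-2023-34362"]},
    {"host": "fs02", "internet_facing": False, "findings": ["CVE-2017-0144"]},
    {"host": "build07", "internet_facing": False, "findings": ["CVE-2023-38545"]},
]

EXPOSED_SLA = timedelta(hours=48)   # the 48-hour rule for internet-facing hosts
INTERNAL_SLA = timedelta(days=14)   # assumed internal SLA; tune to your policy


def kev_index(feed):
    """cveID -> catalog entry."""
    return {v["cveID"]: v for v in feed["vulnerabilities"]}


def patch_queue(assets, feed, now, exposed_sla=EXPOSED_SLA, internal_sla=INTERNAL_SLA):
    """One work item per (host, KEV CVE), ordered so that internet-facing hosts
    and CVEs with known ransomware use come first, then by deadline.
    `now` is an ISO 8601 timestamp."""
    kev = kev_index(feed)
    now_dt = datetime.fromisoformat(now)
    items = []
    for asset in assets:
        for cve in asset["findings"]:
            entry = kev.get(cve)
            if entry is None:
                continue  # not known-exploited: normal cycle, not this queue
            # The clock starts when the CVE hit KEV (proxy for when you learned of it).
            added = datetime.fromisoformat(entry["dateAdded"])
            cisa_due = datetime.fromisoformat(entry["dueDate"])
            sla = exposed_sla if asset["internet_facing"] else internal_sla
            deadline = min(added + sla, cisa_due)
            items.append({
                "host": asset["host"],
                "cve": cve,
                "product": f'{entry["vendorProject"]} {entry["product"]}',
                "internet_facing": asset["internet_facing"],
                "ransomware_use": entry.get("knownRansomwareCampaignUse") == "Known",
                "deadline": deadline.isoformat(timespec="seconds"),
                "overdue": now_dt > deadline,
            })
    items.sort(key=lambda i: (not i["internet_facing"], not i["ransomware_use"], i["deadline"]))
    return items


if __name__ == "__main__":
    for item in patch_queue(ASSETS, KEV_SAMPLE, now=datetime.now().isoformat(timespec="seconds")):
        flag = "OVERDUE" if item["overdue"] else "due"
        print(f'{item["host"]:8} {item["cve"]:16} {flag} {item["deadline"]}')
```

The `knownRansomwareCampaignUse` field is in the real feed and is the single most useful sort key for this article's purpose: a KEV entry tied to a ransomware campaign on an internet-facing host is the ticket you work today. Run the join on every feed refresh, because a CVE that was a routine finding yesterday becomes a 48-hour item the moment CISA adds it.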
5. Malicious Attachments and Drive-By Downloads
Not all ransomware arrives through targeted phishing. Some spreads through malvertising — malicious ads on legitimate websites that redirect browsers to exploit kits. Others arrive as trojanized software downloads from compromised or look-alike sites.
I investigated one incident where an employee downloaded what they thought was a PDF converter from a search engine result. The installer was bundled with a loader that pulled down Ryuk ransomware 72 hours later — long after the employee had forgotten about the download.
Reduce the Attack Surface
- Restrict local admin privileges so employees can't install software freely.
- Use application control (allow-listing through AppLocker or Windows Defender Application Control) and controlled folder access, so an unexpected binary can neither run nor touch user documents.
- Deploy DNS filtering to block known malicious domains.
- Disable Office macros by default via Group Policy for users who don't need them, and leave Microsoft's default block on macros in files downloaded from the internet in place.
6. Supply Chain and Managed Service Provider Compromises
The Kaseya VSA attack in July 2021 demonstrated how ransomware spreads through trusted relationships. The REvil ransomware gang exploited zero-day vulnerabilities in Kaseya's on-premises VSA server, the remote management software that managed service providers (MSPs) used to administer thousands of downstream clients, and pushed the ransomware out through VSA's own update mechanism. One breach became roughly 1,500 breaches overnight.
Your security posture is only as strong as the weakest vendor with access to your network. This is where zero trust architecture stops being a buzzword and starts being a survival strategy.
Vendor Risk Controls
- Require MFA and audit logging for all third-party remote access.
- Segment vendor access so a compromised MSP can't pivot across your entire environment.
- Include incident notification clauses in vendor contracts — you need to know within hours, not weeks.
- Review vendor SOC 2 reports annually and ask hard questions about their patching cadence.
7. Lateral Movement After Initial Access
Here's what most articles about how ransomware spreads get wrong: they focus exclusively on initial access. But the damage happens during lateral movement. A threat actor who compromises one workstation is annoying. A threat actor who reaches your domain controller and deploys ransomware to every endpoint simultaneously is catastrophic.
Ransomware operators routinely spend days or weeks inside a network before detonating their payload. They use legitimate tools like PsExec, PowerShell, and RDP to move laterally, escalate privileges, delete volume shadow copies, and disable or encrypt backups.
Slow the Kill Chain
- Implement network segmentation — flat networks are a ransomware operator's dream.
- Deploy endpoint detection and response (EDR) with behavioral analysis, not just signature-based detection.
- Use tiered admin accounts: your domain admin credentials should never touch a standard workstation.
- Monitor for suspicious use of legitimate admin tools. PsExec running at 2 AM from an accounting workstation is a red flag.
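The last two bullets describe detections, so here they are as code: an added example, not detection content from the article's author. PsExec installs a service on the target (Windows logs that as System event 7045 with the Sysinternals default name PSEXESVC), and the account that pushed it shows up as the network logon (Security 4624, logon type 3) on the same host moments earlier. The tiering rule is simpler: a domain admin account should never produce an interactive logon on a workstation. The events, hostnames, accounts and tier assignments are all constructed for the example.

```python
"""Two lateral-movement detections: a PsExec-style service install attributed
to the network logon that preceded it, and a domain admin account logging on
interactively to a workstation (a tier-0 credential exposed on a tier-2 box).
Added example, not the page's code. Events are constructed to resemble
System 7045 and Security 4624 records; hosts and accounts are made up."""
from datetime import datetime, timedelta
import ntpath

DOMAIN_ADMINS = {"da-jdoe"}              # assumed tier-0 accounts
WORKSTATIONS = {"ACCT-WS17", "HR-WS03"}   # assumed tier-2 hosts
INTERACTIVE_LOGON_TYPES = {2, 10, 11}     # console, RDP, cached console
BUSINESS_HOURS = range(8, 18)

EVENTS = [
    # 02:10: a domain admin logs on at the console of an accounting workstation...
    {"time": "2024-03-12T02:10:00", "id": 4624, "host": "ACCT-WS17", "logon_type": 2,
     "user": "da-jdoe", "src": "-"},
    # ...then reaches the file server over the network and PsExec installs its service.
    {"time": "2024-03-12T02:13:50", "id": 4624, "host": "FS02", "logon_type": 3,
     "user": "da-jdoe", "src": "10.0.5.17"},
    {"time": "2024-03-12T02:14:03", "id": 7045, "host": "FS02",
     "service_name": "PSEXESVC", "image_path": r"%SystemRoot%\PSEXESVC.exe"},
    # Earlier backup-service logon on the same host: outside the attribution window.
    {"time": "2024-03-12T01:00:00", "id": 4624, "host": "FS02", "logon_type": 3,
     "user": "svc-backup", "src": "10.0.9.5"},
    # Benign daytime noise.
    {"time": "2024-03-12T10:30:00", "id": 4624, "host": "HR-WS03", "logon_type": 2,
     "user": "mlopez", "src": "-"},
    {"time": "2024-03-12T11:00:00", "id": 7045, "host": "SRV-APP1",
     "service_name": "Backup Agent", "image_path": r"C:\Program Files\Backup\agent.exe"},
]


def _t(event):
    return datetime.fromisoformat(event["time"])


def is_psexec_service(event):
    """7045 whose service name or binary is the Sysinternals default. PsExec's
    -r switch renames the service, so treat this as one signal among several."""
    if event["id"] != 7045:
        return False
    name = event["service_name"].lower()
    binary = ntpath.basename(event["image_path"]).lower()
    return name == "psexesvc" or binary == "psexesvc.exe"


def attribute_service_installs(events, window=timedelta(seconds=90)):
    """Pair each PsExec-style 7045 with the most recent network logon (4624,
    type 3) on the same host inside `window`: that is the account and source
    that pushed the service."""
    logons = [e for e in events if e["id"] == 4624 and e["logon_type"] == 3]
    alerts = []
    for svc in filter(is_psexec_service, events):
        candidates = [l for l in logons
                      if l["host"] == svc["host"]
                      and timedelta(0) <= _t(svc) - _t(l) <= window]
        origin = max(candidates, key=_t, default=None)
        alerts.append({
            "rule": "psexec_service_install",
            "time": svc["time"],
            "host": svc["host"],
            "user": origin["user"] if origin else None,
            "src": origin["src"] if origin else None,
            "off_hours": _t(svc).weekday() >= 5 or _t(svc).hour not in BUSINESS_HOURS,
        })
    return alerts


def tier_violations(events, domain_admins=DOMAIN_ADMINS, workstations=WORKSTATIONS):
    """Interactive logons by tier-0 accounts on tier-2 hosts."""
    return [{"rule": "tier0_on_workstation", "time": e["time"],
             "host": e["host"], "user": e["user"]}
            for e in events
            if e["id"] == 4624 and e["logon_type"] in INTERACTIVE_LOGON_TYPES
            and e["host"] in workstations and e["user"].lower() in domain_admins]


if __name__ == "__main__":
    for a in attribute_service_installs(EVENTS) + tier_violations(EVENTS):
        print(a)
```

Both alerts fire on the constructed timeline, and read together they tell the story in the list above: the domain admin credential was sitting on a workstation, and ninety seconds after someone used it over the network a remote-execution service appeared on a file server at 2 AM. Because attackers rename the PsExec service, pair the name check with a broader rule on any new service whose binary was just written to ADMIN$, and treat the tiering violation as the higher-fidelity signal of the two.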
What Is the Most Common Way Ransomware Spreads?
Phishing emails remain the most common ransomware delivery method. According to CISA, phishing is consistently the top initial infection vector in ransomware incidents across all sectors. A single employee clicking a malicious link or opening a weaponized attachment gives threat actors the foothold they need. The second most common vector is exploitation of exposed remote access services like RDP. Together, these two methods account for the overwhelming majority of ransomware infections.
The $4.88M Lesson Most Organizations Learn Too Late
IBM's Cost of a Data Breach Report 2024 pegged the global average cost of a data breach at $4.88 million. Ransomware incidents frequently exceed that figure when you factor in downtime, incident response, legal costs, regulatory fines, and reputational damage.
The organizations that avoid becoming case studies share a few characteristics. They train their people relentlessly. They enforce multi-factor authentication everywhere. They patch aggressively. And they assume breach — building their architecture on zero trust principles so that a single compromised account doesn't cascade into a network-wide encryption event.
Build Defenses That Match the Threat
Knowing how ransomware spreads is the foundation. Acting on that knowledge is what separates resilient organizations from victims. Every propagation method I've described above has a corresponding defense that's within reach of organizations of any size.
Start with your people. Social engineering is the thread that runs through nearly every ransomware incident. Employees who can recognize a phishing email, who understand why MFA matters, and who know how to report suspicious activity are your most effective security control.
Our cybersecurity awareness training program covers ransomware, credential theft, social engineering, and the practical habits that keep organizations safe. For targeted anti-phishing exercises, our phishing awareness training lets you simulate real-world attacks and measure your organization's readiness over time.
Ransomware operators are running a business. They optimize for low effort and high return. Every defense you layer in — training, MFA, patching, segmentation, EDR — raises their cost of attack. Make your organization expensive enough to breach, and they'll move on to an easier target.
That's not hope. That's how attacker economics actually work. And it's the best leverage you've got.