In September 2023, MGM Resorts lost an estimated $100 million after a social engineering phone call — just one phone call — gave threat actors the foothold they needed to deploy ransomware across the company's entire infrastructure. Slot machines went dark. Hotel key cards stopped working. Reservation systems collapsed. All because someone convinced a help desk employee to reset a credential.

If you want to understand how ransomware spreads, forget the Hollywood image of a hoodie-clad hacker furiously typing code. The reality is far more mundane and far more dangerous. Ransomware spreads through predictable, repeatable paths — and every single one of them is preventable if you know where to look.

This post breaks down the seven most common propagation methods I see in real-world incidents, backed by data from the FBI, CISA, and the Verizon Data Breach Investigations Report. Whether you're a solo IT admin or a CISO with a team of fifty, these are the attack vectors you need to lock down right now.

The Scale of the Problem in 2024

The FBI's Internet Crime Complaint Center (IC3) reported that ransomware complaints increased significantly through 2023, with critical infrastructure sectors hit hardest. Healthcare, manufacturing, and government facilities topped the victim list. The FBI IC3 2022 report documented 2,385 ransomware complaints with adjusted losses exceeding $34 million — and those are only the incidents that were reported.

The Verizon 2023 DBIR found that ransomware was involved in 24% of all breaches. That number has held steady for two years, which tells me something important: organizations are not adapting fast enough. The attackers have their playbook dialed in. Let me show you what it looks like.

Path 1: Phishing Emails — Still the #1 Entry Point

I've investigated dozens of ransomware incidents, and phishing is the initial access vector in the majority of them. It's not glamorous. It works anyway.

Here's what actually happens: an employee receives an email that looks like a DocuSign notification, a shipping update, or a voicemail transcript. They click the link or open the attachment. A loader like Emotet, QakBot, or IcedID drops onto the workstation. That loader phones home, downloads a post-exploitation framework like Cobalt Strike, and the threat actor now has a beachhead inside your network.

From there, lateral movement begins. The attacker harvests credentials, maps Active Directory, identifies backup systems, and deploys ransomware across every reachable endpoint — sometimes within hours.

Why Phishing Simulations Actually Matter

Your employees are the first line of defense against this exact scenario. Regular phishing awareness training reduces click rates dramatically. I've seen companies go from a 30% click rate to under 5% within six months of consistent simulation programs. That's not a soft metric — that's a measurable reduction in the probability that a ransomware payload ever executes on your network.

Path 2: Remote Desktop Protocol (RDP) Exposure

RDP exposed directly to the internet is an open invitation. Threat actors use internet-wide scan data from services like Shodan to find hosts with port 3389 open, then brute-force or credential-stuff their way in. Once they have an RDP session, they own that machine — and from there, the entire domain is in play.

The Dharma/CrySIS ransomware family made a career out of exploiting exposed RDP. So did Phobos. CISA has issued multiple advisories warning organizations to stop exposing RDP to the internet, yet as of early 2024, hundreds of thousands of RDP endpoints remain publicly accessible.

What To Do About RDP

  • Never expose RDP directly to the internet. Use a VPN or a zero trust network access (ZTNA) solution as a gateway.
  • Enforce multi-factor authentication on every remote access connection. No exceptions.
  • Implement account lockout policies to stop brute-force attacks.
  • Monitor RDP login events for anomalous activity — logins at 3 AM from foreign IPs should trigger alerts, not just log entries.
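As an added example (not code from the original post), here is a small Python detector for the kind of RDP monitoring the list above calls for. It assumes Windows Security events have already been exported as dicts carrying EventID (4624 success, 4625 failure), LogonType (10 = RemoteInteractive, i.e. RDP), source IP, user and timestamp. The sample events, the thresholds and the EXPECTED_NETWORKS ranges are constructed for the demo; the network allowlist stands in for the GeoIP lookup a real deployment would use to judge "foreign" sources.

```python
"""Flag anomalous RDP logon activity from exported Windows Security events.

Added example, not from the original post. Events are plain dicts with the
Security-log fields named below; 4624 = successful logon, 4625 = failed
logon, LogonType 10 = RemoteInteractive (RDP). All sample data is constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import ipaddress

# Assumption: ranges from which RDP logons are expected (e.g. the VPN pool).
EXPECTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                     ipaddress.ip_network("192.168.0.0/16")]
FAIL_THRESHOLD = 5                   # failures from one source ...
FAIL_WINDOW = timedelta(minutes=5)   # ... inside this window = brute force
OFF_HOURS = range(0, 6)              # 00:00-05:59 local time


def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")


def analyze(events):
    """Return a list of (severity, message) alerts in chronological order."""
    alerts = []
    recent_fail = defaultdict(deque)   # source IP -> timestamps of recent 4625s
    burst_sources = set()              # sources already flagged for brute force
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev.get("LogonType") != 10:
            continue                   # only RDP (RemoteInteractive) logons matter here
        ts = parse_time(ev["time"])
        src = ev["src_ip"]
        if ev["EventID"] == 4625:
            q = recent_fail[src]
            q.append(ts)
            while q and ts - q[0] > FAIL_WINDOW:   # drop failures outside the window
                q.popleft()
            if len(q) >= FAIL_THRESHOLD and src not in burst_sources:
                burst_sources.add(src)
                alerts.append(("high", f"{src}: {len(q)} failed RDP logons within {FAIL_WINDOW}"))
        elif ev["EventID"] == 4624:
            user = ev["user"]
            if src in burst_sources:   # success right after a failure burst = likely compromise
                alerts.append(("critical", f"{src}: successful RDP logon as {user} after failure burst"))
            if not any(ipaddress.ip_address(src) in net for net in EXPECTED_NETWORKS):
                alerts.append(("high", f"{src}: RDP logon as {user} from unexpected network"))
            if ts.hour in OFF_HOURS:
                alerts.append(("medium", f"{src}: off-hours RDP logon as {user} at {ts:%H:%M}"))
    return alerts


# Constructed sample: five failures from one external address, then a success,
# then a normal daytime logon from the VPN pool and an unrelated console logon.
SAMPLE_EVENTS = [
    {"time": "2024-03-01 03:10:00", "EventID": 4625, "LogonType": 10, "src_ip": "203.0.113.45", "user": "admin"},
    {"time": "2024-03-01 03:10:30", "EventID": 4625, "LogonType": 10, "src_ip": "203.0.113.45", "user": "admin"},
    {"time": "2024-03-01 03:11:00", "EventID": 4625, "LogonType": 10, "src_ip": "203.0.113.45", "user": "jsmith"},
    {"time": "2024-03-01 03:11:30", "EventID": 4625, "LogonType": 10, "src_ip": "203.0.113.45", "user": "jsmith"},
    {"time": "2024-03-01 03:12:00", "EventID": 4625, "LogonType": 10, "src_ip": "203.0.113.45", "user": "jsmith"},
    {"time": "2024-03-01 03:13:00", "EventID": 4624, "LogonType": 10, "src_ip": "203.0.113.45", "user": "jsmith"},
    {"time": "2024-03-01 09:30:00", "EventID": 4624, "LogonType": 10, "src_ip": "10.20.30.40", "user": "jsmith"},
    {"time": "2024-03-01 09:31:00", "EventID": 4624, "LogonType": 2, "src_ip": "10.20.30.41", "user": "jsmith"},
]

if __name__ == "__main__":
    for severity, message in analyze(SAMPLE_EVENTS):
        print(f"[{severity}] {message}")
```

Run against the constructed sample, the external address produces four alerts (the failure burst, the success that follows it, the unexpected source network and the 03:13 logon time) while the daytime VPN logon stays silent. In production the same three rules belong in the SIEM, with the allowlist replaced by GeoIP or VPN-pool data and the thresholds tuned to your own baseline.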

Path 3: Exploiting Unpatched Vulnerabilities

The Clop ransomware gang exploited a zero-day vulnerability in MOVEit Transfer (CVE-2023-34362) during summer 2023 and compromised over 2,000 organizations. They didn't send a single phishing email. They didn't need stolen credentials. They found an unpatched file transfer appliance and walked right in.

This is how ransomware spreads at scale — through known vulnerabilities that organizations fail to patch in time. The CISA Known Exploited Vulnerabilities (KEV) catalog maintains a running list of actively exploited flaws. If you're not using it as a patching priority list, start today.

The Patch Window Problem

Most organizations I work with have a 30-day patch cycle. Threat actors weaponize critical vulnerabilities in under 48 hours. That math doesn't work. For internet-facing systems — VPNs, firewalls, file transfer tools, email gateways — you need an emergency patching process that can deploy critical fixes within days, not weeks.
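To make the KEV catalog a patching priority list in practice, and to encode the tighter window this section asks for on internet-facing systems, here is an added Python example (not code from the original post or from CISA). It assumes the real KEV JSON feed layout, where a "vulnerabilities" array carries cveID, vendorProject, product, dateAdded, dueDate and knownRansomwareCampaignUse; the excerpt below is constructed, with placeholder CVE ids except for CVE-2023-34362, and the asset inventory, the two SLA values and the exact-string product matching are assumptions for the demo.

```python
"""Rank an asset inventory against the CISA KEV catalog.

Added example, not from the original post or from CISA. Feed URL:
https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json
The excerpt below is constructed; "CVE-0000-000x" are placeholders. The SLA
values mirror the post's point: days for internet-facing systems, the usual
30-day cycle for everything else.
"""
import json
from datetime import date, timedelta

KEV_EXCERPT = json.dumps({"vulnerabilities": [
    {"cveID": "CVE-2023-34362", "vendorProject": "Progress", "product": "MOVEit Transfer",
     "dateAdded": "2023-06-02", "dueDate": "2023-06-23", "knownRansomwareCampaignUse": "Known"},
    {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor", "product": "ExampleVPN",        # placeholder
     "dateAdded": "2024-02-20", "dueDate": "2024-03-12", "knownRansomwareCampaignUse": "Unknown"},
    {"cveID": "CVE-0000-0002", "vendorProject": "ExampleVendor", "product": "ExampleDesktopApp", # placeholder
     "dateAdded": "2024-02-25", "dueDate": "2024-03-17", "knownRansomwareCampaignUse": "Unknown"},
]})

# Constructed asset inventory: (asset name, vendor, product, internet_facing)
INVENTORY = [
    ("mft-01", "Progress", "MOVEit Transfer", True),
    ("vpn-edge", "ExampleVendor", "ExampleVPN", True),
    ("ws-1042", "ExampleVendor", "ExampleDesktopApp", False),
    ("db-07", "ExampleVendor", "ExampleDatabase", False),   # no KEV entry: should not appear
]

# Assumed internal SLAs measured from the day CISA added the entry.
SLA_INTERNET_FACING = timedelta(days=2)
SLA_INTERNAL = timedelta(days=30)


def prioritize(kev_json, inventory, today):
    """Return work items sorted: ransomware-used first, internet-facing next, earliest due first."""
    by_product = {}
    for v in json.loads(kev_json)["vulnerabilities"]:
        by_product.setdefault((v["vendorProject"], v["product"]), []).append(v)
    work = []
    for asset, vendor, product, exposed in inventory:
        for v in by_product.get((vendor, product), []):   # exact-string match: an assumption
            added = date.fromisoformat(v["dateAdded"])
            internal_due = added + (SLA_INTERNET_FACING if exposed else SLA_INTERNAL)
            due = min(date.fromisoformat(v["dueDate"]), internal_due)   # whichever is sooner
            ransomware = v["knownRansomwareCampaignUse"] == "Known"
            days_left = (due - today).days
            work.append({
                "asset": asset, "cve": v["cveID"], "internet_facing": exposed,
                "ransomware_use": ransomware, "due": due.isoformat(),
                "days_left": days_left, "overdue": days_left < 0,
            })
    work.sort(key=lambda w: (not w["ransomware_use"], not w["internet_facing"], w["days_left"]))
    return work


if __name__ == "__main__":
    for item in prioritize(KEV_EXCERPT, INVENTORY, date.today()):
        flag = "OVERDUE" if item["overdue"] else f"{item['days_left']}d left"
        print(f"{item['asset']:10} {item['cve']:15} due {item['due']} {flag}")
```

The sort key is the whole point: a flaw CISA marks as used in ransomware campaigns on an internet-facing box goes to the top regardless of how new it is, and the due date is the sooner of CISA's deadline and your own SLA. Real inventories need normalised vendor/product names (or CPE matching) rather than the exact-string lookup used here.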

Path 4: Credential Theft and Access Brokers

There's an entire underground economy built around selling network access. Initial access brokers compromise organizations through phishing, info-stealers, or vulnerability exploitation, then auction off that access to ransomware affiliates on dark web forums.

Credentials stolen by info-stealer malware like RedLine or Raccoon Stealer end up in massive databases. If one of your employees reused their corporate password on a compromised personal site, that credential may already be for sale. The ransomware operator buys it, logs into your VPN, and the clock starts ticking.

This is why cybersecurity awareness training has to cover credential hygiene — unique passwords, password managers, and the real-world consequences of password reuse.

Path 5: Supply Chain and Managed Service Provider Compromise

The Kaseya VSA attack in July 2021 demonstrated what happens when a threat actor compromises a tool that has privileged access to thousands of downstream networks. REvil ransomware was deployed to approximately 1,500 businesses simultaneously through a single supply chain compromise.

Managed service providers (MSPs) are high-value targets because they hold the keys to dozens or hundreds of client networks. One compromised MSP admin account can cascade ransomware to every organization they manage.

Questions To Ask Your Vendors

  • Does the vendor enforce multi-factor authentication on all administrative accounts?
  • Do they conduct regular penetration testing and share results?
  • How quickly do they patch their own infrastructure?
  • Do they have a documented incident response plan — and have they tested it?

Path 6: Malicious Attachments and Drive-By Downloads

Microsoft finally disabled macros by default in Office documents downloaded from the internet in mid-2022. Threat actors adapted fast. They shifted to ISO files, LNK shortcuts, OneNote documents with embedded scripts, and password-protected ZIP archives designed to bypass email security gateways.

Drive-by downloads through compromised websites still work, too. A legitimate site gets injected with malicious code through a compromised ad network or a vulnerable WordPress plugin. Your employee visits the site, the browser is exploited or a fake update prompt appears, and now you have a loader on the network.

Web filtering, endpoint detection and response (EDR), and application whitelisting all help here — but none of them replace the need for employees who recognize suspicious behavior and report it instead of clicking through it.

Path 7: Lateral Movement — How Ransomware Spreads Once Inside

Getting inside the network is step one. The real damage happens during lateral movement. Here's the typical playbook once a threat actor has an initial foothold:

  • Credential harvesting: Tools like Mimikatz extract passwords and hashes from memory. One domain admin credential, and the game is over.
  • Active Directory reconnaissance: Attackers use BloodHound or ADFind to map trust relationships and identify the shortest path to domain dominance.
  • Disabling defenses: They uninstall or disable endpoint protection, delete shadow copies, and modify Group Policy to push their ransomware payload to every joined machine.
  • Data exfiltration: Before encrypting, most ransomware gangs now steal data for double extortion. They threaten to publish it if you don't pay.
  • Mass deployment: The final step — using PsExec, Group Policy, or a compromised management tool to deploy ransomware simultaneously across hundreds or thousands of endpoints.

This entire sequence can happen in under 24 hours. The Conti ransomware playbook leak in 2021 showed that their affiliates could go from initial access to full domain encryption in as little as two days.

What Is the Most Common Way Ransomware Spreads?

Phishing remains the single most common way ransomware spreads into organizations. According to the Verizon 2023 Data Breach Investigations Report, phishing was the top initial action in social engineering-related breaches, and email was the primary delivery vector for malware. Credential theft through phishing and exploitation of public-facing applications round out the top three initial access methods. Addressing all three requires a combination of technical controls, patching discipline, and ongoing security awareness training.

A Practical Defense Framework

Understanding how ransomware spreads is only useful if it changes what you do on Monday morning. Here's the framework I recommend:

1. Reduce the Attack Surface

  • Audit all internet-facing services. Close every port that doesn't need to be open. Put RDP behind a VPN with MFA.
  • Implement zero trust principles: verify every user, every device, every session. Trust nothing by default.
  • Remove local admin rights from standard user accounts. This single change stops most malware from installing.

2. Train Your People Relentlessly

  • Run monthly phishing simulations. Vary the scenarios — invoice fraud, credential harvesting, fake IT notifications.
  • Make reporting easy and rewarded. You want a culture where employees flag suspicious emails, not one where they're afraid to admit they clicked.
  • Enroll your team in structured cybersecurity awareness training that covers social engineering, credential theft, and ransomware-specific scenarios.

3. Detect and Respond Fast

  • Deploy EDR on every endpoint. Not just antivirus — behavioral detection that catches Cobalt Strike, credential dumping, and lateral movement.
  • Monitor for indicators of compromise: unusual PowerShell execution, new service installations, mass file renaming.
  • Have an incident response plan. Test it with tabletop exercises at least twice a year.
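The three indicators named in the "Detect and Respond Fast" list above (unusual PowerShell execution, new service installations, mass file renaming) map directly onto the lateral-movement playbook in Path 7. As an added example (not code from the original post), here is a Python detector that runs those three rules over exported event lines. The pipe-delimited line format, the thresholds and all sample lines are constructed for the demo; the event IDs it keys on are real (7045, a service was installed, from the System log; 4688, process creation with command-line auditing enabled, from the Security log), while FILE_RENAME is a constructed record type standing in for whatever your file-audit source emits.

```python
"""Scan exported event lines for three ransomware precursors.

Added example, not from the original post. Line format (constructed):
    <ISO time>|host=...|id=...|user=...|<extra key=value fields>
Real IDs: 7045 (service installed), 4688 (process creation, cmd= field).
FILE_RENAME is a constructed record type; thresholds are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

RENAME_THRESHOLD = 10                    # renames by one user on one host ...
RENAME_WINDOW = timedelta(seconds=60)    # ... within this window = mass renaming
PS_SUSPICIOUS = re.compile(r"powershell.*(-enc|-encodedcommand|-w\s+hidden|downloadstring)", re.I)
RISKY_SERVICES = {"psexesvc"}            # PsExec's service name; assumed not used legitimately here


def parse_line(line):
    ts, *fields = line.strip().split("|")
    rec = {"time": datetime.fromisoformat(ts)}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def detect(lines):
    """Return (severity, host, message) alerts in chronological order."""
    alerts = []
    renames = defaultdict(deque)   # (host, user) -> timestamps of recent renames
    flagged = set()
    for rec in sorted(map(parse_line, lines), key=lambda r: r["time"]):
        eid = rec["id"]
        if eid == "4688" and PS_SUSPICIOUS.search(rec.get("cmd", "")):
            alerts.append(("medium", rec["host"], f"suspicious PowerShell: {rec['cmd']}"))
        elif eid == "7045":
            name = rec.get("svc", "")
            severity = "high" if name.lower() in RISKY_SERVICES else "low"
            alerts.append((severity, rec["host"], f"new service installed: {name}"))
        elif eid == "FILE_RENAME":
            key = (rec["host"], rec["user"])
            q = renames[key]
            q.append(rec["time"])
            while rec["time"] - q[0] > RENAME_WINDOW:   # slide the window
                q.popleft()
            if len(q) >= RENAME_THRESHOLD and key not in flagged:
                flagged.add(key)
                alerts.append(("critical", rec["host"],
                               f"{len(q)} renames by {rec['user']} in {RENAME_WINDOW.seconds}s"))
    return alerts


# Constructed sample: one benign and one suspicious PowerShell launch, a PsExec
# service install, a benign updater service, twelve renames in eleven seconds
# by one user, and a single ordinary rename by another user.
SAMPLE_LINES = [
    "2024-03-01T02:14:05|host=WS-22|id=4688|user=CORP\\jsmith|cmd=powershell.exe Get-Process",
    "2024-03-01T02:14:40|host=WS-22|id=4688|user=CORP\\jsmith|cmd=powershell.exe -w hidden -enc AAAAAAAA",
    "2024-03-01T02:16:00|host=FS01|id=7045|user=SYSTEM|svc=PSEXESVC",
    "2024-03-01T02:16:30|host=WS-22|id=7045|user=SYSTEM|svc=ExampleUpdater",
] + [
    f"2024-03-01T02:17:{i:02d}|host=FS01|id=FILE_RENAME|user=CORP\\jsmith"
    f"|path=C:\\share\\doc{i}.docx -> C:\\share\\doc{i}.docx.locked"
    for i in range(12)
] + [
    "2024-03-01T02:20:00|host=FS01|id=FILE_RENAME|user=CORP\\mlee|path=C:\\share\\draft.docx -> C:\\share\\final.docx",
]

if __name__ == "__main__":
    for severity, host, message in detect(SAMPLE_LINES):
        print(f"[{severity}] {host}: {message}")
```

On the constructed sample this yields four alerts: the encoded PowerShell launch, the PSEXESVC install, the low-severity updater service, and the rename burst on FS01 once the tenth rename lands; the single rename by the second user never crosses the threshold. The rename rule is the one most worth tuning, since a legitimate bulk operation by a backup or migration account looks identical, which is exactly why those accounts deserve their own baseline.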

4. Protect Your Backups

  • Follow the 3-2-1 rule: three copies, two different media types, one offsite and offline.
  • Test your restore process quarterly. Backups that can't be restored are not backups.
  • Threat actors specifically target backup systems. Keep backup admin credentials separate from your primary domain and enforce MFA.

The Real Cost of Ignoring These Paths

IBM's Cost of a Data Breach Report 2023 pegged the average cost of a ransomware attack at $5.13 million — and that doesn't include the ransom payment itself. Downtime, legal exposure, regulatory fines, reputation damage, and customer churn compound fast.

Every one of the seven paths I described above has well-known, well-documented countermeasures. The organizations that get hit aren't usually facing sophisticated, novel attacks. They're getting hit by the same techniques that worked last year and the year before, because the basics weren't in place.

If you want to change that trajectory for your organization, start with the fundamentals. Enroll your team in phishing awareness training, lock down your remote access, patch your internet-facing systems, and build a security culture that treats every employee as a sensor — not a liability.

Ransomware spreads through people, protocols, and software. Defend all three, and you make your organization a hard target. That's what actually works.