In February 2024, Change Healthcare — the largest medical claims processor in the United States — was hit by the ALPHV/BlackCat ransomware group. The attack disrupted billing systems at hospitals and pharmacies nationwide for weeks. The entry point? Stolen credentials used on a remote access portal that lacked multi-factor authentication. One compromised login. That's all it took to trigger what UnitedHealth Group later estimated cost over $870 million in the first quarter alone.
If you want to defend your network, you need to understand exactly how ransomware spreads. Not in theory. In the real operational playbooks that threat actors use every single day. This post breaks down the seven most common propagation paths I've tracked across incidents, industry reports, and the organizations I've helped train.
How Ransomware Spreads: The Short Answer
Ransomware spreads when a threat actor gains initial access to a system — usually through phishing, exposed remote services, or compromised credentials — then moves laterally across the network before deploying encryption payloads. Most modern ransomware operations involve human operators, not just automated worms. They spend days or weeks inside your environment before pulling the trigger.
According to the Verizon 2024 Data Breach Investigations Report, ransomware and extortion accounted for 32% of all breaches. The median cost per incident continues to climb. Understanding the attack chain is the first step to breaking it.
Path 1: Phishing Emails — Still the Top Delivery Vehicle
I've reviewed hundreds of incident reports, and phishing remains the single most common initial access vector for ransomware. A well-crafted email with a malicious attachment or link lands in an employee's inbox. They open it. A loader like Qakbot or IcedID executes. Within hours, a ransomware operator has a foothold.
The social engineering behind these emails has gotten dramatically better. Threat actors now use thread hijacking — they compromise one mailbox, then reply to existing email conversations with malicious payloads. Recipients trust the message because it comes from a known contact in an ongoing thread.
This is exactly why phishing awareness training for organizations isn't optional anymore. Your people are the first detection layer, and simulated phishing exercises build the muscle memory they need to pause before clicking.
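Thread hijacking works because the reply arrives inside a conversation the recipient already trusts. The following added example (not code from the original post) shows the kind of gateway-side check a defender can layer on top of awareness training: for messages that claim to be replies, it compares the sender's display name against a known-contact list, looks at the DMARC verdict the gateway recorded, and flags risky attachment types. The message, the address book and the Authentication-Results header are all constructed for illustration, and the attachment list is an assumption to tune to local policy.

```python
"""Flag inbound replies that look like hijacked-thread phishing.

Added example, not code from the original post. The message, the address book
and the Authentication-Results header are constructed; a real deployment would
feed messages from the mail gateway and contacts from a directory."""
import difflib
import email
from email.utils import parseaddr

# Constructed address book: contacts the organization already corresponds with,
# keyed by lower-cased display name.
KNOWN_CONTACTS = {
    "dana ruiz": "dana.ruiz@partner-example.com",
    "sam okafor": "sam.okafor@partner-example.com",
}

# Constructed inbound message: a reply into an existing thread from a lookalike
# domain, carrying an archive attachment and failing DMARC at the gateway.
SUSPICIOUS_MESSAGE = """\
From: Dana Ruiz <dana.ruiz@partner-examp1e.com>
To: ap-clerk@victim-example.com
Subject: RE: Q1 invoice reconciliation
In-Reply-To: <thread-4411@partner-example.com>
Authentication-Results: mx.victim-example.com; dmarc=fail header.from=partner-examp1e.com
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Updated invoice attached, see thread below.
--b1
Content-Type: application/zip; name="invoice_0431.zip"
Content-Disposition: attachment; filename="invoice_0431.zip"

UEsDBBQAAAAIAA==
--b1--
"""

# Assumption: attachment types the gateway treats as high risk in replies.
RISKY_ATTACHMENT_EXT = (".zip", ".iso", ".one", ".js", ".lnk")


def analyse_reply(raw, known_contacts=KNOWN_CONTACTS):
    """Return a list of human-readable findings for one raw RFC 822 message.
    Only messages that present themselves as replies (In-Reply-To set) are
    examined, because that is the thread-hijacking pattern."""
    msg = email.message_from_string(raw)
    findings = []
    if not msg.get("In-Reply-To"):
        return findings

    # 1. Display name matches someone we know, but the address does not.
    name, addr = parseaddr(msg.get("From", ""))
    expected = known_contacts.get(name.strip().lower())
    if expected and expected.lower() != addr.lower():
        expected_domain = expected.split("@")[-1]
        actual_domain = addr.split("@")[-1]
        similarity = difflib.SequenceMatcher(None, expected_domain, actual_domain).ratio()
        findings.append(
            f"display name matches known contact {expected} but address is {addr} "
            f"(domain similarity {similarity:.2f})"
        )

    # 2. Gateway authentication result: anything but dmarc=pass is suspicious in a
    #    reply that claims to come from a known partner. (A production parser
    #    should follow RFC 8601 rather than this substring check.)
    auth = msg.get("Authentication-Results", "")
    if "dmarc=pass" not in auth:
        findings.append("DMARC did not pass for the sender domain")

    # 3. Risky attachment types riding on the trusted thread.
    for part in msg.walk():
        filename = part.get_filename()
        if filename and filename.lower().endswith(RISKY_ATTACHMENT_EXT):
            findings.append(f"risky attachment type: {filename}")
    return findings


if __name__ == "__main__":
    for finding in analyse_reply(SUSPICIOUS_MESSAGE):
        print("-", finding)
```

Each finding on its own is weak evidence; the point of running them together on reply messages is that a hijacked thread typically trips two or three at once, which is a much stronger signal than any one rule.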
Path 2: Remote Desktop Protocol (RDP) Exposure
RDP exposed directly to the internet is like leaving your front door open with a sign that says "come in." Threat actors use brute-force attacks and credential stuffing to gain access. Once inside via RDP, they have an interactive session — they can browse the file system, disable security tools, and deploy ransomware manually.
CISA has repeatedly warned about this vector. Their #StopRansomware advisory program consistently identifies exposed RDP as a top initial access method across multiple ransomware families including LockBit, Royal, and Akira.
If you have RDP open to the internet, shut it down today. Use a VPN with multi-factor authentication. No exceptions.
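Until the port is closed, the one thing worth watching is the authentication pattern against it. The following added example (not code from the original post) runs a simple detector over Windows Security log events: it counts failed RemoteInteractive logons (event 4625, logon type 10) per source address in a sliding window, and raises a higher-severity alert when a success (event 4624) follows a burst of failures from the same source, which is what a credential-stuffing hit looks like. The log lines are constructed in a simplified key=value form rather than real Windows event XML, and the thresholds are assumptions to tune per environment.

```python
"""Detect password guessing against an exposed RDP endpoint from Windows
Security log events (4625 = failed logon, 4624 = successful logon).

Added example; not code from the original post. Log lines are constructed in a
simplified key=value format, and the thresholds are assumptions."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL_THRESHOLD = 5              # assumption: failures per window that count as brute force
WINDOW = timedelta(minutes=5)   # assumption: sliding window length

# Constructed sample: one source hammers the RDP listener (logon_type 10 =
# RemoteInteractive) with several usernames, then succeeds on one of them;
# a second source is an ordinary user mistyping once.
SAMPLE_EVENTS = """\
2024-03-01T02:00:01 event_id=4625 logon_type=10 user=admin src_ip=203.0.113.7
2024-03-01T02:00:04 event_id=4625 logon_type=10 user=administrator src_ip=203.0.113.7
2024-03-01T02:00:09 event_id=4625 logon_type=10 user=backup src_ip=203.0.113.7
2024-03-01T02:00:15 event_id=4625 logon_type=10 user=jsmith src_ip=203.0.113.7
2024-03-01T02:00:22 event_id=4625 logon_type=10 user=svc_sql src_ip=203.0.113.7
2024-03-01T02:00:40 event_id=4624 logon_type=10 user=jsmith src_ip=203.0.113.7
2024-03-01T08:15:00 event_id=4625 logon_type=10 user=mlee src_ip=198.51.100.20
2024-03-01T08:15:30 event_id=4624 logon_type=10 user=mlee src_ip=198.51.100.20
"""


def parse_event(line):
    """Parse one constructed 'timestamp key=value ...' line into a dict."""
    ts, *fields = line.split()
    ev = dict(f.split("=", 1) for f in fields)
    ev["ts"] = datetime.fromisoformat(ts)
    return ev


def detect_rdp_attacks(log_text, fail_threshold=FAIL_THRESHOLD, window=WINDOW):
    """Return alerts as dicts, in the order they were raised."""
    recent_failures = defaultdict(deque)  # src_ip -> failure timestamps inside the window
    alerted_sources = set()               # one brute-force alert per source
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        if ev.get("logon_type") != "10":
            continue  # only RDP (RemoteInteractive) logons are in scope here
        ip = ev["src_ip"]
        failures = recent_failures[ip]
        while failures and ev["ts"] - failures[0] > window:
            failures.popleft()  # drop failures that fell out of the window
        if ev["event_id"] == "4625":
            failures.append(ev["ts"])
            if len(failures) >= fail_threshold and ip not in alerted_sources:
                alerted_sources.add(ip)
                alerts.append({"severity": "medium", "type": "rdp_bruteforce", "src_ip": ip,
                               "failures": len(failures), "at": ev["ts"].isoformat()})
        elif ev["event_id"] == "4624" and len(failures) >= fail_threshold:
            # A success right after a burst of failures from the same source is
            # the signature of a guessed or stuffed credential: escalate.
            alerts.append({"severity": "high", "type": "success_after_bruteforce", "src_ip": ip,
                           "user": ev["user"], "prior_failures": len(failures),
                           "at": ev["ts"].isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_attacks(SAMPLE_EVENTS):
        print(alert)
```

The second rule is the one that matters for response: a brute-force alert on its own is background noise on any internet-exposed listener, but a success from a source that was just failing is a session that should be terminated and investigated immediately.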
Path 3: Exploiting Unpatched Vulnerabilities
Ransomware groups actively scan for known vulnerabilities in internet-facing systems. VPN appliances, firewalls, file transfer tools — anything with a CVE and a public exploit becomes a target within days of disclosure.
The Clop ransomware group's mass exploitation of the MOVEit Transfer vulnerability (CVE-2023-34362) in 2023 compromised over 2,500 organizations. They didn't send a single phishing email. They just exploited a SQL injection flaw in a widely deployed file transfer application.
Patch management isn't glamorous. It's essential. Every day a critical vulnerability sits unpatched is a day you're running with exposed flanks.
Path 4: Credential Theft and Access Brokers
Here's something that surprises a lot of people: ransomware operators often don't break in themselves. They buy access. A thriving underground market of Initial Access Brokers (IABs) sells stolen credentials, VPN sessions, and remote access to corporate networks. Prices range from a few hundred dollars to tens of thousands, depending on the target's size and industry.
Credentials get stolen through infostealer malware, phishing, data breaches at third-party services, and password reuse. This is why credential theft prevention matters so much. Enforcing multi-factor authentication across all remote access points neutralizes a huge percentage of these purchased credentials.
The Password Reuse Problem
Your employees reuse passwords. I know it, you know it, and threat actors definitely know it. When a credential dump from an unrelated breach contains an email/password combo that matches your VPN login, the attacker doesn't need a zero-day. They just log in.
Comprehensive cybersecurity awareness training drills this into every employee: unique passwords, password managers, and MFA everywhere. It's the baseline that too many organizations still haven't reached.
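One control that directly addresses the reuse problem is screening new passwords against known breach corpora, without ever sending the password off the host. The added example below (not code from the original post) implements the k-anonymity range-query scheme: hash the password with SHA-1, send only the first five hex characters, and compare the returned suffixes locally. The corpus here is a constructed stand-in keyed the same way a range response is shaped, the breach count is invented, and the policy thresholds are assumptions; the hash of "password" is the real SHA-1 value.

```python
"""Check a candidate password against a breached-password corpus using the
k-anonymity range-query scheme, so the password itself never leaves the client.

Added example, not from the original post. The range data below is a
constructed stand-in (counts invented); real services such as Have I Been
Pwned's Pwned Passwords range API use the same SHA-1 prefix scheme, but this
code never touches the network."""
import hashlib

# Constructed "range" dataset keyed by the first 5 hex chars of the SHA-1 digest.
# Each value lists "SUFFIX:COUNT" strings, mirroring the shape of a range
# response. The first suffix is the real SHA-1 of "password"; its count is invented.
CONSTRUCTED_RANGES = {
    "5BAA6": [
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:123456",   # sha1("password"), constructed count
        "0000000000000000000000000000000000A:3",        # constructed filler entry
    ],
}


def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_prefix(hex_digest, prefix_len=5):
    """Split a 40-char SHA-1 hex digest into the part that is sent and the part
    that stays local."""
    return hex_digest[:prefix_len], hex_digest[prefix_len:]


def lookup_range(prefix, ranges=CONSTRUCTED_RANGES):
    """Stand-in for the remote range query. Only the prefix is sent, so the
    server learns nothing more than that the hash is one of the many unrelated
    hashes sharing those five characters."""
    return ranges.get(prefix, [])


def breach_count(password, ranges=CONSTRUCTED_RANGES):
    """Number of times the password appears in the corpus (0 if absent).
    Suffix comparison happens locally, never on the server."""
    prefix, suffix = split_prefix(sha1_hex(password))
    for entry in lookup_range(prefix, ranges):
        entry_suffix, count = entry.split(":")
        if entry_suffix == suffix:
            return int(count)
    return 0


def acceptable_for_remote_access(password, ranges=CONSTRUCTED_RANGES, min_len=12):
    """Policy check in the spirit of NIST SP 800-63B: reject short passwords and
    anything present in a breach corpus. min_len is an assumption."""
    if len(password) < min_len:
        return False, "too short"
    if breach_count(password, ranges):
        return False, "appears in breach corpus"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("password", "constructed-long-passphrase-0"):
        print(candidate, acceptable_for_remote_access(candidate))
```

Run this at password-set time on the VPN or identity provider, not only at onboarding: the whole point of the section above is that a credential can be clean today and appear in a dump next month, so periodic re-screening plus MFA is what actually closes the gap.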
Path 5: Malicious Attachments and Drive-By Downloads
Beyond targeted phishing, ransomware spreads through weaponized documents, malvertising campaigns, and compromised websites that deliver exploit kits. A user visits a legitimate site that's been injected with malicious code. Their browser or a plugin gets exploited. A dropper installs silently.
This vector has decreased somewhat as browsers have hardened, but it hasn't disappeared. Threat actors now favor delivering payloads through OneNote files, ISO images, and other formats that bypass traditional email gateway filters.
Path 6: Supply Chain and Managed Service Providers
Attacking one managed service provider can give a ransomware group access to dozens or hundreds of downstream clients simultaneously. The 2021 Kaseya VSA attack by the REvil group demonstrated this at scale — one compromised software update mechanism pushed ransomware to roughly 1,500 organizations worldwide.
Your security posture isn't just about your own controls. It includes every third party with access to your systems. Zero trust architecture principles apply here: verify every connection, limit privileges, and segment access so a single compromised vendor can't reach your entire environment.
Path 7: Lateral Movement — How Ransomware Spreads Inside the Network
Initial access is just step one. What makes modern ransomware devastating is lateral movement. Once inside, operators use tools like Cobalt Strike, Mimikatz, and PsExec to move from machine to machine. They harvest domain admin credentials, map the Active Directory environment, and identify backup systems to destroy before encrypting anything.
This internal propagation is where the real damage happens. A single compromised workstation becomes a beachhead. Within days, the attacker owns your domain controllers, has exfiltrated sensitive data for double extortion, and is ready to deploy encryption across every reachable system.
Breaking the Kill Chain Internally
Network segmentation, endpoint detection and response (EDR), and least-privilege access policies are your best defenses against lateral movement. If a threat actor compromises one endpoint, proper segmentation ensures they can't reach your file servers, backup infrastructure, or domain controllers without hitting tripwires.
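The tripwires mentioned above can be concrete. The added example below (not code from the original post) looks for two of the lateral-movement patterns described in Path 7 in Windows event logs: one account opening network logons (event 4624, logon type 3) to many distinct hosts in a short window, and a remote service installation (System log event 7045) with the service name PsExec leaves behind. The log lines are constructed in a simplified key=value form, and the fan-out threshold, the window, the allowlist and the service-name set are assumptions to tune against local telemetry.

```python
"""Spot lateral-movement patterns in Windows event logs: account fan-out across
hosts via network logons, and remote service installs of the kind PsExec leaves.

Added example, not from the original post. Log lines are constructed in a
simplified key=value format; thresholds, allowlist and service names are
assumptions to tune per environment."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

HOST_FANOUT = 4                               # assumption: distinct hosts per account per window
WINDOW = timedelta(minutes=10)                # assumption: sliding window length
ALLOWLISTED = {"svc_scanner@corp.example"}    # assumption: accounts expected to fan out
REMOTE_EXEC_SERVICES = {"PSEXESVC"}           # PsExec's service name; extend from your telemetry

# Constructed sample: an admin account hops from a workstation to a file
# server, the backup server and a domain controller, then PsExec lands on the
# backup server. A scanner account also fans out but is allowlisted.
SAMPLE_EVENTS = """\
2024-03-02T01:10:00 host=WS-0117 event_id=4624 logon_type=3 user=itadmin@corp.example src_ip=10.0.5.23
2024-03-02T01:10:30 host=FS-01 event_id=4624 logon_type=3 user=itadmin@corp.example src_ip=10.0.5.23
2024-03-02T01:11:05 host=BKP-01 event_id=4624 logon_type=3 user=itadmin@corp.example src_ip=10.0.5.23
2024-03-02T01:11:40 host=DC-01 event_id=4624 logon_type=3 user=itadmin@corp.example src_ip=10.0.5.23
2024-03-02T01:12:02 host=BKP-01 event_id=7045 service=PSEXESVC user=itadmin@corp.example
2024-03-02T09:00:00 host=WS-0042 event_id=4624 logon_type=3 user=svc_scanner@corp.example src_ip=10.0.9.9
2024-03-02T09:00:01 host=WS-0043 event_id=4624 logon_type=3 user=svc_scanner@corp.example src_ip=10.0.9.9
2024-03-02T09:00:02 host=WS-0044 event_id=4624 logon_type=3 user=svc_scanner@corp.example src_ip=10.0.9.9
2024-03-02T09:00:03 host=WS-0045 event_id=4624 logon_type=3 user=svc_scanner@corp.example src_ip=10.0.9.9
"""


def parse_event(line):
    """Parse one constructed 'timestamp key=value ...' line into a dict."""
    ts, *fields = line.split()
    ev = dict(f.split("=", 1) for f in fields)
    ev["ts"] = datetime.fromisoformat(ts)
    return ev


def detect_lateral_movement(log_text, fanout=HOST_FANOUT, window=WINDOW, allowlist=ALLOWLISTED):
    """Return alerts as dicts, in the order they were raised."""
    recent = defaultdict(deque)   # user -> (timestamp, host) network logons inside the window
    alerted_users = set()         # one fan-out alert per account
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        user = ev.get("user", "")

        # Rule 1: a remote-exec service appearing on a host is worth an alert on
        # its own, allowlist or not, because backup and DC hosts rarely see it.
        if ev["event_id"] == "7045":
            if ev.get("service") in REMOTE_EXEC_SERVICES:
                alerts.append({"type": "remote_service_install", "host": ev["host"],
                               "service": ev["service"], "user": user, "at": ev["ts"].isoformat()})
            continue

        # Rule 2: fan-out of network logons by one account across many hosts.
        if ev["event_id"] != "4624" or ev.get("logon_type") != "3" or user in allowlist:
            continue
        logons = recent[user]
        logons.append((ev["ts"], ev["host"]))
        while logons and ev["ts"] - logons[0][0] > window:
            logons.popleft()
        hosts = {host for _, host in logons}
        if len(hosts) >= fanout and user not in alerted_users:
            alerted_users.add(user)
            alerts.append({"type": "logon_fanout", "user": user, "hosts": sorted(hosts),
                           "src_ip": ev.get("src_ip"), "at": ev["ts"].isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect_lateral_movement(SAMPLE_EVENTS):
        print(alert)
```

Segmentation makes this detection far more useful: when a workstation subnet has no legitimate reason to open network logons to the backup server or a domain controller, the fan-out rule can be scoped to exactly those crossings and fires with almost no false positives.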
What Actually Stops Ransomware From Spreading
There's no single silver bullet. Effective defense is layered:
- Security awareness training — your employees need to recognize phishing and social engineering tactics before they click. Regular simulated attacks build real detection skills.
- Multi-factor authentication — on every remote access point, email account, and administrative console. This alone would have prevented the Change Healthcare breach.
- Patch management — critical vulnerabilities patched within 48 hours, not 48 days.
- Network segmentation — limit blast radius so one compromised system doesn't mean total encryption.
- Offline backups — tested regularly. Ransomware operators specifically target backup systems. If your backups are online and reachable, assume they'll be encrypted too.
- Zero trust principles — never trust, always verify. Every access request is authenticated and authorized, regardless of source.
The NIST Cybersecurity Framework provides a structured approach to building these layers. If you haven't mapped your controls against it, that's a practical next step.
Your People Are the First and Last Line
I've investigated environments with a $500,000 security stack that got breached because an accounts payable clerk opened a fake invoice PDF. And I've seen lean organizations with strong security awareness cultures catch sophisticated attacks that would have bypassed their technical controls.
Technology matters. But the human element is where most ransomware campaigns succeed or fail. Understanding how ransomware spreads gives your team the context they need to recognize threats in real time — not just in a slide deck.
Start building that awareness muscle now. Explore cybersecurity awareness training at computersecurity.us and run realistic phishing simulations for your organization. The cost of preparation is always less than the cost of recovery.