7 Top Delivery Vectors for Ransomware


In 2020, ransomware attacks increased by 485% compared to 2019. The majority (64%) of those attacks took place in the first two quarters of the year, reported Infosecurity Magazine.

Those findings highlight the impact that the early days of the pandemic left on the threat landscape. They’re also a testament to all the different types of delivery vectors that malicious actors can use to distribute their ransomware payloads. Here are seven that stand out.


Email

I noted in a recent blog post that email is one of the most popular, if not the most prominent, means of delivering ransomware. Sometimes, this takes the form of phishers tricking recipients into clicking on a malicious link that redirects them to a fake login page. Other times, it involves digital attackers using suspicious email attachments to infect recipients with malware.

Exploit Kits

Exploit kits are malicious software packages that commonly lie in wait on the other end of a malvertising or drive-by download attack. In either scenario, users end up on a compromised website where the exploit kit scans for vulnerabilities in the visitor’s browser, operating system, or other software. If it comes across a supported flaw, it then executes its malicious code for the purpose of dropping ransomware or another payload.

Software Vulnerabilities

Ransomware actors’ weaponization of software vulnerabilities isn’t limited to just exploit kits. Take the recent supply chain attack involving Kaseya, as an example. For that incident, the REvil ransomware group misused a zero-day vulnerability to compromise what many SMB and managed service provider (MSP) customers considered to be a trusted and authorized software product. In doing so, the gang succeeded in infecting an untold number of businesses worldwide.

Pirated Software

Sometimes, digital attackers use pirated or cracked software to trick users into thinking they’ve found a bargain. What buyers don’t know is that pirated software often comes bundled with something like adware for the purpose of dropping a digital threat like ransomware. They also might not realize that many pirated software solutions lack the ability to receive updates remotely, thus creating vulnerabilities which nefarious individuals could potentially misuse.

Remote Desktop Protocol

The Remote Desktop Protocol (RDP) is a communications protocol that helps users to connect to other computers over a network connection. Malicious actors understand that RDP receives connection requests through port 3389, so they scan the Internet for machines with exposed ports. They then attempt to force their way in by exploiting security vulnerabilities or by brute-forcing the machine’s login credentials. At that point, they can deploy a ransomware payload.
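A defender can spot the brute-forcing step described above in Windows Security logs. The following is an added example, not part of the original article: it flags source addresses that generate a burst of failed logons (event ID 4625) and notes whether a successful logon (event ID 4624) from the same address follows. The event field names, the threshold and window values, and the sample events are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED, SUCCESS = 4625, 4624   # Windows Security event IDs: failed / successful logon
RDP_LOGON_TYPES = {3, 10}      # 10 = RemoteInteractive; 3 = Network (failed RDP logons under NLA)

def detect_rdp_bruteforce(events, threshold=5, window=timedelta(minutes=2)):
    """Alert on any source IP with >= threshold failed logons inside `window`,
    and record the first account that logs on successfully from that IP afterwards."""
    recent = defaultdict(deque)   # source IP -> timestamps of failures still inside the window
    tried = defaultdict(set)      # source IP -> account names seen in failures
    alerts = {}                   # source IP -> alert record
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["logon_type"] not in RDP_LOGON_TYPES:
            continue
        ip, ts = ev["source_ip"], ev["time"]
        if ev["event_id"] == FAILED:
            tried[ip].add(ev["user"])
            q = recent[ip]
            q.append(ts)
            while ts - q[0] > window:      # slide the window forward
                q.popleft()
            if len(q) >= threshold and ip not in alerts:
                alerts[ip] = {"source_ip": ip, "first_failure": q[0],
                              "users_tried": tried[ip], "success_as": None}
        elif ev["event_id"] == SUCCESS and ip in alerts and alerts[ip]["success_as"] is None:
            alerts[ip]["success_as"] = ev["user"]   # a logon right after a burst needs triage
    return list(alerts.values())

def _ev(t, event_id, logon_type, ip, user):
    # Hypothetical record layout for an exported Security log entry.
    return {"time": datetime.fromisoformat(t), "event_id": event_id,
            "logon_type": logon_type, "source_ip": ip, "user": user}

# Constructed sample: one noisy source that eventually gets in, one user who mistyped twice.
SAMPLE_EVENTS = [
    _ev(f"2021-07-01T03:00:{s:02d}", FAILED, 3, "203.0.113.50", u)
    for s, u in [(1, "administrator"), (9, "admin"), (17, "administrator"),
                 (25, "backup"), (33, "administrator"), (41, "admin")]
] + [
    _ev("2021-07-01T03:00:50", SUCCESS, 10, "203.0.113.50", "admin"),
    _ev("2021-07-01T08:15:00", FAILED, 10, "198.51.100.7", "jsmith"),
    _ev("2021-07-01T08:15:20", FAILED, 10, "198.51.100.7", "jsmith"),
    _ev("2021-07-01T08:15:40", SUCCESS, 10, "198.51.100.7", "jsmith"),
]

if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(SAMPLE_EVENTS):
        print(alert)
```

An alert whose `success_as` field is set is the case to escalate first, since it means the guessing burst ended with a working credential.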

Network Propagation

Many ransomware strains no longer stop at infecting a single machine. Some come with the ability to enumerate shares so that they can spread to other machines on the same network. Doing so enables the ransomware gang to encrypt a greater portion of the network and to demand a higher ransom, all the while creating a significant disruption for the affected entity so that they’ll be more inclined to pay up.

Removable Media

Finally, ransomware actors know that users get curious about USB drives and other removable media that they might find near their homes or places of work. They can misuse this curiosity to trick users into plugging in those media devices to their machines and thereby inadvertently infecting themselves with ransomware.

How to Partially Defend Against Ransomware 

The delivery vectors discussed above highlight the fact that organizations can’t defend themselves against ransomware in a single step. They need to take a multi-pronged approach that involves vulnerability management, security awareness training, and network segmentation. Such a strategy also requires the use of an email security solution that’s capable of scanning incoming messages for malware signatures, campaign patterns, and other threat indicators.

For more on the tactics the threat actors are using to exploit individuals and businesses, check out our Mid-Year Threat Report.