Proofpoint closes acquisition of Tessian.

Request a demo
Request a demo
Request a demo
Request a demo
Request a demo

What is Ransomware? How is Ransomware Delivered?

Thursday, July 15th 2021
What is Ransomware? How is Ransomware Delivered?

Tessian Cloud Email Security intelligently prevents advanced email threats and protects against data loss, to strengthen email security and build smarter security cultures in modern enterprises.

Ransomware is a widespread, serious threat. So far in 2021, we’ve seen ransomware attacks on hospitals, gas pipeline operators, and software firms supplying thousands of businesses.

And the situation is getting worse. Research suggests that the overall cost of a ransomware attack doubled in the past year, rising from $761,106 in 2020 to $1.85 million in 2021—and that the global total cost of ransomware could exceed $265 billion per year by 2031.

This article will explain what ransomware is and how ransomware spreads. We’ll then analyze a recent ransomware attack to help you understand how this serious form of cybercrime works.

Types of ransomware attack

There are two main types of ransomware attacks. Both involve the victim downloading a malicious ransomware program.

In the first type of ransomware attack, the malicious program encrypts the victim’s files, rendering them unreadable and unusable. To decrypt their files, the victim must pay a ransom—or else they’ll never be able to access them again.

In the second type of ransomware attack, the malicious program transfers the victim’s files to the attacker. In this type of attack, the victim must pay a ransom to prevent their files from being published on the open web.

Either type of ransomware attack is avoidable. But ransomware can be devastating for any business, leading to extortion, recovery, and mitigation costs—not to mention a loss of your company’s time and reputation.

How is ransomware delivered?

For a ransomware attack to succeed, the threat actor must find a way to get the malicious ransomware program onto their target’s device. Let’s take a look at three keys ways of achieving this.

Social engineering attacks

Social engineering attacks—such as phishing, spear phishing, or Business Email Compromise (BEC)—are normally cited as the leading cause of ransomware infection. 

In a typical social engineering attack, the target receives a malicious email encouraging them to click a download link or download an attachment. While the email may look trustworthy, it contains a payload in the form of a ransomware file.

The notorious “Ryuk” strain of ransomware spreads mostly via social engineering attacks. Security experts estimate that the Ryuk ransomware has earned cybercriminals over $150 million in ransom payments from companies worldwide.

Remote Desktop Protocol

Remote desktop protocol (RDP) enables a third party to take remote control of a person’s computer

RDP has legitimate uses, including enabling IT support services to troubleshoot software issues. But once a cybercriminal has admin access to your system, they can do pretty much whatever they want—including carrying out a ransomware attack.

RDP was the root cause of several high-profile ransomware attacks, including the SamSam ransomware that forced Atlanta’s public authorities to pay out nearly $6 million in 2018.

Drive-by website download

A drive-by download attack occurs when a person downloads and installs a malicious file, for example via a website that has requested permission to download an executable file, Javascript applet, or ActiveX component.

When the victim clicks “Save” or runs the malicious download—whether due to carelessness or because they believe the file is legitimate—the ransomware installs itself and takes over their computer.

Analysis of a ransomware attack

Here’s a recent example of a ransomware attack, to help you understand this devastating form of cybercrime works.

On July 3, 2021, hours before the long Independence Day weekend started in the U.S., thousands of workers got a message on their computer screens: “Your computer has been infected!”

These infected computers had recently installed an update of IT management software Kaseya—an update that had been infected with the REvil ransomware. This type of “supply chain” attack is an increasingly common vector for malware.

Here’s the ransom note that workers saw (shortly before they’d planned to go home for the holidays):


Let’s break this message down. The message informs the ransomware victim that:

  • Their computer has been infected and their files have been encrypted (rendered unreadable)
  • They must purchase specialist decryption software from the cybercriminals. If they attempt to decrypt their files themselves, the files will be permanently deleted.
  • They must pay in a cryptocurrency called Monero (XMR). The price is 217.29 XMR (around ~$45,000) if they pay within six days, after which the price will double.

You might be surprised to see the level of sophistication involved in this attack. The victim is offered a “trial decryption”, “chat support”, and a guide to buying Monero. Ransomware is becoming a quasi-professional criminal industry.

And note that $45,000 is actually a relatively modest ransom. But the Kaseya attack appears to have affected thousands of companies, directly and indirectly—so the cybercriminals are likely to make millions of dollars. The gang is also demanding $70 million for a “global” decryptor.

Looking for more examples of ransomware? Check out this article.