background image


How does Ransomware Spread?


Ransomware has been a hot topic the past couple of years. The software is wreaking havoc on organizations that are not prepared for it. Before understanding how to respond to a ransomware attack, it is extremely important to first understand how the different strains spread in the environment they are unleashed in. Once understood, security controls can be implemented to limit the impact of the attack and reduce recovery times.

Ransomware Spreading: The Strains

New ransomware strains are continuously released. The current top eight have been selected below, detailing whether or not the data could be easily recovered through exposed decryption keys. While decryption keys may be available, the impact to your organization may still be high due to recovery time.

  • WannaCry: Affected over 200,000 systems across 150 countries. Exploited the EternalBlue vulnerability, which was stolen from the National Security Agency (NSA). Decryption Keys: While the keys are not publicly available, there are free tools that are available to find the private key within the memory process of the ransomware with certain caveats. It only applies to certain Windows operating systems and computers must not have been rebooted.

  • NotPetya: Affected more than 600,000 businesses worldwide (together with WannaCry), and puts the estimated global cost of NotPetya at around $1.2 billion. Decryption Keys: Unavailable.

  • Bad Rabbit: Though not as widespread as WannaCry or NotPetya, but has caused severe disruptions in businesses located all over Eastern Europe and some minor infections in the U.S. Decryption Keys: Unavailable.

  • Cerber: One of the first ransomwares to be distributed as a service. At this ransomware’s peak in 2017, it accounted for 26% of all ransomware worldwide. Decryption Keys: Publicly available but at a cost through Trend Micro’s Ransomware File Decryptor Tool.

  • Dharma: Once also known as Crysis has been around since 2016 and releases new versions regularly. Most famous for crippling operations in Altus Baytown Hospital for November 2018 and causing havoc in various small to medium sized business in Europe and the United Kingdom. Decryption Keys: Publicly available through Kaspersky’s free ransomware decryptors.

  • GandCrab: News of infection starts as early as January 2018 with over 48,000 infected systems in the span of one month, and newer version has become the most prevalent ransomware of 2019. Decryption Keys: Publicly available through Bit Defender’s decryptor tool.

  • Katyusha: First observed in October 2018, and actively threatens its victims to release sensitive data to the public. While not as widespread as WannaCry or NotPetya, it’s been known to severely hinder businesses. Decryption Keys: Unavailable.

  • Ryuk: First observed in August 2018, and has since made 3.7 million in bitcoin through targeting medium to large enterprises. Decryption Keys: Unavailable.

How is Ransomware spreading?

Each strain propagates through the system or network in a predictable manner. The predictability allows for the root causes to be identified to assist in future prevention. The table below was created to help visualize the root causes and how each misconfiguration or missing security patch allows for the specific ransomware strains to propagate.


Server Message Block (SMB) – Uses the SMB service to compromise hosts remotely without authentication through networks.

Windows management Interface Command (WMIC) – Used to modify security settings on remote machines after obtaining credentials.

Bruteforce – Uses hardcoded credentials to gain authorized access to more laterally

Powershell – Uses Powershell to issue sensitive system commands

Credentials – Uses credentials obtained by the system to laterally move

Limit Ransomware Spreading: Preventative Measures

By knowing the strains and how they propagate, preventative measures can be implemented to reduce the likelihood and impact of a successful ransomware attack. Below are the top measures that your organization can implement.

  • Provide employees with regular security awareness training which includes phishing exercises. It only takes one employee to impact the entire business. The phishing exercise should also test the anti-spam and anti-virus capabilities of your email system.

  • Have backups for all systems that would cause an impact to the business if offline.

  • Check firewall rules for loose egress and ingress rules. If traffic is allowed to come in and out freely, the malware can exfiltration data more easily.

  • Remove the ability to issue Powershell, psexec, wmic commands for users that would not need it.

  • Remove local administrative privileges for non-IT staff. If users are unable to install software, ransomware will not work.

  • Patch your systems according to risks. Patches related to addressing ransomware risks should take first priority.

  • Review access control privileges to ensure users only have access to what they need. The principle of lease privilege should be implemented.

  • Disable macro usage for office related files. Malware can be hidden within those macros.

How we can help

Packetlabs offers a ransomware simulation service that assesses your risk level against ransomware and identifies incident response capabilities. The service includes:

  • Phishing to identify weaknesses in security awareness and perimeter defenses

  • Propagating through the network identical to how ransomware would to identify vulnerable systems

  • Identification of affected shares, and potentially impacted data

  • A table-top exercise to identify if recovery capabilities are well documented

Contact us if you would like to assess your ransomware security controls.