Forgot password?


7 Common Ransomware Attacks

Ransomware attacks are becoming increasingly more common, and they’re showing no signs of slowing down. As the dangers of losing access to data, devices, and services continue to compound, it’s more important than ever for organisations to take preventative measures to safeguard against these types of attacks. 

While backups and other recovery techniques can be useful, they aren’t always sufficient when attackers are holding sensitive corporate and customer data over your head. The genuine answer to ransomware lies in prevention rather than cure.  

In this blog post, we’ll explore seven common ways that ransomware can infect your organisation and what you can do to protect yourself against them. 

Breaches Through Phishing and Social Engineering 

One of the most common methods used by hackers to initially infect an endpoint with ransomware is through phishing emails. In fact, The NCSC (National Cyber Security Centre) estimate that 95% of attacks originate from a phishing email. 

These emails are becoming increasingly targeted, personal, and specific, as hackers use information to craft emails that gain trust and trick potential victims into opening attachments or clicking on links to download malicious files.  

They can look indistinguishable from normal files, and attackers may take advantage of a default Windows configuration that hides the file’s true extension. It’s imperative that organisations conduct regular cyber awareness training and managed phishing campaigns so that staff can spot a phishing email. Staff are your front-line defence when it comes to phishing attacks.  

Infection Via Compromised Websites 

Compromised websites are easy places to insert malicious code. All it takes is for an unsuspecting victim to visit the site, perhaps a site they frequent.  

The compromised site then reroutes to a page that prompts the user to download a newer version of some software, such as the web browser, plugin, or media player.  

Web redirections like this are particularly difficult for users to spot without digging into the code underneath every site they visit. If the site has been primed to deliver ransomware, the malware could be either activated directly or more commonly run as an installer that downloads and drops the ransomware.  

Malvertising and Browser Breach 

If a user has an unpatched vulnerability in his or her browser, a malvertising attack can occur.  

Using common advertisements on websites, cybercriminals can insert malicious code that will download the ransomware once an advertisement is displayed.  

While this is a less common ransomware attack vector, it still poses a danger since it doesn’t require the victim to take any overt action such as downloading a file and enabling macros. 


Angler, Neutrino, and Nuclear are exploit kits that have been widely used in ransomware attacks.  

These frameworks are a type of malicious toolkit with pre-written exploits that target vulnerabilities in browser plugins like Java. Microsoft Internet Explorer and Microsoft Silverlight are also common targets.  

Ransomware like Locky and CryptoWall have been delivered through exploit kits on compromised sites and through malvertising campaigns. 

Infected File and Application Downloads 

Any file or application that can be downloaded can also be used for ransomware.  

Cracked software on illegal file-sharing sites are ripe for compromise, and such software is as often as not laden with malware.  

There is also potential for hackers to exploit legitimate websites to deliver an infected executable. All it takes is for the victim to download the file or application and then the ransomware is injected. 

Messaging Applications 

Through messaging apps like WhatsApp and Facebook Messenger, ransomware can be disguised as scalable vector graphics (SVG) to load a file that bypasses traditional extension filters.  

Since SVG is based on XML, cybercriminals can embed any kind of content they please. Once accessed, the infected image file directs victims to a seemingly legitimate site.  

After loading, the victim is prompted to accept an install, which if completed distributes the payload and goes on to the victim’s contacts to continue the impact. 

Brute Force Attacks 

Cybercriminals often employ ransomware, such as SamSam, to directly target endpoints by using brute force attacks on internet-facing Remote Desktop Protocol (RDP) servers.  

RDP allows IT administrators to remotely access and manage a user’s device, but it also presents an opportunity for hackers to exploit it for nefarious purposes. 

To identify vulnerable machines, attackers can use tools like Shodan and port scanners such as Nmap and Zenmap. Once identified, the attackers may gain access by brute-forcing the password and logging on as an administrator. This is facilitated by using default or weak password credentials along with open-source password-cracking tools such as Aircrack-ng, John the Ripper, and DaveGrohl. 

After gaining access as an administrator, the attackers can execute various malicious activities such as dropping ransomware and encrypting data. They may also be able to disable endpoint protection, delete backups to increase the likelihood of payment, or pivot to accomplish other goals. 

What can organisations do to protect themselves? 

The landscape of ransomware is constantly evolving, with the rise of ransomware-as-a-service as a popular trend. This involves malware authors selling tailor-made ransomware to cybercriminals, who determine the targets and delivery methods. This separation of responsibilities has resulted in more targeted malware, innovative delivery methods, and an increase in ransomware attacks. 

Given the risk of data extortion, it is crucial for organisations to prioritise cyber security to prevent breaches from occurring in the first place.  

While the threat of ransomware may seem daunting, defending against these attacks is achievable. What organisations must remember is that it never pays to pay. There is no guarantee that stolen data will be returned. While the temptation to give in to a ransom is strong – particularly for smaller businesses with fewer in-house resources to monitor for threats and remediate gaps in security – paying up only serves to further incentivise bad actors.  

Instead, organisations should be looking to adopt a range of proactive cybersecurity measures, such as properly implemented cyber hygiene, phishing training and simulations for employees, vulnerability scanning, and penetration testing. This is only way to limit the likelihood of a successful ransomware attack.  

However, if the worst does happen, having a security partner on hand to support with remediation is vital. Outsourcing to a fully managed Security Operations Centre (SOC), for example, ensures 24/7/365 proactive and reactive support from cybersecurity professionals to minimise the impact of any potential ransomware attacks. 

Cyber Security Experts

Accredited and regulated, we're in the top 1% of cyber security agencies globally

Crown Commercial Service Supplier Cyber Essentials Plus ISO 27001 BSI ISO 9001 CHECK NCSC Cyber Incident Response CREST

We’re trusted by the UK Government as Crown Commercial Service providers as well as being accredited by two of the leading cyber security governing bodies. Our ISO9001 certification means you can rest assured our processes and approach are market leading.

Protect Your Business & Your Reputation.

With a continued focus on security, you can rest assured that breaches and exploits won't be holding you back.

Speak To An Expert


Get In Touch

[contact-form-7 id="5" title="Contact Us Form"]