Understanding Ransomware Vectors Key to Preventing Attack

Recovering from a ransomware attack is costly and time-consuming, so it’s vastly preferable to avoid an attack in the first place. And the easiest way to prevent a ransomware attack is to understand how the malware works. The goal of ransomware authors is to get their malicious code onto potential victims’ computers and other devices, and there are several methods that they employ to achieve this.

Malicious email attachments and links

Spam has been an Internet problem for years, but ransomware authors have adopted it as the attack vector of choice for their malicious code.

It turns out that there have been no great innovations in the way ransomware authors tempt users to open malicious email attachments: Many common strains of ransomware use email subjects relating to account suspensions, unpaid invoices, or packages that can’t be delivered, to attract potential victims’ attention.

However, the authors of some strains appear to have made a greater than average effort to target their spam email geographically. For example, the TorrentLocker ransomware has been aimed at Australian and European users, and for each country targeted, the spam emails have been written in the appropriate language and appear to have been sent by a local company.

That means that Australian users have received messages that purport to come from Australia Post, with text such as, “Your package has experienced an exception and has been returned to the AusPost office. To collect the parcel please print out the shipment confirmation and visit AusPost facility.”

The email also warns that penalty charges will be incurred if parcels are not collected within 30 days to encourage recipients to click on the “shipment confirmation” link or attachment that triggers the TorrentLocker ransomware infection.

What’s interesting about some ransomware variants is that the authors appear to take great care to avoid spam filters by ensuring that the malicious emails are sent in inappropriate languages for the intended recipients, and by sending the malicious emails only to genuine email addresses rather than using the scattershot approach of sending hundreds of thousands of emails to random user names at a particular domain in the hope that some will be deliverable.

According to research carried out by security company Trend Micro, ransomware authors also take care to send their malicious emails in particular timeslots coinciding with business hours in the destination countries. For example, CryptoWall ransomware emails are sent between 5 a.m. and 9 a.m. EST, while TorrentLocker emails go out between 1 p.m. and 7 p.m. EST. The authors also appear to spread their emails out over these hours to ensure that only a relatively low volume is sent out at once, making it harder for spam filters to detect.

Other ransomware attack vectors

Compromised web sites

As an alternative to persuading potential ransomware victims to click on malicious links in emails, some ransomware authors use compromised web sites as a vector for attack. The advantage of this approach is that it does not require social engineering or other techniques to get potential victims to click on a malicious URL. Instead, users visit a web site out of their own volition – often one that they visit frequently. This may be a well-established company’s website, or the compromised site could be a popular blog running on a compromised blogging software platform.

In this scenario, a potential victim may visit a favorite blog, and immediately be redirected automatically to a page that says that the user’s current version of Firefox (or some other browser) is insecure and needs updating. The user is then prompted to download and run a software updater application. When this file is executed, it either activates the ransomware or runs an installer that downloads and runs the ransomware.


Another common way to infect a user’s computer with ransomware is to use malvertising. In this scenario, a potential victim visits a legitimate site that displays advertisements supplied by a third party advertising network.

If one of the displayed advertisements contains malicious code, it will attempt to exploit an unpatched vulnerability in the user’s browser (or even attempt to run a zero-day exploit for which no patch exists) to download the ransomware.

This type of attack vector is less likely to lead to a successful ransomware attack because it relies on the user having an unpatched vulnerability in their browser, but unlike the case with malicious attachments or links in emails, no action is needed on the part of the victim to become infected if they are vulnerable to the attack.

Exploit kits

Exploit kits are sophisticated pieces of software that are placed on malicious or compromised web sites. The kits scan any computer that visits the site for many different known vulnerabilities, exploiting any that they find to take control of the computer. These exploit kits are generally sold or rented to other criminals so they can compromise computers and use them for whatever purposes they choose.

Some criminals use exploit kits to steal passwords by installing malicious software such as the Zeus banking Trojan, and after this type of malware has had time to run, they often configure it to install ransomware as well.

In 2016, this was a definite pattern, with exploit kits like Angler, Neutrino and Magnitude delivering the CryptoWall ransomware, the Nuclear exploit kit delivering TeslaCrypt, and the Hunter exploit kit delivering Locky.

Infected file downloads

One other vector for ransomware attacks is file downloads initiated by unsuspecting users. Ransomware may be placed in music or movie files or “cracked” applications that are made available on illegal file-sharing sites. There has also been at least one incident when hackers have compromised the website of a legitimate application and substituted the file that visitors download to install the application with a malicious file containing ransomware.

Mobile application downloads

Infected file downloads in the form of applications can also affect mobile devices. Although both Apple and Google police their app stores for malicious files, these measures are not foolproof, and in any case jailbroken iOS devices and any Android device can be configured to download applications from other sources that are outside the control of Apple or Google.

The simplest type of Android ransomware involves a malicious application that uses the resetPassword API to change the user’s device password to a new value, effectively locking the user out of their device. (In the latest Android Nougat version of Android, the reset password API has been modified to make it harder for malware to change the password if a password already exists.)

Messaging apps

Sometimes criminals go to great lengths to infect victims with ransomware, and that is certainly the case with one initiative that uses Facebook Messenger as an attack vector. The criminals send messages over the messaging service to a wide range of users, and these messages contain an image in Scalable Graphics File (SVG) format that includes an embedded piece of malicious JavaScript. Opening the image directs victims to a video on a spoofed YouTube site that asks users to install a codec – in fact, a malicious Chrome extension – in order to be able to view the video. Installing the extension causes the Nemucod malware downloader to run, infecting the computer with various pieces of malware including the Locky ransomware.

For comprehensive information about preventing and dealing with ransomware attacks, see our main article, How to Stop Ransomware.

Paul Rubens
Paul Rubens
Paul Rubens is a technology journalist based in England, and is an eSecurity Planet contributor.

Top Products

Related articles