The main way companies get infected with ransomware is through phishing emails, whether ordinary phishing or targeted spear phishing. Once the email is delivered, the next most common step is for the end user to click a link or open an attachment and allow it to run. Once the file runs, the ransomware is unleashed on the network and begins crawling it, looking for files, servers, and backups. Public-facing servers are another common point of breach. If a public-facing server isn't patched properly, configured properly, or otherwise protected, there is a chance a bad actor can breach it. Once a bad actor has access to the server, they may be able to use it as a pivot point to get further into the network. Software vulnerabilities are a huge attack vector for ransomware, which is why keeping software and hardware as up to date as possible is critical. Some of the most devastating exploits are several years old, and there are still systems affected by them that haven't been updated, either out of necessity or incompetence.

Droppers and loaders are two of the methods used to deploy malware. A dropper is "dropped" into an environment and, when executed, downloads the malicious payloads from a specified source and then executes them. Some droppers, such as the one used by the Ryuk ransomware, delete themselves once the drop is done to make analysis by security researchers harder. Loaders can be paired with droppers. A loader's job is to load and execute the malware on the device. It can also be paired with smaller files that bypass detection, or with other files that draw attention away from the actual payload.
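The "run, drop, then delete yourself" pattern described above is something a defender can hunt for in endpoint telemetry. The following is an added example, not part of the original text: a small Python routine that correlates process-creation and file-deletion events for the same executable, flags cases where a binary launched from a user-writable directory is deleted shortly after it ran, and ignores deletions of binaries in protected program directories or deletions that happen long after execution. The event line format, the field names, the list of user-writable path prefixes and the sample events are all constructed for this example and are not taken from any real product's logs.

```python
"""
Toy detection of dropper-style "execute then self-delete" behaviour.

Assumed (constructed) event line format, one event per line:
    <ISO-8601 timestamp>|<event type>|<host>|<file path>
Event types used here: PROCESS_CREATE, FILE_WRITE, FILE_DELETE.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Directories an unprivileged user can write to (assumption for this example).
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\programdata\\", "c:\\windows\\temp\\")


def parse_event(line):
    """Split one constructed event line into a dict with a parsed timestamp."""
    ts, etype, host, path = line.strip().split("|", 3)
    return {"ts": datetime.fromisoformat(ts), "type": etype, "host": host, "path": path}


def find_self_deleting_executions(lines, window_seconds=120):
    """
    Return one alert per (host, executable) where the executable was started
    from a user-writable directory and then deleted within `window_seconds`.
    """
    events = [parse_event(l) for l in lines if l.strip()]
    events.sort(key=lambda e: e["ts"])

    # (host, lower-cased path) -> timestamps at which that file was executed
    pending = defaultdict(list)
    alerts = []

    for e in events:
        key = (e["host"], e["path"].lower())
        if e["type"] == "PROCESS_CREATE" and key[1].startswith(USER_WRITABLE_PREFIXES):
            pending[key].append(e["ts"])
        elif e["type"] == "FILE_DELETE" and key in pending:
            for started in pending[key]:
                delta = e["ts"] - started
                if timedelta(0) <= delta <= timedelta(seconds=window_seconds):
                    alerts.append({
                        "host": e["host"],
                        "path": e["path"],
                        "executed_at": started,
                        "deleted_at": e["ts"],
                        "seconds_between": delta.total_seconds(),
                    })
                    break
            # Whatever the outcome, the file is gone; stop tracking it.
            pending.pop(key, None)
    return alerts


# Constructed sample telemetry: one suspicious sequence on WS01, one benign
# deletion under Program Files, and one deletion an hour after execution.
SAMPLE_EVENTS = [
    "2024-01-01T09:00:00|PROCESS_CREATE|WS01|C:\\Users\\alice\\AppData\\Local\\Temp\\invoice.exe",
    "2024-01-01T09:00:05|FILE_WRITE|WS01|C:\\Users\\alice\\AppData\\Local\\Temp\\stage2.dll",
    "2024-01-01T09:00:12|FILE_DELETE|WS01|C:\\Users\\alice\\AppData\\Local\\Temp\\invoice.exe",
    "2024-01-01T09:05:00|PROCESS_CREATE|WS01|C:\\Program Files\\Vendor\\updater.exe",
    "2024-01-01T09:05:30|FILE_DELETE|WS01|C:\\Program Files\\Vendor\\updater.exe",
    "2024-01-01T10:00:00|PROCESS_CREATE|WS02|C:\\Users\\bob\\Downloads\\setup.exe",
    "2024-01-01T11:00:00|FILE_DELETE|WS02|C:\\Users\\bob\\Downloads\\setup.exe",
]


if __name__ == "__main__":
    for alert in find_self_deleting_executions(SAMPLE_EVENTS):
        print(f"{alert['host']}: {alert['path']} executed at {alert['executed_at']} "
              f"and deleted {alert['seconds_between']:.0f}s later")
```

Only the WS01 `invoice.exe` sequence is reported: the `updater.exe` deletion is skipped because it lives under a protected program directory, and the WS02 `setup.exe` deletion is skipped because it falls outside the two-minute window. In practice the window, the path list and the event source would be tuned to the environment, and a hit like this is a triage lead to be checked against the rest of the host's activity rather than proof of a dropper on its own.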