How does ransomware get on people's computers?

According to the IBM X-Force Threat Intelligence Quarterly Report, fourth quarter 2015, the primary sources of ransomware attack are unpatched vulnerabilities, drive-by infections, and spear-phishing emails:

[Figure: Primary vectors are the source of ransomware infections. Source: IBM X-Force]

How to prevent ransomware attacks

User education

Educate your users not to download files from unknown contacts. Usually ransomware is sent in emails claiming a pending invoice, with a Word document attached. When you open the document, the ransomware gets installed and starts doing its job.

Scanning and filtering mail servers

Scan your mail servers to stop phishing attempts reaching intended recipients.

Backup data regularly

Make sure to back up your critical data regularly and secure the backups. This will help you avoid paying the ransom, and reduce recovery time.

Vulnerability? Patch critical software and OS right away

Patch your critical software like your browser, browser plugins, email clients and operating systems right after you get a notification. Did you know that the Panama Papers leak (2.6 TB of data) happened because of vulnerable web servers and mail servers?

Look at the ransomware growth in the last three years:

[Figure: Number of samples of ransomware. Source: McAfee Labs, 2015.]


While the measures you describe in your question are not wrong, they are not correct either:

  • Documents are not safe to open either.

    • Oftentimes, exploits come in the form of interestingFile.txt.exe.

      Windows hiding the .exe by default leads users to think that's just a text file when indeed they execute code.

      There are other ways to keep executable code from being recognized as such by the user, for example using Unicode and the Right-To-Left mark, as PlasmaHH suggested in the comments.

    • There is a variety of macro malware for Office products.

  • Drive-by exploits

    Those are an actual threat to everyone who does not just use 2-3 websites, and to everyone blindly following links.

    This is especially true as there are (many?) zero-day exploits that are unknown to the public and hence not yet fixed. There are even events like Pwn2Own showing such exploitation live: going to a prepared website can be it.

In fact, as Philipp points out correctly in the comments, infections can happen on basically any website that includes content from somewhere else, for example ads.

The other part of your question tends to be

Why is there so much ransomware now and there weren't so many infections before?

Well, because ransomware tends to be more profitable than using infections to establish a botnet, which usually went unnoticed by most users (as that was the point).

So there has been no real increase in infections - just an increase in visibility of the infections.


To address the operating system question from the comments

Windows is usually, as it has the biggest market share, targeted the most often (by all malware), but ransomware also exists for *NIX flavours. This includes Mac OS X and Linux.

Mac OS X being drive-by exploited has been shown in this year's Pwn2Own, if I'm not mistaken.
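The two filename disguises the answer above mentions (a decoy double extension that Windows hides, and a Unicode Right-To-Left Override that reverses how the tail of a name is drawn) can be checked mechanically. The following Python script is an added example, not code from any of the answers here; the extension lists and the simplified rendering model are assumptions, and the sample names are constructed.

```python
"""Flag filenames that disguise an executable as a harmless document.

Added example (not from the answer above). It covers two tricks: a decoy
double extension such as "interestingFile.txt.exe", which Explorer shows as
"interestingFile.txt" when known extensions are hidden, and a Unicode
Right-To-Left Override (U+202E), which makes the tail of a name render
reversed so that "photo<RLO>gnp.exe" is drawn on screen as "photoexe.png".
The extension sets and the rendering model are simplifying assumptions.
"""

RLO = "\u202e"  # RIGHT-TO-LEFT OVERRIDE
PDF = "\u202c"  # POP DIRECTIONAL FORMATTING: ends an override run
# Invisible bidi control characters that have no business in a filename.
BIDI_CONTROLS = set("\u202a\u202b\u202c\u202d\u202e\u200e\u200f\u2066\u2067\u2068\u2069")

# Assumed extension sets; extend to taste.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "jse",
                   "vbs", "vbe", "wsf", "hta", "msi", "ps1", "lnk", "jar"}
DECOY_EXTS = {"txt", "pdf", "doc", "docx", "xls", "xlsx", "rtf",
              "jpg", "jpeg", "png", "gif", "zip"}


def real_extension(name):
    """Extension the OS actually uses to pick a handler: the last one."""
    _stem, dot, ext = name.rpartition(".")
    return ext.lower() if dot else ""


def with_hidden_extension(name):
    """Mimic Explorer's 'Hide extensions for known file types' setting."""
    stem, dot, ext = name.rpartition(".")
    if dot and ext.lower() in EXECUTABLE_EXTS | DECOY_EXTS:
        return stem
    return name


def rendered(name):
    """Approximate on-screen rendering of the name.

    Text after U+202E is drawn reversed until U+202C or the end of the
    string; all other bidi controls are invisible. Real bidi layout is more
    involved, but this is enough to reproduce the disguise.
    """
    out, i = [], 0
    while i < len(name):
        ch = name[i]
        if ch == RLO:
            end = name.find(PDF, i + 1)
            if end == -1:
                end = len(name)
            run = "".join(c for c in name[i + 1:end] if c not in BIDI_CONTROLS)
            out.append(run[::-1])
            i = end + 1
        elif ch in BIDI_CONTROLS:
            i += 1
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def analyze(name):
    """Return what the user sees versus what the OS will execute."""
    findings = []
    ext = real_extension(name)
    shown_full = rendered(name)                           # extensions visible
    shown_hidden = rendered(with_hidden_extension(name))  # extensions hidden

    if any(c in BIDI_CONTROLS for c in name):
        findings.append("bidi control character in filename")
    parts = name.lower().split(".")
    if len(parts) >= 3 and parts[-1] in EXECUTABLE_EXTS and parts[-2] in DECOY_EXTS:
        findings.append("decoy double extension")
    if ext in EXECUTABLE_EXTS and real_extension(shown_full) != ext:
        findings.append("rendered name shows extension '%s' but file is .%s"
                        % (real_extension(shown_full), ext))
    return {
        "name": name,
        "real_extension": ext,
        "shown_full": shown_full,
        "shown_hidden_ext": shown_hidden,
        "findings": findings,
        "suspicious": bool(findings),
    }


# Constructed sample names (not real malware samples).
SAMPLES = [
    "interestingFile.txt.exe",
    "photo" + RLO + "gnp.exe",
    "invoice.pdf",
    "setup.exe",
]

if __name__ == "__main__":
    for n in SAMPLES:
        r = analyze(n)
        print(repr(n), "->", "SUSPICIOUS" if r["suspicious"] else "ok", r["findings"])
```

The point of reporting both views is that the same file looks different depending on the viewer's settings: the double-extension trick only works when known extensions are hidden, while the RLO trick works precisely when they are shown. A mail-gateway or download filter should compare the real extension against both renderings, not against the raw string.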


Are you safe from ransomware just by not downloading suspicious files?

Unfortunately, it is a mistake to assume that you are safe from ransomware just by not downloading files from suspicious websites.

As an example, just last month, the OS X version of the popular BitTorrent client Transmission (v2.90) was infected with ransomware. This infected version of Transmission was distributed through Transmission’s official website (their main server was compromised) for a day or two, so anyone who downloaded it then would have been infected. Surprisingly enough, attempting to update within the app (Transmission uses the Sparkle framework) would have been safe, since the attackers apparently didn’t update the checksum for Sparkle in the compromised version, causing the (potentially automatic) in-app update to fail with a signature mismatch.

Unfortunately, I was almost caught by this ransomware. Due to a vulnerability in the Sparkle framework that was recently disclosed at the time, I was manually updating all my applications that used the Sparkle framework instead of updating them in-app, and that included updating to Transmission v2.90 by manually downloading it from the official website. I only managed to get away unscathed thanks to downloading it a few days before the server compromise happened. Honestly, I was pretty scared once I found out about the compromise a few days later. I’d say I learned a valuable lesson here, which was that you can never blindly trust an application you’ve downloaded from the Internet, even from developers you trust (unless you vet the source code yourself).

Mitigating the Damage of Ransomware

The issue with ransomware is that it encrypts all of your files. If you have a way to prevent applications from being able to read or write any arbitrary file on your system (by running all downloaded applications in a sandbox, for example), that should essentially make the ransomware benign. On Windows, you can sandbox applications with Sandboxie. On OS X, you can intercept all reads and writes from applications running on your system with Hands Off! (demonstrated here).

Another solution is to use Qubes OS, which is an operating system that essentially lets you sandbox different activities/applications inside different virtual machines in a very elegant way. It also supports running Windows 7 inside one of those virtual machines.