Constella Intelligence

How Does Ransomware Spread in a Network?

ransomware spreads

Ransomware is on the rise. From 2020 to 2021, the FBI’s Internet Crime Complaint Center receives a 62% increase in ransomware reports. In June 2021 alone, there were 78.4 million recorded attempts.

When nearly two-thirds of the global population is connected to the web today, there is no excuse not to educate yourself and your staff on ransomware. Businesses can take proactive methods to adequately safeguard employees and executives from this malware.

As industry leaders in digital risk protection, the Constella team is here to ensure you understand how ransomware spreads in a network and what you can do to combat it. Keep reading for all the details, and be sure to see Constella in action by requesting a demo.

What Is Ransomware?

Ransomware is a type of malicious software that infects a computer system with the intent of preventing access to the data without the payment of a ransom.

When a ransomware attack occurs, there’s typically an on-screen alert popup message that explains the user’s system has been locked or their files have been encrypted. (Unlike other attacks that want to remain undetected for as long as possible, ransomware is the opposite–it announces itself once it’s installed).

However, many attacks now include a data theft component before the encryption of files. The intent is to offset the data backup capabilities that many organizations have deployed in response to previous ransomware threats. The attackers steal sensitive data (such as customer lists) and extort the user.

The ransom amount varies. For reference, in 2020, the average ransom payment for mid-sized businesses was $170,404.




Team Constella

What Is an Example of Ransomware?

Let’s take a look at businesses that have been the victims of ransomware.


In May 2021, chemical distribution company Brenntag paid a $4.4 million ransom in Bitcoin to DarkSide, a ransomware group behind several high-profile attacks.

Here’s what happened:

  • Brenntag’s ransomware attack affected their North American division.
  • DarkSide encrypted Brenntag’s devices and stole unencrypted files (approximately 150 GB in data).
  • DarkSide initially requested $7.5 million, but after negotiations, DarkSide and Brenntag settled for a $4.4 million ransom.

REvil hacker group targeted computer manufacturer Acer with ransomware in May 2021:

  • REvil hacked Acer’s Microsoft Exchange server to gain access to Acer’s files. They used these files to leak images of sensitive data that included bank balances, bank communications, and spreadsheets.
  • REvil demanded $50 million in ransom from Acer. The hacker group mentioned they would double the ransom if the $50 million was not paid on time.
  • Acer refused to confirm or deny being hit with a ransomware attack.

How Does Ransomware Spread on a Network?

There are various ways ransomware can spread throughout your organization, including:

1. Compromised Credentials

The easiest and fastest way for threat actors to penetrate your network is to use compromised credentials. With credentials easily available on the Dark Web or through Network Access Brokers (also known as Initial Access Brokers), threat actors can quickly impersonate an authorized user and gain access to critical systems and data.

2. Email Attachments

Ransomware can begin with phishing emails. Attackers may extensively research your employees and executives’ information available on the Surface, Deep, and Dark Web, as well as Social Media to build a credible-looking email that your staff members will feel compelled to open.

These phishing emails can contain malicious attachments. Once you open the attachment, the ransomware can encrypt your files.

3. Drive-by Downloading

A user visits an infected website, which triggers the download of malware without the user’s knowledge and does not require any human interaction. An employee simply needs to visit an infected site and the ransomware is injected into their devices.

4. Malicious Links

Malicious links may be embedded in phishing emails or smishing texts, compromised websites, and/or malicious social media profiles. These links are often accompanied by an urgent message, which encourages users to click on them. Once the user clicks on the link, ransomware is downloaded.

5. Malvertising

In malvertising, ransomware attackers purchase ad space on legitimate high-traffic websites. They then list ads that entice users to click on them. The ads are connected to an exploit kit, which target unpatched vulnerabilities on a device or application.

What Are the Consequences of Ransomware?

The consequences of ransomware typically entail four main areas:

1. Time

Businesses often experience extended downtime during a ransomware attack.  According to Statista, the average downtime of ransomware attacks is 22 days. This three-week delay can not only cripple your organization’s performance, impact your bottom line, and, in the case of industries like healthcare, potentially affect your customers’ lives.

2. Cost

Cost is the most quantifiable consequence of ransomware, whether from the initial operational disruption, the efforts to recover encrypted data or from paying the ransom. According to the 2021 State of Ransomware survey conducted by Sophos:

  • Remediation costs from ransomware attacks more than doubled within the past year. The average cost in 2020 was $761,106 and in 2021 it was $1.85 million, an increase of 143%.
  • The number of businesses that had to pay a ransom cost went from 26% in 2020 to 32% in 2021.
3. Safety

The safety of your employees, both rank-and-file and executives, is impacted by safety in a ransomware attack:

  • Employees: Ninety-two percent of executives have had their credentials exposed. When your staff’s data becomes exposed, this puts them (and even their families) at risk. Executives and VIP employees are most at risk, as they often possess the most confidential information.
4. Reputation

Your brand’s hard-earned reputation is on the line in the event of a ransomware attack—46% of businesses said they suffered reputation damages from cybersecurity attacks. Ransomware affects your operations which directly affects the experiences of your clients/customers.

How to Protect Your Business from Ransomware?

Over half (54%) of IT decision-makers believe cyberattacks today are too advanced for their IT team to manage. Fortunately, there is Constella Dome.

Constella Dome is a risk protection platform that protects your people, brand, and data from external threats. Let’s look at its key features:

  • Continuously monitor your business’ external footprint. Dome provides organizations with automated, continuous monitoring of thousands of public and proprietary data sources to provide unmatched visibility into your exposure to external risks. For example, Dome enables you to know in real-time when your users’ corporate credentials or PII have been exposed on the Dark Web.
  • Delivers relevant, context-rich alerts. You can tune the threat models in Dome to ensure you receive high-value, relevant alerts (instead of flooding your team’s inbox with noise). These alerts provide your team with specific, actionable insights so they can understand the criticality of the threat, the source, and how to mitigate it.
  • Investigates and attributes anonymous threat actors: Dome also gives you the ability to investigate and identify anonymous threat actors and insider threats. It can start with a single attribute, such as a username from an anonymous forum post, and by utilizing our automated discovery of related activity, connections, and credentials, help you gain insight into real-world identities and physical locations.
  • Scales to any size organization. Dome can monitor any size organization. It is meant to monitor your entire organization—not simply a few executives or departments.
  • Combines physical and cyber security. Ransomware can target IT systems that are critical for the operations of cyber-physical systems (CPS).  Gartner predicts that half of asset-intensive organizations will converge their cyber and physical teams under one department by 2025, and Dome delivers a unified view of external risks that can affect Operational Technology (OT) systems as well as traditional IT systems.

Constella Delivers Solutions for Ransomware

Constella provides businesses with state-of-the-art digital risk protection solutions that aim to:

  • Protect your employees, executives, brand, and data from external cyber threats.
  • Equip organizations with threat intelligence for continuous security monitoring and action steps.

Start taking action today by checking your exposure risk.