Regardless of the infection route, almost every type of ransomware follows a series of steps — often repeated steps — to attack users. Most recent ransomware infections of healthcare workstations could be traced to clinical staff web browsing from a workstation that was missing Flash player patches.

Ransomware can infiltrate a computer or device in a number of ways:

• Phishing emails
Legitimate-looking emails with malicious attachments or links to compromised websites are sent to employees. When clicked or opened, ransomware downloads and calls out to its command-and-control server

• Unpatched programs/drive-by downloads
Users with vulnerable programs (an outdated browser, software that’s missing a plug-in, or an unpatched third-party app) visit a compromised website, allowing an exploit kit to download and install.

• Compromised websites
A user visits a legitimate website whose security has been compromised, hiding malicious scripts. Those scripts redirect the user to an exploit kit, which installs on the user’s computer.

• Malvertising
Infected banner ads on legitimate sites can initiate an exploit kit that checks for vulnerabilities in the user’s system — without even being clicked — allowing malicious scripts to infect their workstation in seconds.

• Free software downloads
When a user willingly downloads a file, that file bypasses firewalls and email filters, and goes straight to the user’s hard drive.