How does ransomware spread via email?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
Email is still the most common initial vector for ransomware. The reason is straightforward: it's hard to block entirely, and it relies on human behavior that security tools can't fully control.
The typical delivery mechanism is a malicious attachment: a Word document with a macro that downloads ransomware when enabled, a ZIP archive containing an executable, or a PDF with an embedded link to a download. The social engineering that gets people to open these attachments is usually one of three things: it looks like a missed delivery notification, a financial document (invoice, receipt, wire confirmation), or an internal document from a colleague or manager. These are things people legitimately receive and open regularly.
The malicious link approach routes through a similar pattern. A link in the email goes to a legitimate-looking but compromised website. When the victim visits the page, an exploit kit silently tries known browser or plugin vulnerabilities. If one succeeds, malware gets installed without the victim doing anything beyond visiting the URL.
Once ransomware executes on one machine, it typically scans the local network and cloud storage for writable files and attempts to spread. This is why a single person opening a phishing attachment can result in entire file server directories being encrypted.
Why email-based delivery persists despite filters: attachment scanning is imperfect, particularly for encrypted or password-protected archives. Link-based delivery can use URLs that aren't blocklisted at delivery time because the malicious content is only staged after the email passes filters. And macro-based delivery relies on a legitimate application feature (Word, Excel macros) that many organizations still need.
For organizations: disabling macros by default for email-delivered documents, training staff to verify unexpected attachments through a separate channel before opening them, and enabling MFA on email accounts are the most impactful defenses.
For more on this, see What are email security awareness programs.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.