How Does Ransomware Spread? 6 Common Entry Points
Ransomware doesn't appear from nowhere. It enters through specific, predictable weaknesses in your business. Here are the six most common entry points — and what to do about each one.
Most ransomware attacks are not sophisticated. They don't require nation-state resources or zero-day exploits. They succeed because attackers find an unlocked door — and in most South African businesses, several doors are unlocked at once.
Understanding how ransomware gets in is the first step to closing those doors. Here are the six entry points responsible for the overwhelming majority of ransomware incidents in South African businesses.
1. Phishing Emails
Phishing remains the single most common ransomware delivery method globally, and South Africa is no exception. A staff member receives a convincing email — an invoice from a familiar-looking supplier, a courier delivery notification, an HR document requiring urgent attention — and clicks a link or opens an attachment. That single click is enough.
Modern phishing emails are difficult to distinguish from legitimate correspondence. They use real company logos, plausible sender names, and professionally worded content. The tell-tale signs of obvious spam — poor grammar, generic salutations, implausible scenarios — are increasingly rare in targeted attacks.
What makes this worse for SA businesses: Many South African organisations have not published email authentication records (SPF, DKIM and DMARC) for their own domains. Without them, a receiving mail server has no authoritative way to tell that a message claiming to come from your domain did not, so a forged email from "your" finance department to your own staff may pass straight through your gateway. Know the limit of these controls: they stop forgery of domains that publish them, not mail from a lookalike domain (yourcompany-co.za instead of yourcompany.co.za, for example) or from a supplier's genuinely compromised mailbox. Those still need the human check and the sandbox.
What to do: Train staff to verify unexpected requests, above all changes to banking details or urgent payments, through a second channel before acting. Publish SPF and DKIM for every domain you send from, then a DMARC record with an enforcing policy (p=quarantine or p=reject); a DMARC record with p=none only reports and blocks nothing. Use a mail gateway that detonates attachments in a sandbox before delivery.
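The checks above are easy to state and easy to get half right, so here is an added example (not code from the original article) that rates a domain's SPF and DMARC records the way a receiving server would read them. The two domains, their records and the `SAMPLE_DNS` dictionary are constructed for the example; a real check would fetch the TXT records at the domain and at `_dmarc.<domain>` instead. Note the point it encodes: SPF alone does not make a domain unspoofable, because SPF checks the envelope sender while the From: line staff see is only enforced through DMARC.

```python
"""Rate SPF and DMARC records for spoofability (offline, on constructed sample records)."""
import re

# Constructed sample DNS data for two hypothetical domains; not real records.
SAMPLE_DNS = {
    "weak.example": {
        "spf": ["v=spf1 include:_spf.mailhost.example ~all"],
        "dmarc": [],  # no TXT record at _dmarc.weak.example
    },
    "hardened.example": {
        "spf": ["v=spf1 ip4:203.0.113.0/24 include:_spf.mailhost.example -all"],
        "dmarc": ["v=DMARC1; p=reject; rua=mailto:dmarc@hardened.example; pct=100"],
    },
}

LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}  # each costs a DNS query


def mechanism_name(term):
    """'-include:x' -> 'include', 'a/24' -> 'a', 'redirect=x' -> 'redirect', '~all' -> 'all'."""
    return re.split(r"[:/=]", term.lstrip("+-~?"), maxsplit=1)[0].lower()


def assess_spf(records):
    """Return (findings, hard_fail) for the v=spf1 TXT records published at the domain."""
    if not records:
        return ["no SPF record: any host may send as this domain"], False
    findings = []
    if len(records) > 1:
        findings.append("multiple SPF records: receivers treat this as a permanent error")
    terms = records[0].split()[1:]
    lookups = sum(1 for t in terms if mechanism_name(t) in LOOKUP_MECHANISMS)
    if lookups > 10:  # RFC 7208 limit; beyond it the record evaluates to permerror
        findings.append(f"{lookups} DNS-querying mechanisms: exceeds the limit of 10")
    all_terms = [t for t in terms if mechanism_name(t) == "all"]
    if not all_terms:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
        return findings, False
    qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
    explanations = {
        "+": "'+all': every host passes, the record protects nothing",
        "?": "'?all': neutral result, unlisted senders are not failed",
        "~": "'~all': soft fail, many receivers still deliver the message",
    }
    if qualifier in explanations:
        findings.append(explanations[qualifier])
    return findings, qualifier == "-"


def assess_dmarc(records):
    """Return (findings, policy) for the _dmarc TXT records; policy is None when absent."""
    if not records:
        return ["no DMARC record: a forged From: header is never enforced against"], None
    tags = {}
    for part in records[0].split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    findings = []
    policy = tags.get("p", "").lower() or None
    if policy == "none":
        findings.append("p=none: monitoring only, spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail is sent to spam rather than rejected")
    elif policy != "reject":
        findings.append(f"missing or invalid policy tag: {policy!r}")
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(f"pct={pct}: policy applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: you receive no aggregate reports")
    return findings, policy


def assess_domain(domain, dns=SAMPLE_DNS):
    """Combine both checks. 'spoofable' means mail forging the From: domain is not
    quarantined or rejected: SPF only covers the envelope sender, so without an
    enforced DMARC policy the visible From: header can be forged whatever SPF says."""
    spf_findings, hard_fail = assess_spf(dns[domain]["spf"])
    dmarc_findings, policy = assess_dmarc(dns[domain]["dmarc"])
    return {
        "domain": domain,
        "spf": spf_findings,
        "spf_hard_fail": hard_fail,
        "dmarc": dmarc_findings,
        "dmarc_policy": policy,
        "spoofable": policy not in ("quarantine", "reject"),
    }


if __name__ == "__main__":
    for name in SAMPLE_DNS:
        print(assess_domain(name))
```

Run against your own domain's records, the `spoofable` flag is the one to act on first; a `~all` with no DMARC is the common South African case the article describes, and it leaves the domain fully forgeable to your own staff.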
2. Exposed Remote Desktop Protocol (RDP)
Remote Desktop Protocol allows employees and IT administrators to connect to Windows machines remotely. During and after the COVID-19 pandemic, RDP exposure exploded as businesses rushed to enable remote access. Many of those configurations were never reviewed or secured afterwards.
An RDP port left open to the internet is one of the most reliable ransomware entry points available. Automated scanning tools operated by criminal groups probe millions of IP addresses daily, looking for exposed RDP services. When they find one, they attempt to log in using credential lists compiled from previous data breaches. If a user's password has appeared in any prior breach — and billions of credentials are publicly available — the attack can succeed in minutes.
What makes this particularly common in SA: Many smaller South African businesses rely on RDP for remote support from IT providers, and ports are left open permanently as a convenience measure. This is an unacceptable risk.
What to do: If RDP is required, place it behind a VPN (or a remote desktop gateway) so that port 3389 is never directly internet-facing; moving it to a non-standard port is not a fix, because the scanners probe every port. Enforce strong, unique passwords and multi-factor authentication on all remote access, turn on Network Level Authentication, and set an account lockout policy so a credential list cannot be tried at speed. Audit your firewall and NAT rules and close any RDP port that is open to the internet without a VPN in front of it, then confirm from the outside (a port scan of your public IP addresses) that nothing answers. Keep failed-logon events (Security event ID 4625) and alert on bursts from a single source.
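The credential-list attack described above has a recognisable shape in the Windows Security log: a burst of failed RDP logons (event 4625, logon type 10) from one address, often across several usernames, followed by a success (event 4624) from the same address. The detector below is an added example, not code from the original article. The event lines are constructed for the example and rendered as simplified `key=value` text rather than the real XML or CSV export; the field names, event IDs, logon type and NTSTATUS codes are the real ones.

```python
"""Flag RDP password guessing in Windows Security events (constructed sample lines)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample, one event per line with the fields that matter rendered as key=value.
# Event 4625 = failed logon, 4624 = successful logon, LogonType 10 = RemoteInteractive (RDP).
# Status 0xC000006D = bad user name or password, 0xC000006A = wrong password for a real user.
SAMPLE_EVENTS = """\
2024-05-12T02:14:07Z EventID=4625 LogonType=10 TargetUserName=administrator IpAddress=198.51.100.23 Status=0xC000006D
2024-05-12T02:14:09Z EventID=4625 LogonType=10 TargetUserName=admin IpAddress=198.51.100.23 Status=0xC000006D
2024-05-12T02:14:11Z EventID=4625 LogonType=10 TargetUserName=sysadmin IpAddress=198.51.100.23 Status=0xC000006D
2024-05-12T02:14:13Z EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=198.51.100.23 Status=0xC000006D
2024-05-12T02:14:15Z EventID=4625 LogonType=10 TargetUserName=jsmith IpAddress=198.51.100.23 Status=0xC000006D
2024-05-12T02:14:18Z EventID=4624 LogonType=10 TargetUserName=jsmith IpAddress=198.51.100.23 Status=0x0
2024-05-12T08:03:41Z EventID=4625 LogonType=10 TargetUserName=thandi IpAddress=10.0.0.45 Status=0xC000006A
2024-05-12T08:04:02Z EventID=4624 LogonType=10 TargetUserName=thandi IpAddress=10.0.0.45 Status=0x0
"""


def parse_event(line):
    """'<iso-timestamp> key=value ...' -> dict with a datetime under 'ts'."""
    stamp, *fields = line.split()
    event = dict(field.split("=", 1) for field in fields)
    event["ts"] = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")
    return event


def detect_rdp_guessing(text, threshold=5, window=timedelta(minutes=5)):
    """One alert per source IP that reaches `threshold` failed RDP logons inside `window`.
    A later 4624 from that IP while failures are still in the window upgrades the alert:
    that is the 'stolen credential worked' moment, not just scanner noise."""
    recent = defaultdict(deque)   # ip -> failures (ts, user) still inside the window
    alerts = {}                   # ip -> alert
    for line in text.strip().splitlines():
        ev = parse_event(line)
        if ev["LogonType"] != "10":  # only RDP sessions; console and network logons ignored
            continue
        ip, ts, user = ev["IpAddress"], ev["ts"], ev["TargetUserName"]
        failures = recent[ip]
        while failures and ts - failures[0][0] > window:
            failures.popleft()
        if ev["EventID"] == "4625":
            failures.append((ts, user))
            if len(failures) >= threshold and ip not in alerts:
                users = {u for _, u in failures}
                alerts[ip] = {
                    "ip": ip,
                    "severity": "medium",
                    # many accounts, few tries each = spray; one account hammered = brute force
                    "pattern": "password_spray" if len(users) > 1 else "brute_force",
                    "failures": len(failures),
                    "distinct_users": len(users),
                    "first_seen": failures[0][0].isoformat(),
                }
        elif ev["EventID"] == "4624" and ip in alerts and failures:
            alerts[ip].update(severity="high", pattern="success_after_failures",
                              account=user, success_at=ts.isoformat())
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_rdp_guessing(SAMPLE_EVENTS):
        print(alert)
```

The single typo-then-success from 10.0.0.45 never reaches the threshold and produces nothing, which is the point of the sliding window: the rule fires on the attacker's cadence, not on a user who mistyped once. A high-severity hit with a real account name is a disable-the-account-and-investigate event, because the next step in the article's scenario is the attacker moving around the network with that login.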
3. Unpatched Software and Operating Systems
Software vulnerabilities are discovered constantly. When a vulnerability is disclosed, the vendor releases a patch. In the window between disclosure and patching, attackers actively exploit the known weakness.
For businesses running outdated operating systems, such as Windows 7 and Windows Server 2012 (both out of support and no longer receiving security updates) or unpatched builds of Windows 10, the attack surface is enormous. These systems have known, documented vulnerabilities with freely available exploit code. Attackers do not need to develop their own tools; they simply use what is already public.
What makes this worse: Many South African SMEs run business-critical software — accounting packages, ERP systems, legacy databases — that is incompatible with modern operating systems, creating pressure to keep old systems running indefinitely. Those systems become permanent vulnerabilities.
What to do: Maintain a patching schedule that applies security updates within 72 hours of release for critical vulnerabilities, and sooner for anything internet-facing that is being actively exploited. For legacy systems that cannot be updated, isolate them from the rest of the network: put them on their own segment, give them no direct internet access, restrict which hosts may reach them, and run application allow-listing on them. Plan migration away from end-of-life systems as a business priority, not an IT wish-list item.
4. Compromised Credentials
Ransomware groups frequently purchase access rather than earning it. Stolen username and password combinations from previous data breaches are bought and sold on criminal marketplaces for trivial sums. A valid set of VPN credentials for a South African business might cost a few hundred rand.
Once an attacker has working credentials, they can log in as a legitimate user. Nothing trips a firewall or antivirus alert and no security control is bypassed, because none was violated: as far as your systems are concerned, they are an authorised employee. The only signals are behavioural: a logon from an unusual country, device or hour, or a user who suddenly starts enumerating file shares and domain accounts.
The password reuse problem: If a staff member uses the same password for their work email as for a breached online service, their work credentials are compromised. This is extremely common — surveys consistently find that more than 50% of people reuse passwords across multiple services.
What to do: Enforce multi-factor authentication (MFA) on every system that supports it: email, VPN, cloud services, administrative consoles. MFA means that stolen credentials alone are not sufficient to gain access. Prefer app-based MFA with number matching or FIDO2 security keys over SMS codes and plain push approvals, which can be phished or worn down by repeated prompts. Also implement a policy against password reuse, screen new passwords against known breach lists, and provide a password manager so staff can comply.
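The breached-credential problem above can be checked at password-set time without ever sending the password anywhere, using the k-anonymity scheme the Pwned Passwords range API uses: hash the password with SHA-1, send only the first five hex characters, receive every known hash suffix for that prefix, and compare locally. The code below is an added example, not code from the original article. `FAKE_CORPUS` and its counts are constructed so the example runs offline, and `fake_range_lookup` stands in for the HTTP call to `https://api.pwnedpasswords.com/range/<prefix>`; the hashing, prefix length and `SUFFIX:COUNT` response format match that service.

```python
"""Check passwords against a breach corpus by hash prefix (k-anonymity), offline."""
import hashlib

# Constructed stand-in corpus: a handful of passwords with made-up breach counts.
# The real Pwned Passwords corpus holds hundreds of millions of hashes; these numbers are not real.
FAKE_CORPUS = {"password": 9_000_000, "Password1": 2_500_000, "Summer2024!": 1_200}


def sha1_hex(password):
    """Upper-case hex SHA-1, the form the Pwned Passwords range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def sha1_prefix(password):
    """The only thing that leaves the machine: the first five hex characters (20 bits)."""
    return sha1_hex(password)[:5]


def fake_range_lookup(prefix):
    """Stand-in for GET https://api.pwnedpasswords.com/range/<prefix>, which returns one
    'SUFFIX:COUNT' line per known hash starting with that prefix. Built from FAKE_CORPUS
    so the example runs offline; swap in an HTTP call for a real check."""
    lines = []
    for pw, count in FAKE_CORPUS.items():
        digest = sha1_hex(pw)
        if digest.startswith(prefix):
            lines.append(f"{digest[5:]}:{count}")
    return lines


def breach_count(password, range_lookup=fake_range_lookup):
    """Return how often the password appears in the corpus (0 = not seen).
    Only the 5-character prefix is sent; the suffix comparison happens locally, so
    the service never learns which password, or even which full hash, was checked."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in range_lookup(prefix):
        found, _, count = line.partition(":")
        if found == suffix:
            return int(count)
    return 0


def screen_new_password(password, min_length=8, range_lookup=fake_range_lookup):
    """Policy check to run when a user sets or changes a password: reject anything short
    or anything already in a breach corpus, since credential lists are tried first."""
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    seen = breach_count(password, range_lookup)
    if seen:
        return False, f"seen {seen} times in known breaches"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("Password1", "Summer2024!", "correct-horse-battery-staple-2024"):
        print(candidate, screen_new_password(candidate))
```

Hooking `screen_new_password` into the password-change flow (Active Directory password filters and most identity providers support a check of this kind) is the practical form of the "no reuse" policy: it catches the passwords an attacker already holds, which is exactly the set a credential-stuffing list is built from.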
5. Malicious Downloads and Drive-By Infections
Staff browsing the web as part of their work can inadvertently download malware through:
- Fake software download sites (a search for a free PDF converter may land on a site distributing malware)
- Compromised legitimate websites that have been injected with malicious code
- Pirated software that has been bundled with ransomware
- Browser extensions from untrusted sources
This entry point is particularly difficult to defend against purely through staff training, because some drive-by infections exploit an unpatched browser or plugin and require no action beyond visiting a website; the patching discipline from entry point 3 matters here as much as anywhere.
What to do: Use a web filtering solution that blocks access to known malicious sites and categories. Restrict browser extension installation to an approved list. Enforce a policy against installation of unlicensed software, and remove local administrator rights so staff cannot install software at all without IT involvement. Keep browsers current and ensure endpoint protection is up to date and includes web protection.
6. Third-Party and Supply Chain Access
If a supplier, contractor, or IT service provider has access to your network and their systems are compromised, that compromise can propagate directly to you. Several high-profile ransomware incidents have originated through managed service providers — the attackers compromised one provider and used that access to attack all of the provider's clients simultaneously.
Smaller SA businesses that rely on external IT support often grant those providers broad, persistent access to their environments — sometimes through shared administrator accounts with no MFA. That access is only as secure as the provider's own security posture.
What to do: Review all third-party access to your environment. Give each provider staff member a named, individual account rather than a shared administrator login, so that access can be revoked and audited per person. Enforce MFA for all external access. Use time-limited or just-in-time access rather than permanent standing access. Include security requirements in contracts with IT providers and ask them directly how they protect access to client environments.
None of These Are Inevitable
Each of these entry points has practical, affordable countermeasures. You do not need an enterprise security team to address them. What you do need is a clear picture of where your current exposure lies.
Our free security assessment evaluates your organisation against these and other key risk factors and gives you a prioritised list of improvements — ranked by impact and effort. Most businesses that complete it identify at least two or three critical gaps they weren't aware of.
The other half of the equation is what happens if prevention fails. Immutable, off-network backup that you test-restore regularly means that even a successful ransomware attack doesn't end your business: you restore from a clean copy and continue operating. Prevention and recovery work together, not as alternatives.