How Ransomware Uses File Sharing to Spread

Ransomware doesn't arrive via brute force. It arrives via email. More specifically, it often arrives via a shared file link that looks completely legitimate — because it's hosted on a real, trusted platform.

The Trusted Platform Trick

Attackers upload malicious files — disguised as invoices, contracts, delivery notifications — to legitimate file sharing services. They then send a phishing email with a link to the file. The URL looks trustworthy (dropbox.com, onedrive.com, or any recognised domain), the link passes spam filters, and the recipient clicks it without suspicion.

This technique is called "living off trusted sites" — using platforms that companies have already allowed in their email security policies.

Common Disguises

• PDF named "Invoice_#12847.pdf" (actually an exploit document)
• ZIP named "Project_Files.zip" (contains malicious executable)
• DOCX with macros named "Contract_Draft.docx"
• HTML file that harvests credentials when opened

How to Protect Yourself

1. Never open files from unexpected sources — even if the hosting domain looks legitimate
2. Check the sender's email domain carefully — attackers use lookalike domains (clientco.com vs cl1entco.com)
3. Scan before opening — run downloaded files through your antivirus before executing them
4. Disable macros by default — Office documents should never need macros to display content
5. Verify out of band — if a colleague sends an unexpected file link, confirm via a separate channel before opening

For File Sharing Platform Users

Platforms like TiniDrop validate file formats and block executable file types that are commonly used as ransomware delivery vehicles. Combined with Cloudflare's network-level threat protection, malicious patterns are filtered before they reach recipients.