Fox-IT has encountered various ways in which ransomware is being spread and activated. Many infections happen by sending spam e-mails and luring the receiver in opening the infected attachment. In the past few months, FoxCERT was involved in several investigations where a different technique surfaced. The attackers got access to the servers by brute forcing usernames and passwords on remote desktop servers that are accessible from the internet. Underground markets exist where RDP credentials can be sold for an easy cash-out for the attacker.”]
Source: https://blog.fox-it.com/2016/05/02/ransomware-deployments-after-brute-force-rdp-attack/