The average attack time for a ransomware attack in 2021, measured from initial network access to payload deployment, was found to be 92.5 hours.
In 2020, ransomware attackers needed an average of 230 hours to complete an attack; in 2019, they needed 1637.6 hours.
This change speaks to a more streamlined approach that has gradually developed over the years to make larger operations more profitable.
At the same time, improvements in incident response and threat detection are forcing attackers to act more quickly, reducing the reaction margin of defenders.
From access broker to encryption
This data was gathered from incidents analyzed in 2021 by researchers from IBM’s X-Force team, who also found closer cooperation between early access brokers and ransomware operators.
Previously, network access brokers would wait days or even weeks before finding a buyer for network access.
Some ransomware organizations are also taking direct control of the initial infection vector, such as Conti, which took over the operations of the TrickBot malware.
Malware that infiltrates corporate networks is quickly leveraged to enable the post-exploit phase of an attack, sometimes achieving its objective in just a few minutes.
As for the tools and techniques used by ransomware attackers, the ones commonly observed are Cobalt Strike for session maintenance, RDP for lateral movement, Mimikatz and LSASS dumps for credential theft, and SMB together with WMIC and PsExec for deploying payloads on network hosts.
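As an added illustration (not code from the IBM X-Force report), the following Python snippet flags the techniques listed above in a handful of constructed Windows event records and measures the elapsed time from the first flagged event to payload deployment, the same interval the report quantifies. The event IDs used are real (Security 4624 with logon type 10, System 7045, Sysmon 1 and 10); the timestamps, hostnames, paths and field layout are assumptions made for the example.

```python
from datetime import datetime

# Constructed sample events; the field layout is a simplified stand-in
# for parsed Windows Security/System and Sysmon records.
SAMPLE_EVENTS = [
    {"ts": "2021-06-01T09:00:00", "src": "Security", "id": 4624, "LogonType": 3},
    {"ts": "2021-06-01T09:05:00", "src": "Sysmon", "id": 10,
     "SourceImage": r"C:\Users\bob\AppData\Local\Temp\procdump.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe"},
    {"ts": "2021-06-02T11:30:00", "src": "Security", "id": 4624, "LogonType": 10,
     "Workstation": "WS-17"},
    {"ts": "2021-06-03T14:00:00", "src": "System", "id": 7045,
     "ServiceName": "PSEXESVC", "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    {"ts": "2021-06-03T14:02:00", "src": "Sysmon", "id": 1,
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "Image": r"C:\Windows\Temp\enc.exe"},
]


def classify(ev):
    """Map one event to a technique from the article's list, or None."""
    src, eid = ev["src"], ev["id"]
    # Sysmon 10 (ProcessAccess) against lsass.exe: credential dumping.
    if src == "Sysmon" and eid == 10 and ev.get("TargetImage", "").lower().endswith("lsass.exe"):
        return "credential access: LSASS handle"
    # Security 4624 logon type 10 (RemoteInteractive): RDP lateral movement.
    if src == "Security" and eid == 4624 and ev.get("LogonType") == 10:
        return "lateral movement: RDP logon"
    # System 7045: PsExec installs its PSEXESVC service on the target host.
    if src == "System" and eid == 7045 and ev.get("ServiceName", "").upper() == "PSEXESVC":
        return "payload deployment: PsExec service"
    # Sysmon 1 with WmiPrvSE.exe as parent: process launched through WMI.
    if src == "Sysmon" and eid == 1 and ev.get("ParentImage", "").lower().endswith("wmiprvse.exe"):
        return "payload deployment: WMI-spawned process"
    return None


def timeline(events):
    """Return (ordered technique labels, hours from first to last flagged event)."""
    hits = sorted((datetime.fromisoformat(e["ts"]), classify(e)) for e in events if classify(e))
    hours = (hits[-1][0] - hits[0][0]).total_seconds() / 3600 if hits else 0.0
    return [label for _, label in hits], round(hours, 2)


if __name__ == "__main__":
    labels, hours = timeline(SAMPLE_EVENTS)
    print("\n".join(labels), f"\nelapsed: {hours} h")
```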
Faster detection, but not enough
Threat detection and response system performance in 2021 was better than in 2019, but this was not enough, he said.
One of the most impressive developments in this area has been endpoint detection solutions, where only 8% of eligible organizations had such capabilities in 2019; by 2021, this percentage had increased to 36%.
As for alerts generated by security tools, IBM X-Force data shows that in 2019, 42% of attacked organizations received timely alerts; in 2021, alerts were delivered in 64% of network intrusions.
Despite improvements in defenses, ransomware continues to pose a significant threat. This is because attackers employ a highly targeted approach, switching to manual hacking to gain entry into the victim’s network and keeping a low profile until the final stage of the attack: system encryption.
Ransomware attackers are clearly acting more quickly: an April 2022 case study describes how the IcedID malware went from infection to Quantum ransomware deployment in just 3 hours and 44 minutes.
Also, the encryption process is getting faster these days. Once started, it is often very difficult to stop before considerable damage is done.