Automation Speeds Ransomware Time to Infection


February 6, 2024


In December 2022, researchers observed ransomware operators gaining initial access through a Remote Desktop Protocol (RDP) instance, a favored infection vector. Within a few hours of initial access, the attackers had already exfiltrated data and executed ransomware across the entire network.

“The threat actors employed a batch script to exfiltrate data, and dropped a series of other batch scripts that could hinder defensive measures, establish a user account, grant access through the firewall for RDP, and automate other intrusion actions,” the researchers stated.

“It appears the threat actor in this case has highly customized the instance of Netscan to use it as a centralized command tool to automate many actions, including removing Antivirus, adding new users, and modifying the firewall, all using PSEXEC. They have ‘Application’ commands available to run if the user already has elevated rights or versions of the commands that can be supplied credentials later if elevation is required and obtained in later stages.”
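The chain quoted above (PsExec-launched commands that add a user, open the firewall for RDP and remove antivirus) is the kind of activity a detection engineer wants to catch as a cluster rather than as isolated administrative commands, because each command on its own is routine. The following Python is an added example, not code from the researchers or from Halcyon: it runs a few constructed Sysmon-style process-creation records (the field names, hostnames, timestamps and the ten-minute window are assumptions, as are the command-line patterns, since the report does not list the exact commands) through per-technique regular expressions and flags a host where two or more techniques fire within the window, noting whether they ran as children of PSEXESVC.exe.

```python
"""Correlate PsExec-driven post-exploitation commands (account creation,
RDP firewall rule, AV removal) in process-creation telemetry.
Added illustration with constructed sample events; not the researchers'
or Halcyon's code."""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Sysmon Event ID 1-style records. Field names (ts, host, user,
# parent, cmd) and all values are assumptions made for this example.
SAMPLE_EVENTS = [
    {"ts": "2022-12-10T02:14:05", "host": "FS01", "user": "CORP\\svc_backup",
     "parent": r"C:\Windows\PSEXESVC.exe",
     "cmd": "net user helpdesk P@ssw0rd! /add"},
    {"ts": "2022-12-10T02:14:07", "host": "FS01", "user": "CORP\\svc_backup",
     "parent": r"C:\Windows\PSEXESVC.exe",
     "cmd": "net localgroup administrators helpdesk /add"},
    {"ts": "2022-12-10T02:14:11", "host": "FS01", "user": "CORP\\svc_backup",
     "parent": r"C:\Windows\PSEXESVC.exe",
     "cmd": 'netsh advfirewall firewall add rule name="RDP" dir=in '
            "action=allow protocol=TCP localport=3389"},
    {"ts": "2022-12-10T02:14:20", "host": "FS01", "user": "CORP\\svc_backup",
     "parent": r"C:\Windows\PSEXESVC.exe",
     "cmd": "wmic product where \"name like '%Antivirus%'\" call uninstall "
            "/nointeractive"},
    # Benign-looking admin activity on another host, hours apart, not via PsExec.
    {"ts": "2022-12-10T09:30:00", "host": "WS17", "user": "CORP\\jdoe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmd": "net user /domain"},
    {"ts": "2022-12-10T17:45:00", "host": "WS17", "user": "CORP\\admin",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmd": 'netsh advfirewall firewall add rule name="RDP" dir=in '
            "action=allow protocol=TCP localport=3389"},
]

# Per-technique patterns. These are illustrative; tune to your environment.
RULES = {
    "account_creation": re.compile(
        r"\bnet1?\s+(user|localgroup)\b.*\s/add\b", re.I),
    "rdp_firewall_rule": re.compile(
        r"\bnetsh\s+advfirewall\s+firewall\s+(add|set)\s+rule\b"
        r".*(3389|remote\s*desktop)", re.I),
    "av_removal": re.compile(
        r"\bwmic\s+product\b.*\bcall\s+uninstall\b|\bsc\s+(stop|delete)\b", re.I),
}
PSEXEC_PARENT = re.compile(r"\\PSEXESVC\.exe$", re.I)
WINDOW = timedelta(minutes=10)


def classify(event: dict) -> list[str]:
    """Return the technique tags an event matches, plus 'psexec_child'
    when its parent is the PsExec service binary."""
    tags = [name for name, rx in RULES.items() if rx.search(event["cmd"])]
    if PSEXEC_PARENT.search(event["parent"]):
        tags.append("psexec_child")
    return tags


def correlate(events: list[dict], window: timedelta = WINDOW,
              min_techniques: int = 2) -> list[dict]:
    """Flag each host on which at least `min_techniques` distinct techniques
    fire inside `window`. One finding per host, anchored at the earliest
    event that starts a qualifying cluster."""
    by_host: dict[str, list] = defaultdict(list)
    for e in events:
        tags = classify(e)
        techniques = {t for t in tags if t != "psexec_child"}
        if techniques:
            by_host[e["host"]].append(
                (datetime.fromisoformat(e["ts"]), techniques, "psexec_child" in tags))

    findings = []
    for host, items in by_host.items():
        items.sort(key=lambda it: it[0])
        for t0, _, _ in items:
            cluster = [it for it in items if t0 <= it[0] <= t0 + window]
            seen = set().union(*(c[1] for c in cluster))
            if len(seen) >= min_techniques:
                findings.append({
                    "host": host,
                    "start": t0.isoformat(),
                    "techniques": sorted(seen),
                    "via_psexec": any(c[2] for c in cluster),
                })
                break
    return findings


if __name__ == "__main__":
    for f in correlate(SAMPLE_EVENTS):
        print(f)
```

The point of the correlation step is visible in the sample: the second host runs the same firewall command an administrator might legitimately run, but only one technique fires there and hours apart, so it is not reported; the first host trips three techniques in fifteen seconds under PSEXESVC.exe, which is the automated pattern the quoted report describes. In production the patterns would also need to cover the tool's own execution paths and the batch scripts it drops, which the report does not enumerate.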

Takeaway: The majority of organizations simply cannot defend against these well-resourced, motivated attackers who are increasingly observed leveraging a wide variety of advanced attack methodologies and automated attack sequences.

Ransomware attacks on critical infrastructure providers and other organizations have risen to the level of outright cyberterrorism, and the government needs to stop treating these attacks as a corporate IT issue.

Ransomware operators are flush with cash and regularly invest a lot of resources into improving their TTPs including finding novel ways to gain initial access, establish persistence, compromise credentials, and move laterally through the targeted network – and they are automating a good deal of these operations.

This trend is more than evident in the observed increase in the exploitation of known vulnerabilities, the surprising use of zero-days for ransomware attacks, the use of more advanced techniques like DLL side-loading and Living-off-the-Land techniques that abuse LoLBins, as well as the creativity observed in establishing new infection vectors.

We see evidence of this automation in the thousands of organizations that have been hit by the Cl0p ransomware gang in rapid succession. Threat actors will continue to automate more aspects of their attack sequences for efficiency.

Just in the last year we have seen ransomware operators improve efficiencies across the entire attack progression: initial compromise, improved stealth, bypassing endpoint protection, payload delivery methods, and dramatically faster encryption.

In fact, recent reporting indicates ransomware operators have reduced the time to infection after initial compromise from an average 4.5 days to a matter of hours.

This is concerning, as such a significant reduction in time-to-infection means defenders have an even smaller window in which to detect and respond to these disruptive attacks. We also saw signs of automation in attacks exploiting many other patchable vulnerabilities throughout 2023.

In early April, researchers published an analysis of a new semi-autonomous ransomware strain dubbed Rorschach, noted for its automation, fast encryption speed, and stealthy DLL side-loading for security evasion and persistence.

Later in April, the Vice Society ransomware gang was observed using Living-off-the-Land (LotL) techniques with a custom PowerShell-based tool that automates data exfiltration on targeted networks, and the Play ransomware gang also developed two new custom data exfiltration tools.

There are plenty of examples of advancements in TTPs of ransomware operations out there, and we are seeing more tactics and techniques employed that were previously only observed in state-sponsored APT operations.

The US government needs to stop telling American companies that they just have to fend for themselves. We need intervention to protect organizations from what are known to be nation-state threat actors who freelance as cybercriminal attackers on the side.

We need more than guidelines, frameworks and proclamations. Ransomware attacks against critical infrastructure such as healthcare providers should be considered cyberterrorism, and the U.S. government should be addressing these attacks as such.

Halcyon is the leading anti-ransomware company that closes endpoint protection gaps and defeats ransomware through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration prevention. Talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.