Time to Ransomware Infection Drops from Days to Hours


October 5, 2023

World map

New reporting indicates ransomware operators have reduced the time to infection after initial compromise from an average 4.5 days to a matter of hours.

SecureWorks assessed that in more than of their customer incident response engagements, the attackers had successfully infiltrated the network and deployed a ransomware payload within a shockingly short 24 hour period – and in some cases it took just a few hours.

“The driver for the reduction in median dwell time is likely due to the cybercriminals’ desire for a lower chance of detection. The cybersecurity industry has become much more adept at detecting activity that is a precursor to ransomware,” The Record reports.

“As a result, threat actors are focusing on simpler and quicker to implement operations, rather than big, multi-site enterprise-wide encryption events that are significantly more complex. But the risk from those attacks is still high.”

Takeaway: The findings in the report are concerning, as this significant reduction in dwell time and time to infection means defenders have an even smaller window with which to work in order to detect and respond to these stealthy attacks.

That said, we would disagree with the assessment that this is evidence ransomware operators are moving away from bigger targets that require a more complex attack sequence simply to try to avoid detection.  

There are several other factors that are most likely driving this sharp reduction in time to infection. First, the barriers to entry in the ransomware attack game have all been eliminated. RaaS offerings have become so mature that nearly anyone who can operate a computer can try their luck at being a cybercriminal.

This means we have more than a few low-skilled miscreants out there hitting smaller targets that do not require the technical chops that are needed to compromise a large organization with a more mature security program. They simply don’t have the skills to carry out more advanced attacks.

Another factor is that attackers are increasingly taking advantage of unpatched vulnerabilities and misconfigurations by automating aspects of their attack progressions. Automation means ransomware operators can simply hit more victims faster.

For example, hundreds of organizations have been hit by the Cl0p ransomware gang this year as they continue to exploit known vulnerabilities in the MoveIT and GoAnywhere MFT software. We also saw signs of automation in attacks exploiting a host of other known, patchable vulnerabilities throughout 2023.

In early April, researchers published an analysis of a new semi-autonomous ransomware strain dubbed Rorschach, noted for its automation, fast encryption speed, and stealthy DLL side-loading for security evasion and persistence.

Later in April, the Vice Society ransomware gang was observed using Living-off-the-Land (LotL) techniques with a custom PowerShell-based tool that automates data exfiltration on targeted networks, and the Play ransomware gang also developed two new custom data exfiltration tools. There are plenty of examples of advancements in automation of ransomware operations out there.

Activity like initial ingress, persistence, credential acquisition, and lateral movement on the targeted network usually takes weeks at best, so automating aspects of the attack sequence allows threat actors to compromise more targets faster.  

Automation also means selecting targets that are the low hanging fruit, such as those which can be identified by simply scanning the web for indications that an organization is vulnerable to an exploit, then initiating the automated attack sequence.  

While the ransom payouts may be lower for each victim, automation allows for more victims to be compromised in a shorter time period. Ransomware attacks started out as a clumsy spray-and-pray spam operation that targeted mostly individuals, or individual devices.  

The attack sequences became more APT-like, and we saw the whaling trend commence where the ransomware operators were going after the biggest organizations with the ability to pay the highest ransom demand.

Now the pendulum is swinging back the other way where it is just a numbers game again where the sheer volume of attacks is what drives profits versus putting in a lot of work for one big payday, and it is automation that is driving this trend.

Halcyon.ai is the industry’s first dedicated, adaptive security platform that combines multiple advanced proprietary prevention engines along with AI models focused specifically on stopping ransomware – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile (PDF).