From weeks to hours: Why ransomware attacks are getting quicker
Businesses will need to adapt as ransomware gangs take less time to steal and encrypt data than ever before.
Ransomware gangs are taking less time than ever to steal and encrypt data.
Recent incident response data from the ThreatDown Intelligence team reveals that the entire ransomware attack chain—from initial access, to lateral movement, to data exfiltration and then encryption—has decreased from weeks to hours.
“Over the past year or two, the time from initial ingress to ransomware execution has drastically decreased,” says Brad French, Malware Removal Specialist at ThreatDown. “Previously, this process took weeks to a month; now, it often occurs within hours. Although we don’t always pinpoint the exact moment of initial access, indicators suggest that it typically happens within 24 hours.”
But why are ransomware attacks happening in an ever-shortening time frame? And how can organizations prepare themselves against this shift in tactics? Let’s dive into it.
Motivated and automated
We believe that one reason ransomware attacks are getting shorter is that as companies improve their cybersecurity, attackers know they need to act within shorter timeframes to avoid detection.
“Many companies now have EDR, which makes threat actors more cautious,” says Taylor Triggs, Malware Removal Specialist at ThreatDown. “Attackers are forced to adapt to defensive technologies by executing their malicious activities more swiftly and efficiently.”
According to Marcelo Rivero, Senior Malware Research Engineer at ThreatDown, the rise of Ransomware-as-a-Service (RaaS) has also significantly reduced attacker dwell time.
“Previously, ransomware attackers had to manually execute commands and scripts, analyze network configurations, and exploit vulnerabilities, which was time-consuming and increased the risk of detection,” Rivero says. “RaaS kits, however, often include automated scripts and tools for scanning networks, harvesting credentials, exploiting vulnerabilities, and more, facilitating rapid lateral movement within compromised networks.”
In other words, not only are ransomware attackers more motivated than before to attack quickly, but they also have the means to do so thanks to the automated tooling included in many RaaS kits.
Examples of quick ransomware attacks
Let’s look at a few examples of quick ransomware attacks in action, taken from real incident response cases at ThreatDown.
Case 1: 7 hours and 30 minutes
A threat actor executed PowerShell commands to enable RDP on an admin’s laptop at 1:29 AM on June 11th, 2024. By 9 AM the same day, the attacker had accessed the customer’s email tenant, removed all protective software, and encrypted all systems.
The rapid execution was facilitated by an autorun entry placed in the Startup folder of two user profiles:
C:\USERS\ADMINISTRATOR\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\RUNWALLPAPERSETUPINIT.CMD
C:\USERS\DEFAULT\APPDATA\ROAMING\MICROSOFT\WINDOWS\START MENU\PROGRAMS\STARTUP\RUNWALLPAPERSETUPINIT.CMD
At 1:29 AM, PSExecSvc issued instructions using cmd.exe to disable the firewall for RDP. By 2:32 AM, ThreatDown removals from endpoints began, indicating the attackers had accessed the Nebula portal to remove protections and allow their payloads to run.
Case 2: 19 hours
An attacker began system administrator activities around 9 AM on June 4th, 2024, and started encrypting data by 4:50 AM on June 5th.
On the 5th, scripts executed files on \\127.0.0.1 for endpoints using a .bat file. Data collection and archiving occurred on systems, along with Defender exclusions for %programdata% and the disabling of Windows Defender.
The following command was used for shadow deletion:
cmd.exe /c "echo delete shadows all | diskshadow"
The file rbc.exe was used for encrypting files. The encryption command:
Encrypt command - C:\ProgramData\rbc.exe --key zuIDTuXl6Q9B --hv --noselfdelete --noshadowdelete --log C:\ProgramData\MTGT2SVR_log0.txt
The binary was then removed with a delayed self-delete (a 3-second timeout via choice, followed by del):
cmd.exe /c "choice /C Y /N /D Y /T 3" & del C:\ProgramData\rbc.exe
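As an added example (not code from ThreatDown or from the cases above), the following Python script turns the indicators seen in the two cases into simple command-line matching rules and runs them over constructed sample process events. The Add-MpPreference command is an assumed form of the Defender exclusion the cases only mention, and the sample events are constructed, not real telemetry.

```python
import re

# Detection rules derived from the indicators described in the two cases:
# a .cmd autorun in the Startup folder, shadow deletion via diskshadow,
# a Defender exclusion for %programdata%, and a delayed self-delete.
RULES = [
    ("startup_folder_cmd_autorun",
     re.compile(r"\\start menu\\programs\\startup\\[^\\]+\.(cmd|bat)$", re.I)),
    ("diskshadow_delete_shadows",
     re.compile(r"delete\s+shadows.*\|\s*diskshadow", re.I)),
    # Assumed form of the exclusion command; the page only says an exclusion was added.
    ("defender_exclusion_programdata",
     re.compile(r"Add-MpPreference.*ExclusionPath.*programdata", re.I)),
    ("delayed_self_delete",
     re.compile(r"choice\s+/C\s+Y.*?/T\s+\d+.*&\s*del\s+", re.I)),
]


def match_rules(command_line: str) -> list[str]:
    """Return the names of every rule the command line or path matches."""
    return [name for name, rx in RULES if rx.search(command_line)]


def triage(events):
    """events: iterable of (timestamp, command_line). Returns (timestamp, rule names) for hits."""
    hits = []
    for ts, cmd in events:
        names = match_rules(cmd)
        if names:
            hits.append((ts, names))
    return hits


# Constructed sample events modelled on the cases above (not real telemetry).
SAMPLE_EVENTS = [
    ("01:29", r"C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RunWallpaperSetupInit.cmd"),
    ("01:30", 'cmd.exe /c "echo delete shadows all | diskshadow"'),
    ("01:31", 'powershell.exe Add-MpPreference -ExclusionPath "%programdata%"'),
    ("01:32", 'cmd.exe /c "choice /C Y /N /D Y /T 3" & del C:\\ProgramData\\rbc.exe'),
    ("01:33", "notepad.exe C:\\Users\\Administrator\\notes.txt"),  # benign, should not match
]

if __name__ == "__main__":
    for ts, names in triage(SAMPLE_EVENTS):
        print(ts, ", ".join(names))
```

Any one of these hits at 1 AM on a domain-joined workstation is worth an immediate page to the on-call analyst; the point of the exercise is that all four appear within minutes of each other.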
What quicker attacks mean for businesses
In the past, security teams had at least a few days, if not weeks, to detect and boot off ransomware gangs lurking in their network. This meant that defense was less centered around “24×7 monitoring” and more about “monitoring” in general.
With ransomware gangs becoming more motivated and more automated, however, that picture has changed: Time is now of the essence. As we saw in our two case studies—where the average time to encryption was just 13 hours—defenders cannot afford to leave their networks unmonitored for even a few hours.
Availability is also of the essence: Attackers are always looking to strike when they know IT staff won’t be around, including weekends and the early hours of the morning. Notice again how, in each of the two case studies, encryption events began when defenders are likely to be asleep, between 1 AM and 4 AM.
In other words, 24×7 monitoring by people with the skills to spot the early signs of a ransomware attack, and to perform proactive threat hunting and incident response, is now all but required to nip ransomware attacks in the bud.
When it comes to great security and high ROI, MDR is tough to beat
Managed Detection and Response (MDR) is a cost-efficient way to reap the benefits of a 24×7 Security Operations Center (SOC) for organizations who lack the budget to set one up themselves.
With MDR, organizations have access to a round-the-clock team of experts to threat hunt, stay on top of the latest adversary tools, techniques, and procedures (TTPs), and quickly remediate threats as necessary.
Purpose-built for organizations with small (to non-existent) security teams that lack the resources to address emerging threats like Akira ransomware, the ThreatDown Ultimate Bundle includes award-winning technologies and 24x7x365 expert-managed monitoring and response from the ThreatDown MDR team.