Chris Swagler | October 2nd, 2023


In the ever-evolving landscape of cyber threats, a significant shift has been observed in the tactics employed by ransomware threat operators, including their abuse of the Remote Desktop Protocol (RDP). According to data from a cybersecurity company, the dwell time – the duration threat operators remain undetected within compromised networks – has plummeted to just five days in the first half of this year, down from nine days in 2022. This acceleration in attack speed is a cause for concern, emphasizing the need for swift and robust countermeasures. Notably, the abuse of RDP remains a persistent issue, contributing to the weaknesses that threat actors exploit.

The Shrinking Dwell Time

The report reveals a noteworthy decline in threat operators’ dwell time, which now stands at a mere five days during the first half of this year. Compared to the ten-day median dwell time recorded in 2022, this sharp reduction highlights the increasing efficiency of ransomware threat actors. The rapid pace of attacks underscores the urgency of fortifying cybersecurity measures to promptly detect and respond to threats.

Ransomware Dominance

Ransomware attacks continue to dominate the cyber threat landscape, constituting an overwhelming 68.75% of all cyberattacks tracked by Sophos this year. This statistic underscores the prominence of ransomware as a favored tool among cybercriminals. However, while ransomware actors are swift in their actions, other cybercriminals tend to adopt a more patient approach, extending their dwell time for potential opportunities to arise.

Divergent Dwell Times

A peculiar trend emerges when considering the dwell times for non-ransomware incidents. While ransomware threat actors are increasingly agile, non-ransomware attackers exhibit an extended dwell time, which has grown from 11 to 13 days in the current year. This dichotomy suggests that while ransomware threat operators exploit quick wins, other cybercriminals adopt a more persistent strategy, potentially waiting for exploitable moments.

Data Exfiltration and Theft

The findings reveal that data exfiltration has occurred in 43.42% of cases, marking a 1.3% increase from the previous year. The data points toward an emerging pattern of heightened data theft incidents. Paradoxically, the number of data theft attacks has decreased, dropping to 31.58% in the first half of 2023 from 42.76% in 2022. This trend is supported by a rise in incidents where confirmation of non-exfiltration was obtained (up from 1.32% to 9.21%).

Temporal Trends and Remote Desktop Protocol Vulnerabilities

Further insights are gained when analyzing the temporal aspects of attacks. The data reveals that threat actors, including ransomware operators, prefer striking organizations on Tuesdays, Wednesdays, and Thursdays. This strategy capitalizes on organizations being understaffed late in the local workday, enabling the intrusion to develop undetected. Notably, ransomware incidents peak on Fridays and Saturdays, taking advantage of reduced responsiveness over the weekend. The report underscores the persistence of the Remote Desktop Protocol (RDP) as a favored tool among attackers. A staggering 95% of intrusions involved the exploitation of Remote Desktop Protocol vulnerabilities. However, it’s vital to note that while RDP was predominantly used for internal activities (93% of cases), only 18% of attacks utilized it externally. This pattern underscores the critical importance of securing RDP to mitigate potential risks.

Mitigation Strategies for Remote Desktop Protocol

Considering these trends, the cybersecurity company recommends prioritizing the security of Remote Desktop Protocol. By denying unauthorized access via RDP, organizations can effectively thwart threat operators and force them to expend more significant effort and time breaking into networks. This delay can significantly enhance the chances of detecting and responding to intrusions. Furthermore, maintaining a vigilant approach to data storage and performing regular checks can help identify threat actors in the early stages of an intrusion, enabling a proactive response.

The cyber threat landscape continues to evolve, with ransomware actors showcasing heightened attack agility. The decreasing dwell time accentuates the urgency of implementing robust cybersecurity measures. As the abuse of Remote Desktop Protocol remains a persistent concern, organizations must prioritize its security to minimize vulnerabilities. By understanding emerging attack patterns and adopting vigilant practices, organizations can enhance their defense mechanisms and proactively safeguard against the ever-adapting threat landscape.

At SpearTip, our firewall review allows our certified engineers to analyze the configurations and interactions of companies’ network infrastructure with the expertise of a skilled penetration tester. Our team helps discover vulnerabilities in firewall systems and enables companies to dedicate their resources to evaluate and prioritize fixes. We provide remediation steps for all uncovered weaknesses to ensure a strengthened security posture, including for people, processes, and technology within the security environment. Our team’s extensive experience gained through responding to tens of thousands of security incidents and our consulting team’s expertise in researching the most modern security practices will improve their operational, procedural, and technical control gaps based on security standards.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.

Frequently Asked Questions

What specific measures can individuals and organizations take to protect themselves against Remote Desktop Protocol attacks?

In order to enhance protection against Remote Desktop Protocol attacks, individuals and organizations can implement several measures. These include ensuring strong and unique passwords for RDP accounts, enabling multi-factor authentication, regularly updating and patching RDP software, restricting RDP access to trusted IP addresses or implementing a virtual private network (VPN) for secure connections, and monitoring RDP logs for suspicious activity.
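As an added example (not from the original article or from SpearTip), the following Python flags three of the RDP signals discussed in this answer and in the mitigation section above: a burst of failed RDP logons from one source, a successful RDP logon from outside an assumed trusted range, and a successful logon over a weekend. The Windows Security event sample and the trusted address ranges are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample Windows Security events (not real telemetry):
# (timestamp, EventID, LogonType, account, source IP).
# 4625 = failed logon, 4624 = successful logon, LogonType 10 = RDP.
SAMPLE_EVENTS = [
    ("2023-09-29T22:01:03", 4625, 10, "administrator", "203.0.113.7"),
    ("2023-09-29T22:01:09", 4625, 10, "administrator", "203.0.113.7"),
    ("2023-09-29T22:01:14", 4625, 10, "admin", "203.0.113.7"),
    ("2023-09-29T22:01:20", 4625, 10, "backup", "203.0.113.7"),
    ("2023-09-29T22:01:27", 4625, 10, "svc_sql", "203.0.113.7"),
    ("2023-09-29T22:01:33", 4624, 10, "svc_sql", "203.0.113.7"),
    ("2023-09-30T03:12:45", 4624, 10, "svc_sql", "203.0.113.7"),  # a Saturday
    ("2023-09-28T09:15:00", 4624, 10, "jdoe", "10.20.1.15"),
    ("2023-09-28T09:16:30", 4625, 10, "jdoe", "10.20.1.15"),
]

# Assumed allow-list of VPN / admin jump-host ranges; adjust to the environment.
TRUSTED_RDP_SOURCES = [ip_network("10.0.0.0/8"), ip_network("192.0.2.0/24")]

def _ts(s):
    return datetime.fromisoformat(s)

def bruteforce_sources(events, threshold=5, window=timedelta(minutes=5)):
    """Source IPs with at least `threshold` failed RDP logons inside a sliding window."""
    failures = defaultdict(list)
    for ts, eid, ltype, _acct, ip in events:
        if eid == 4625 and ltype == 10:
            failures[ip].append(_ts(ts))
    flagged = set()
    for ip, times in failures.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                flagged.add(ip)
                break
    return flagged

def untrusted_rdp_logons(events, trusted=TRUSTED_RDP_SOURCES):
    """Successful RDP logons whose source is outside the trusted allow-list."""
    return [(ts, acct, ip) for ts, eid, ltype, acct, ip in events
            if eid == 4624 and ltype == 10
            and not any(ip_address(ip) in net for net in trusted)]

def weekend_rdp_logons(events):
    """Successful RDP logons on Saturday or Sunday, when response is typically slowest."""
    return [(ts, acct, ip) for ts, eid, ltype, acct, ip in events
            if eid == 4624 and ltype == 10 and _ts(ts).weekday() >= 5]
```

A success from the same source that was just flagged for a failure burst is the combination worth paging on first, since it matches the quick-win pattern the report describes.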

What are the most common methods used by attackers to exploit Remote Desktop Protocol vulnerabilities?

Attackers commonly exploit Remote Desktop Protocol vulnerabilities through various methods. Some prevalent techniques include brute-force attacks, where they attempt to guess weak passwords or use password-cracking tools, exploiting unpatched vulnerabilities in RDP software, and leveraging social engineering techniques to trick individuals into revealing their RDP credentials.

Are there any potential long-term consequences of a successful Remote Desktop Protocol attack, beyond the immediate theft of sensitive data or disruption of operations?

Successful Remote Desktop Protocol attacks can have long-term consequences beyond immediate data theft or operational disruption. These may include reputational damage for organizations, potential legal and regulatory consequences, financial losses resulting from compromised systems or stolen data, and the possibility of further targeted attacks or exploitation of the compromised network by the initial attackers or other threat actors.
