Chris Swagler | June 15th, 2022

In 2021, ransomware attacks lasted around 92.5 hours on average, measured from initial network access to payload deployment. Ransomware threat actors spent an average of 230 hours to complete their attacks in 2020 and 1637 hours in 2019. The change reflects threat actors adopting a more streamlined approach that has evolved over the years to improve the profitability of large-scale ransomware operations. Improvements in incident response and threat detection have forced threat actors to move faster, leaving defenders with a narrower margin in which to react.

Researchers gathered data from incidents analyzed in 2021 and found initial access brokers and ransomware operators collaborating closely. Network access brokers previously waited days or weeks before finding a buyer for their network access. Additionally, several ransomware groups have direct control over the initial infection vector, one example being Conti assuming control of the TrickBot malware operation. Malware that infiltrates a company's network is promptly exploited to enable the attack's post-exploitation stages, which can complete their objectives in minutes.

(Source: IBM)

When it comes to tools and methods used by ransomware threat actors, Cobalt Strike is commonly used for interactive sessions, RDP for lateral movement, Mimikatz and LSASS dumps for credential theft, and SMB with WMIC and PsExec for spreading payloads to hosts across the network.

(Source: IBM)
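Each of the tools named above leaves a recognizable trace in Windows telemetry, which is what gives defenders their reaction margin. The following script is an added example, not code from SpearTip or IBM: it runs a handful of detection rules over a constructed set of Windows Security, System and Sysmon events (LSASS process access, RDP logons, WMIC remote process creation, the PsExec service install, and Cobalt Strike's well-known default named-pipe names) and reports the hits as a timeline. The event dictionaries, host names and the `LSASS_ALLOWLIST` are assumptions made for illustration; the event IDs and field names follow standard Windows and Sysmon logging.

```python
import re
from datetime import datetime

# Constructed sample events (not real telemetry). Field names mirror the usual
# Windows Security / System / Sysmon event-log fields.
SAMPLE_EVENTS = [
    # Sysmon 10: an unknown binary opens LSASS with 0x1010 (VM_READ | QUERY_LIMITED_INFO),
    # the access mask typically seen with Mimikatz-style credential dumping
    {"ts": "2022-04-01T02:10:05", "host": "WS-04", "source": "Sysmon", "event_id": 10,
     "SourceImage": r"C:\Users\jdoe\AppData\Local\Temp\mm.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1010"},
    # Sysmon 10: Defender legitimately touching LSASS; should be allowlisted
    {"ts": "2022-04-01T02:11:30", "host": "WS-04", "source": "Sysmon", "event_id": 10,
     "SourceImage": r"C:\Program Files\Windows Defender\MsMpEng.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1400"},
    # Security 4624 with LogonType 10 = interactive RDP logon
    {"ts": "2022-04-01T02:25:41", "host": "SRV-DC1", "source": "Security", "event_id": 4624,
     "LogonType": 10, "TargetUserName": "jdoe", "IpAddress": "10.0.5.14"},
    # Security 4688: WMIC used to start a process on a remote host
    {"ts": "2022-04-01T02:40:12", "host": "SRV-FS1", "source": "Security", "event_id": 4688,
     "NewProcessName": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": 'wmic /node:"SRV-FS2" process call create "cmd.exe /c \\\\SRV-FS1\\share\\x.exe"'},
    # System 7045: service installed; PSEXESVC is the PsExec default service name
    {"ts": "2022-04-01T02:41:03", "host": "SRV-FS2", "source": "System", "event_id": 7045,
     "ServiceName": "PSEXESVC", "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
    # Sysmon 17: named pipe created with a Cobalt Strike default SMB-beacon name
    {"ts": "2022-04-01T02:42:55", "host": "SRV-FS2", "source": "Sysmon", "event_id": 17,
     "Image": r"C:\Windows\Temp\svc.exe", "PipeName": r"\msagent_4a"},
    # Benign process creation that should not match anything
    {"ts": "2022-04-01T03:00:00", "host": "WS-09", "source": "Security", "event_id": 4688,
     "NewProcessName": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe"},
]

# Processes that legitimately open LSASS; an assumption here, tune for the environment.
LSASS_ALLOWLIST = {"msmpeng.exe", "csrss.exe", "wininit.exe", "services.exe"}

# Cobalt Strike default pipe names (msagent_, MSSE-###-server, postex_). Operators can
# rename them, so treat a match as one signal to correlate, not proof on its own.
CS_PIPE_PATTERNS = [
    re.compile(r"^\\msagent_[0-9a-f]+$", re.I),
    re.compile(r"^\\MSSE-\d+-server$", re.I),
    re.compile(r"^\\postex_[0-9a-f]+$", re.I),
]


def basename(path):
    """Lower-cased file name from a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev):
    """Return (tactic, detail) if the event matches a rule, else None."""
    src, eid = ev["source"], ev["event_id"]
    if src == "Sysmon" and eid == 10 and basename(ev.get("TargetImage", "")) == "lsass.exe":
        if basename(ev.get("SourceImage", "")) not in LSASS_ALLOWLIST:
            return ("credential-access",
                    f"LSASS opened by {ev['SourceImage']} (access {ev.get('GrantedAccess')})")
    if src == "Security" and eid == 4624 and ev.get("LogonType") == 10:
        return ("lateral-movement",
                f"RDP logon for {ev.get('TargetUserName')} from {ev.get('IpAddress')}")
    if eid == 4688 or (src == "Sysmon" and eid == 1):
        cmd = ev.get("CommandLine", "").lower()
        if "wmic" in cmd and "/node:" in cmd and "process call create" in cmd:
            return ("lateral-movement", "remote process creation via WMIC: " + ev["CommandLine"])
    if src == "System" and eid == 7045:
        if "psexesvc" in (ev.get("ServiceName", "") + ev.get("ImagePath", "")).lower():
            return ("lateral-movement", "PsExec service installed")
    if src == "Sysmon" and eid == 17:
        pipe = ev.get("PipeName", "")
        if any(p.match(pipe) for p in CS_PIPE_PATTERNS):
            return ("command-and-control", f"named pipe matching Cobalt Strike default: {pipe}")
    return None


def hunt(events):
    """Run every rule over the events and return matching hits in time order."""
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        match = classify(ev)
        if match:
            hits.append({"ts": ev["ts"], "host": ev["host"], "tactic": match[0], "detail": match[1]})
    return hits


def span_minutes(hits):
    """Minutes between the first and last hit: the window defenders had to react."""
    if len(hits) < 2:
        return 0.0
    first = datetime.fromisoformat(hits[0]["ts"])
    last = datetime.fromisoformat(hits[-1]["ts"])
    return (last - first).total_seconds() / 60


if __name__ == "__main__":
    results = hunt(SAMPLE_EVENTS)
    for hit in results:
        print(hit["ts"], hit["host"], hit["tactic"], "-", hit["detail"])
    print(f"{len(results)} suspicious events across {span_minutes(results):.1f} minutes")
```

On the constructed data the five true positives fall within about 33 minutes, which is the kind of window the dwell-time figures above describe; the allowlist and the Defender event show why a raw "anything touching LSASS" rule would drown the real hit in noise.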

In 2019, ransomware threat actors used the same tools, but to varying degrees.

(Source: IBM)

According to researchers, threat detection and response performance improved in 2021 compared to 2019; however, it was still not sufficient. Endpoint detection solutions, such as SpearTip's ShadowSpear Platform, are the most notable development in this area. Previously, only 8% of targeted companies possessed these capabilities; in 2021, the percentage grew to 36%. When it comes to security tool alerts, the data shows that in 2019, 42% of attacked companies received timely warnings. In 2021, companies were notified in 64% of network intrusion cases.

(Source: IBM)

Even though the numbers suggest that detection is improving, there’s still a significant gap that threat actors can exploit.

Despite the improvements in security, ransomware remains a substantial threat as actors focus more on highly targeted approaches, relying on manual intrusion to move within victims' networks and keeping a low profile until the attack's final stage, system encryption. According to a case study in April 2022, an IcedID malware infection led to Quantum ransomware deployment in just 3 hours and 44 minutes. This indicates that ransomware operators have improved their speed and that the encryption process is much faster. It is often difficult to stop ransomware once it has been launched before it does significant damage.

With ransomware groups significantly improving their attack tactics and techniques to reduce time to encryption, it is more critical than ever for companies to remain alert to the latest threat landscape and regularly update their network security infrastructure. At SpearTip, our certified engineers perform gap analyses to discover blind spots that can lead to significant compromises, and deliver critical recommendations by exposing vulnerabilities in software, people, and processes. Our penetration testing enhances your team's ability to remediate uncovered gaps and make your systems less vulnerable. We take extra effort to validate important findings and reduce false positives, providing your organization with accurate results and the high-level executive information leadership needs to eliminate risks to the environment. ShadowSpear threat hunting evaluates the effectiveness of companies' current security measures, including email systems, to determine the overall health of their environment and prevent breaches.

If your company is experiencing a breach, call our Security Operations Centers at 833.997.7327 to speak directly with an engineer.