
Ransomware Attacks are 20 Times Quicker Than 2019

Measured from initial network access to payload deployment, ransomware attacks in 2021 took an average of 92.5 hours. In 2020 ransomware actors spent an average of 230 hours completing their attacks, and in 2019 the average was 1637.6 hours.

This change reflects a more streamlined approach aimed at making large attacks more profitable. As cyber threat actors become more organised, their attacks will grow in speed and scale.

The increase in speed and organisation is a direct response to big improvements in incident response and threat detection: the longer an intruder dwells in a network, the more likely the intrusion is to be detected before the payload is deployed.

Previously, it took threat actors weeks, sometimes even months, to sell access to compromised networks. As they have matured, threat actors have taken control of more and more steps of the process themselves, for example Conti taking over the TrickBot operation earlier in the year.

The tools used are much the same as in 2019, with unsecured RDP continuing to be the most common lateral movement tool.

Clearly, quicker detection is important to stopping attacks before they complete, and the performance of threat detection systems has improved since 2019; however, it still isn't quite enough.

The most notable development in this area is endpoint detection solutions. In 2019, only 8% of targeted organisations had such a capability; in 2021, that figure grew to 36%.

Ransomware adversaries have become faster at what they do. In one case from April 2022, an IcedID malware infection led to Quantum ransomware deployment in just 3 hours and 44 minutes.

The main issue now is the encryption process itself. It is much quicker than it used to be, and once it has started it is often difficult to stop before significant damage is done. Defences therefore need to bite at the earlier stages, privileged credential abuse and lateral movement, rather than at the encryption stage.

The research above, conducted by IBM X-Force, found that five fundamental security controls can be implemented to disrupt the ransomware lifecycle:

  • Restrict and Implement MFA and PAM for Privileged Accounts

  • Prohibit Workstation Logon with Domain Admin Credentials

  • Restrict SMB/RDP/RPC for Internal Communication

  • Implement Managed Service Accounts

  • Restrict Software Execution on Domain Controllers and Secure Administrative Systems
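As an added illustration, and not code from the IBM X-Force report or from this article, the following PowerShell shows how three of the five controls look in practice on a Windows domain: creating a group Managed Service Account so that no static service password exists to steal, restricting inbound SMB/RDP/RPC on workstations to a small set of admin hosts, and auditing workstation logons by Domain Admin members from the Security log. The domain corp.example, the computer group SQL-Servers, the account svcSqlBackup and the admin host addresses are assumed placeholders; the cmdlets themselves are the standard ActiveDirectory and NetSecurity module cmdlets.

```powershell
# Added example (not from the IBM X-Force report): three of the five controls
# expressed as PowerShell. All names and addresses below are placeholders.
#Requires -Modules ActiveDirectory
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

# --- Control: Implement Managed Service Accounts (run once, as a Domain Admin) --
# A group Managed Service Account (gMSA) gets a long password that AD rotates
# automatically, so nothing reusable is typed into a service or left on a host.
# The KDS root key must exist once per forest before any gMSA can be created.
if (-not (Get-KdsRootKey)) {
    # -EffectiveImmediately still needs ~10 hours to replicate in a real forest.
    Add-KdsRootKey -EffectiveImmediately
}

# 'SQL-Servers' is an assumed computer group; only its members may fetch the password.
New-ADServiceAccount -Name 'svcSqlBackup' `
    -DNSHostName 'svcSqlBackup.corp.example' `
    -PrincipalsAllowedToRetrieveManagedPassword 'SQL-Servers$' `
    -KerberosEncryptionType AES256 `
    -Enabled $true
# On each member of SQL-Servers, install and verify without ever typing a password:
#   Install-ADServiceAccount -Identity 'svcSqlBackup'
#   Test-ADServiceAccount   -Identity 'svcSqlBackup'

# --- Control: Restrict SMB/RDP/RPC for internal communication (run on workstations) --
# Windows Firewall evaluates Block rules before Allow rules, so a "block from
# everyone, allow from admin hosts" pair would block the admin hosts too. The
# working pattern is: default-deny inbound, disable the built-in any-source
# allow rules, then allow the admin ports only from the admin hosts.
$AdminHosts = '10.10.50.10', '10.10.50.11'   # assumed PAW / jump-host addresses

Set-NetFirewallProfile -Profile Domain -DefaultInboundAction Block
Disable-NetFirewallRule -DisplayGroup 'File and Printer Sharing'   # built-in SMB allow
Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'             # built-in RDP allow

# 135 = RPC endpoint mapper, 445 = SMB, 3389 = RDP. Dynamic RPC ports are
# already covered by the default-deny action above.
New-NetFirewallRule -DisplayName 'Allow SMB/RDP/RPC from admin hosts only' `
    -Direction Inbound -Protocol TCP -LocalPort 135, 445, 3389 `
    -RemoteAddress $AdminHosts -Action Allow -Profile Domain

# --- Control: Prohibit workstation logon with Domain Admin credentials ----------
# Enforcement is a GPO on the workstation OU assigning "Deny log on locally" and
# "Deny log on through Remote Desktop Services" to Domain Admins. This function
# reports the logons that policy would have stopped on the local host.
function Find-DomainAdminWorkstationLogon {
    $domainAdmins = (Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
        Where-Object objectClass -eq 'user').SamAccountName

    # Event 4624 = successful logon; returns nothing rather than throwing if the log is empty.
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } `
        -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($field in $xml.Event.EventData.Data) { $data[$field.Name] = $field.'#text' }

        # LogonType 2 = interactive (console), 10 = RemoteInteractive (RDP)
        if ($data.LogonType -in @('2', '10') -and $domainAdmins -contains $data.TargetUserName) {
            [pscustomobject]@{
                Time      = $e.TimeCreated
                User      = $data.TargetUserName
                LogonType = $data.LogonType
                Source    = $data.IpAddress
            }
        }
    }
}

Find-DomainAdminWorkstationLogon | Format-Table -AutoSize
```

The gMSA section is run once from a host with the ActiveDirectory module and Domain Admin rights; the firewall section is the per-workstation setting and is normally pushed by GPO rather than run by hand. Pilot the default-deny profile on one OU first, because any monitoring or management agent that accepts inbound connections will need its own scoped Allow rule added alongside the admin-host rule.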

For more information, including detailed guidance on the five controls above, you can read IBM's full research article here.


