Speed Demons: Ransomware Attackers' Dwell Time Shrinks
Seeking Every Advantage, Most Ransomware Groups Attack Outside of Business Hours
Ransomware-wielding hackers are moving faster than ever to pull the trigger on malicious encryption - but they could be bumping up against the limits of how fast they can go, said security researchers from Sophos.
In the first half of 2023, the median dwell time for ransomware incidents fell from nine days to five days, the firm said in a report outlining trends over the first six months of the year. In contrast, the median dwell time for all non-ransomware incidents has risen slightly from 11 days to 13 days.
A likely reason why ransomware hackers are acting faster is pressure from improved endpoint detection, said Chester Wisniewski, field CTO, applied research at Sophos. "There was one attack that was 2 hours and 12 minutes from start to finish," he told Information Security Media Group.
Ransomware hackers who want to crypto-lock systems on a network must unleash their malware before defenders detect their intrusion and attempt to block it.
To shorten the interval between intrusion and encryption, ransomware groups continue to explore ways of moving faster, including intermittent encryption, which encrypts only portions of each file rather than its full contents, and encryption algorithms that run faster than typical workhorses such as AES. Even with such techniques, it's unlikely the bulk of ransomware-wielding hackers will be able to execute a double-extortion attack in less than five days, Wisniewski said.
"It takes a couple days in order to do the data exfiltration and set up the booby traps," he said. "I'm wondering if we've hit the peak efficiency from the criminals." Should median dwell time go down, "I suspect it's not going to decrease much from five days," he said.
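Intermittent encryption matters to defenders as well as to attackers' speed: a file whose contents are only partly encrypted no longer looks uniformly random, so a detector that scores the entropy of the whole file can miss it. The following added example (not code from Sophos or from this article) simulates intermittent encryption on an in-memory file and runs two detectors over the result, a naive whole-file entropy check and a chunk-by-chunk check. The SHA-256 counter-mode keystream is a stand-in for a real stream cipher, the 4 KiB chunk size, the 7.5 bits-per-byte threshold and the 25% chunk fraction are assumed tuning values, and the log text is constructed sample data.

```python
import hashlib
import math
from collections import Counter

CHUNK = 4096          # assumed analysis/encryption granularity in bytes
HIGH_ENTROPY = 7.5    # assumed threshold in bits per byte; 4 KiB of random bytes scores about 7.95


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, 8.0 for a uniform byte distribution)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream derived from SHA-256. This is a stand-in for a real
    stream cipher: only the statistical appearance of the output matters here."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_intermittent(plaintext: bytes, key: bytes, nonce: bytes,
                         every: int = 2, chunk: int = CHUNK) -> bytes:
    """XOR the keystream into every `every`-th chunk only (every=1 encrypts the
    whole input). Simulates intermittent encryption on in-memory data."""
    ks = keystream(key, nonce, len(plaintext))
    out = bytearray(plaintext)
    for start in range(0, len(plaintext), chunk):
        if (start // chunk) % every == 0:
            end = min(start + chunk, len(plaintext))
            out[start:end] = bytes(p ^ k for p, k in zip(plaintext[start:end], ks[start:end]))
    return bytes(out)


def whole_file_suspicious(data: bytes, threshold: float = HIGH_ENTROPY) -> bool:
    """Naive detector: a single entropy score for the whole file."""
    return shannon_entropy(data) >= threshold


def chunked_suspicious(data: bytes, threshold: float = HIGH_ENTROPY,
                       min_fraction: float = 0.25, chunk: int = CHUNK):
    """Chunked detector: flag the file when at least `min_fraction` of its chunks
    are individually high-entropy. Returns (verdict, high_chunks, total_chunks)."""
    chunks = [data[i:i + chunk] for i in range(0, len(data), chunk)]
    if not chunks:
        return False, 0, 0
    high = sum(1 for c in chunks if shannon_entropy(c) >= threshold)
    return high / len(chunks) >= min_fraction, high, len(chunks)


# Constructed sample: 64 KiB of repetitive, low-entropy log text.
SAMPLE_LINE = b"2023-06-12 09:14:02 INFO order-service accepted order id=48213 customer=acme total=129.90 EUR\n"


def sample_plaintext(size: int = 16 * CHUNK) -> bytes:
    return (SAMPLE_LINE * (size // len(SAMPLE_LINE) + 1))[:size]


def demo(every: int = 2) -> dict:
    """Run both detectors over clean, fully encrypted and intermittently encrypted
    copies of the sample; returns the verdicts keyed by case."""
    key, nonce = b"\x11" * 32, b"\x22" * 12   # fixed demo values, not real secrets
    pt = sample_plaintext()
    cases = {
        "plaintext": pt,
        "full": encrypt_intermittent(pt, key, nonce, every=1),
        "intermittent": encrypt_intermittent(pt, key, nonce, every=every),
    }
    return {name: {"whole_file": whole_file_suspicious(d),
                   "chunked": chunked_suspicious(d)[0],
                   "entropy": round(shannon_entropy(d), 2)}
            for name, d in cases.items()}


if __name__ == "__main__":
    for name, r in demo().items():
        print(f"{name:12s} entropy={r['entropy']:.2f} "
              f"whole_file={r['whole_file']} chunked={r['chunked']}")
```

Run as a script, the fully encrypted copy is caught by both detectors, while the copy with every second chunk encrypted sits well below the whole-file threshold and is caught only by the chunked detector. The trade-off is the usual one: a lower chunk fraction catches sparser intermittent encryption but raises false positives on files that legitimately contain compressed or encrypted sections.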
Attackers don't just use technology to their advantage; they also use time. In 81% of ransomware attacks, Sophos researchers found that hackers had launched their final payload outside of the victim's traditional working hours. Of those that deployed during business hours, only a handful happened on a weekday.
"The number of attacks detected increased as the week progressed, most notably when examining ransomware attacks," the researchers said. "Nearly half (43%) of ransomware attacks were detected on either Friday or Saturday." Hitting a target on weekends or holidays when staffing levels are likely low remains a favorite hacker technique, because it increases the chance of a successful strike.
Targeting Active Directory
Having an uninterrupted weekend to navigate an enterprise network may be all the time an attacker needs. Analyzing attackers' behavior and tools in aggregate for the first half of 2023, Sophos researchers found attackers took less than a day - only about 16 hours, on average - to work their way from initial compromise through to Microsoft Active Directory access.
Numerous organizations employ Active Directory to manage employees' identities and their access to resources. By compromising Active Directory, attackers can grant themselves domain-level privileges, after which they can simply log in to whichever systems they choose and carry out a wide variety of malicious activity.
From an offensive point of view, time is money, and hitting an organization's AD infrastructure makes sense, John Shier, a field CTO at Sophos, earlier told ISMG. Of all enterprise infrastructure, AD is typically the most powerful and privileged system of all, providing broad access to the systems, applications, resources and data that attackers need and want to exploit to reach their goal.
"When an attacker controls AD, they can control the organization. The impact, escalation and recovery overhead of an Active Directory attack is why it's targeted," Shier said.
Getting access to the AD server gives attackers multiple advantages, including the ability to linger undetected for longer while they plan their next moves. "Once they're ready to go, they can blast through a victim's network unimpeded," he said.
Also working in attackers' favor: most AD servers are protected only by Microsoft Defender, and some not at all, researchers found. Disabling Defender, and sometimes other security defenses as well, remains a favorite attacker tactic. Some of the most notorious ransomware strains now in existence, including LockBit 3.0, have Defender-disabling capabilities, the U.S. Cybersecurity and Infrastructure Security Agency warned earlier this year.
Sophos said it has seen a steady rise in attackers wielding this tactic.
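Two of the findings above, that Defender gets switched off before the payload runs and that the payload most often lands outside working hours, combine naturally into one detection rule. The following added example (not code from Sophos or from this article) triages events exported from the Microsoft-Windows-Windows Defender/Operational log: it keeps only the event IDs that indicate protection being disabled or reconfigured and raises the severity when the event falls outside business hours or on a Friday or Saturday. The event IDs are the ones Microsoft documents for that channel (confirm them against the builds in your estate), the working pattern of Monday to Friday 08:00 to 18:00 local time is an assumption, and the events, host names and timestamps are constructed sample data in the shape of a Get-WinEvent | ConvertTo-Json export.

```python
from datetime import datetime, time, timedelta, timezone

# Microsoft-Windows-Windows Defender/Operational event IDs that indicate protection
# being switched off or reconfigured (documented IDs; verify against your builds).
DEFENDER_TAMPER_EVENTS = {
    5001: "real-time protection disabled",
    5010: "malware scanning disabled",
    5012: "virus scanning disabled",
    5007: "configuration changed",
}

# Assumed working pattern: Monday to Friday, 08:00-18:00 local time.
WORK_START, WORK_END = time(8, 0), time(18, 0)

# Constructed sample export (times in UTC); 1116 is a detection event, not tampering.
SAMPLE_EVENTS = [
    {"TimeCreated": "2023-06-09T23:41:17Z", "Id": 5001, "MachineName": "DC01",
     "ProviderName": "Microsoft-Windows-Windows Defender"},
    {"TimeCreated": "2023-06-10T02:12:03Z", "Id": 5010, "MachineName": "FS02",
     "ProviderName": "Microsoft-Windows-Windows Defender"},
    {"TimeCreated": "2023-06-12T09:30:00Z", "Id": 1116, "MachineName": "WS117",
     "ProviderName": "Microsoft-Windows-Windows Defender"},
    {"TimeCreated": "2023-06-13T13:05:44Z", "Id": 5007, "MachineName": "DC01",
     "ProviderName": "Microsoft-Windows-Windows Defender"},
]


def parse_utc(stamp: str) -> datetime:
    """Parse the ISO-8601 UTC timestamp used in the sample export."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def timing(ts: datetime, local_tz) -> dict:
    """Classify an instant against the assumed working pattern in the local zone."""
    local = ts.astimezone(local_tz)
    weekday = local.weekday()  # Monday == 0
    in_hours = weekday < 5 and WORK_START <= local.time() < WORK_END
    return {"local": local.isoformat(), "off_hours": not in_hours, "fri_sat": weekday in (4, 5)}


def triage(events, local_tz=timezone.utc):
    """Return one alert per tampering event; off-hours tampering is escalated to critical."""
    alerts = []
    for ev in events:
        label = DEFENDER_TAMPER_EVENTS.get(ev["Id"])
        if label is None:
            continue  # detections, scans and the like are not tampering indicators
        when = timing(parse_utc(ev["TimeCreated"]), local_tz)
        severity = "critical" if when["off_hours"] else "high"
        alerts.append({"host": ev["MachineName"], "id": ev["Id"], "what": label,
                       "severity": severity, **when})
    return alerts


if __name__ == "__main__":
    # A fixed UTC+2 offset stands in for a zoneinfo zone so the sample runs without tzdata;
    # in production pass zoneinfo.ZoneInfo("Europe/Berlin") or your site's zone instead.
    for alert in triage(SAMPLE_EVENTS, timezone(timedelta(hours=2), "CEST")):
        print(alert)
```

In the sample, the two events that land early on a Saturday morning local time come out as critical, the configuration change on a Tuesday afternoon as high, and the detection event is dropped. On the host itself, Get-MpComputerStatus reports whether real-time protection and tamper protection are currently enabled, which is the complementary point-in-time check to this log-based one.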
With reporting from ISMG's David Perera in Washington, D.C.