Ransomware is deployed faster as cybercriminals seek to avoid detection
Ransomware is being deployed within one day of initial access in more than 50 percent of engagements, according to research from Secureworks Counter Threat Unit.
In the last 12 months the median dwell time identified in the annual Secureworks State of the Threat Report has fallen from 4.5 days to less than one day. In 10 percent of cases, ransomware was even deployed within five hours of initial access.
"The driver for the reduction in median dwell time is likely due to the cybercriminals' desire for a lower chance of detection. The cybersecurity industry has become much more adept at detecting activity that is a precursor to ransomware. As a result, threat actors are focusing on simpler and quicker to implement operations, rather than big, multi-site enterprise-wide encryption events that are significantly more complex. But the risk from those attacks is still high," says Don Smith, VP threat intelligence at Secureworks Counter Threat Unit.
Among other findings, while familiar names like GOLD MYSTIC (LockBit), GOLD BLAZER (BlackCat/ALPV), and GOLD TAHOE (Cl0p) still dominate the ransomware landscape, new groups are emerging and listing significant victim counts on 'name and shame' leak sites. The past four months covered by the report have been the most prolific for victim numbers since name-and-shame attacks began in 2019.
The three largest initial access vectors (IAV) observed in ransomware engagements where customers engaged Secureworks incident responders are, scan-and-exploit (32 percent), stolen credentials (32 percent) and commodity malware via phishing emails (14 percent).
"Despite much hype around ChatGPT and AI style attacks, the two highest profile attacks of 2023 thus far were the result of unpatched infrastructure. At the end of the day, cybercriminals are reaping the rewards from tried and tested methods of attack, so organizations must focus on protecting themselves with basic cyber hygiene and not get caught up in hype," Smith adds.
Exploitation of known vulnerabilities from 2022 and earlier continues too and accounted for more than half of the most exploited vulnerabilities during the report period.
The full report including details of evolving nation state attacks and more is available from the Secureworks site.