Spot the spread of ransomware before it's activated
In the vast majority of the dozens of ransomware attacks that researchers at cybersecurity firm FireEye examined between 2017 and 2019, the ransomware was deployed at least three days after the organization's network was first infiltrated, and in some cases post-compromise deployment took as long as 299 days.
In 75% of the incidents, the researchers found, the attackers delayed encrypting their victims' systems and used that time to steal Domain Admin credentials, which they later used to distribute the ransomware payloads throughout the compromised environment.
More recently, ransomware operators have also started harvesting and exfiltrating their victims' data, later using it as leverage to make them pay the ransom under the threat of leaking the stolen information.
While in most of the analyzed incidents the post-compromise malicious activity the researchers observed was extensive and could take weeks, the operators behind GandCrab and GlobeImposter were much faster, executing their payloads immediately after the initial infiltration.
Enough time for defense in 75% of incidents
Since in 75% of the ransomware incidents FireEye investigated the operators deployed their payloads only after at least three days, organizations would have enough time to defend themselves if they applied appropriate mitigations.
“This pattern suggests that for many organizations, if initial infections are detected, contained, and remediated quickly, the significant damage and cost associated with a ransomware infection could be avoided,” the report says.
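The window the report describes is visible in authentication telemetry: before the payload runs, a single stolen privileged credential is pushed to many hosts in a short burst, typically followed by remote-execution tooling installing services on those hosts. The detector below is an added example, not FireEye's code or data. It reads a constructed, simplified CSV export (columns: timestamp, event_id, logon_type, account, host, source_ip); the Windows event IDs 4624 (successful logon, logon type 3 = network) and 7045 (a service was installed) are real, but the thresholds, account names and every log line are assumptions made for the illustration.

```python
"""
Flag the fan-out that precedes enterprise-wide ransomware deployment: one
account authenticating over the network to many hosts inside a short window,
and service installs landing on those hosts right afterwards.

Added example (not FireEye's code or data). Input is a constructed CSV with
    timestamp,event_id,logon_type,account,host,source_ip
Event IDs 4624 (successful logon; type 3 = network) and 7045 (service
installed) are the real Windows IDs; thresholds and log lines are assumed.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Event:
    ts: datetime
    event_id: int
    logon_type: Optional[int]
    account: str
    host: str
    src_ip: str


@dataclass
class Alert:
    account: str
    first: datetime
    last: datetime
    hosts: List[str]
    sources: List[str]
    services: List[Tuple[str, datetime]] = field(default_factory=list)  # 7045 hits


def parse_line(line: str) -> Event:
    ts, eid, ltype, account, host, src = line.strip().split(",")
    return Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), int(eid),
                 int(ltype) if ltype else None, account.lower(), host.lower(), src)


def detect_fan_out(events, window=timedelta(minutes=10), threshold=5) -> List[Alert]:
    """One alert per account whose network logons reach >= `threshold` distinct
    hosts inside a sliding `window`. Once triggered, the burst is extended while
    successive logons stay within `window` of each other, so the alert lists
    every host the credential reached, not just the first few."""
    by_account = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        if e.event_id == 4624 and e.logon_type == 3:
            by_account[e.account].append(e)
    alerts = []
    for account, evs in by_account.items():
        start = end = 0
        while end < len(evs):
            while evs[end].ts - evs[start].ts > window:  # slide window start forward
                start += 1
            if len({x.host for x in evs[start:end + 1]}) >= threshold:
                while end + 1 < len(evs) and evs[end + 1].ts - evs[end].ts <= window:
                    end += 1
                burst = evs[start:end + 1]
                alerts.append(Alert(account, burst[0].ts, burst[-1].ts,
                                    sorted({x.host for x in burst}),
                                    sorted({x.src_ip for x in burst})))
                break  # one alert per account is enough for triage
            end += 1
    return alerts


def link_service_installs(events, alerts, grace=timedelta(minutes=15)) -> List[Alert]:
    """Attach 7045 service installs on an alerted host that fall between the start
    of the burst and `grace` after its end; remote-exec tooling and payload
    staging show up this way."""
    for a in alerts:
        for e in events:
            if e.event_id == 7045 and e.host in a.hosts and a.first <= e.ts <= a.last + grace:
                a.services.append((e.host, e.ts))
        a.services.sort(key=lambda s: s[1])
    return alerts


# Constructed sample: normal user activity, one unrelated service install on
# ws-09, then the adm-svc credential hitting six workstations in 3.5 minutes.
SAMPLE_LOG = """\
2020-03-02T09:00:00Z,7045,,system,ws-09,-
2020-03-02T09:58:10Z,4624,2,alice,ws-01,-
2020-03-02T10:01:30Z,4624,3,alice,fs-01,10.0.1.15
2020-03-02T10:05:00Z,4624,3,bob,fs-01,10.0.1.22
2020-03-02T10:30:00Z,4624,3,adm-svc,ws-01,10.0.5.23
2020-03-02T10:30:40Z,4624,3,adm-svc,ws-02,10.0.5.23
2020-03-02T10:31:10Z,7045,,system,ws-01,-
2020-03-02T10:31:20Z,4624,3,adm-svc,ws-03,10.0.5.23
2020-03-02T10:32:00Z,4624,3,adm-svc,ws-04,10.0.5.23
2020-03-02T10:32:30Z,7045,,system,ws-02,-
2020-03-02T10:32:45Z,4624,3,adm-svc,ws-05,10.0.5.23
2020-03-02T10:33:30Z,4624,3,adm-svc,ws-06,10.0.5.23
2020-03-02T11:00:00Z,4624,3,bob,print-01,10.0.1.22
"""


def analyze(log_text: str = SAMPLE_LOG) -> List[Alert]:
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    return link_service_installs(events, detect_fan_out(events))


if __name__ == "__main__":
    for a in analyze():
        print(f"{a.account}: {len(a.hosts)} hosts in {a.last - a.first} from {a.sources}; "
              f"{len(a.services)} service installs on those hosts")
```

Tune `threshold` and `window` to the environment: backup and patch-management accounts legitimately fan out, so baseline them or exclude them explicitly rather than raising the threshold for everyone, since the attacker's stolen credential is usually a real admin account that already has a baseline.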