The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Ransomware Groups are Accelerating Their Attacks with Dwell Time Falling to Just 5 Days

Posted By on Aug 28, 2023

Ransomware groups have accelerated their attacks and are now spending less time inside victims’ networks before triggering file encryption, according to the 2023 Active Adversary Report from Sophos. The data for the report came from the first 6 months of 2023 and was gathered and analyzed by the Sophos X-Ops team.

The median dwell time for ransomware groups fell from 9 days to 5 days in the first half of 2023, which the researchers believe is close to the limit of what is possible for hackers. They do not expect the median dwell time to fall below 5 days due to the time it typically takes for the hackers to achieve their objectives. On average, it took 16 hours from initial access for attackers to gain access to Microsoft Active Directory and escalate privileges to allow broad access to internal systems. The majority of ransomware groups do not rely on encryption alone and also exfiltrate data so they can apply pressure to get victims to pay up. Oftentimes, backups of data exist so recovery is possible without paying the ransom, but if there is a threat of data exposure, ransoms are often paid. On average, it takes around 2 days for ransomware gangs to exfiltrate data.

The reduction in dwell time is understandable. The longer hackers remain in networks, the greater the probability that their presence will be detected, especially since intrusion detection systems are getting better at detecting intrusions and malicious activity. One of the ways ransomware groups have accelerated their attacks is by opting for intermittent encryption, where only parts of files are encrypted. The encryption process is far quicker, which means there is less time to detect and stop an attack in progress, but the encryption is still sufficient to prevent access to files.

Ransomware gangs often time their attacks to reduce the risk of detection. In 81% of attacks analyzed by the researchers, the encryption process was triggered outside normal business hours such as at the weekend or during holidays when staffing levels are lower. 43% of ransomware attacks were detected on a Friday or Saturday. While the dwell time for ransomware actors has reduced, there was a slight increase in the dwell time for non-ransomware incidents, which increased from an average of 11 days to 13 days in H1 2023.

Get The FREE
HIPAA Compliance Checklist

Immediate Delivery of Checklist Link To Your Email Address

Please Enter Correct Email Address

Your Privacy Respected

HIPAA Journal Privacy Policy

In many cyberattacks, a vulnerability was exploited that allowed hackers to use a remote service for initial access, such as vulnerabilities in firewalls or VPN gateways. The exploitation of vulnerabilities in public-facing applications has been the leading root cause of attacks for some time followed by external remote services; however, in H1, 2023, these were reversed and compromised credentials were the root cause in 50% of attacks, with vulnerability exploitation the root cause of 23% of attacks.

Compromised credentials make attacks easy for hackers especially when there is no multi-factor authentication. Implementing and enforcing phishing-resistant MFA should be a priority for all organizations, but the researchers found that in 39% of cases investigated, MFA was not configured. Prompt patching should also be a goal as this reduces the window of opportunity for hackers. The researchers suggest following CISA’s timeline for patching in its Binding Operational Directive 19-02 of 15 days for critical vulnerabilities and 30 days for high-severity vulnerabilities as it will force attackers into a narrower set of techniques by removing the low-hanging fruit.

Previous reports have highlighted the extent to which Remote Desktop Protocol (RDP) is abused. in H1, 2023, RDP was used in 95% of attacks, up from 88% in 2022. In 77% of attacks involving RDP, the tool was used for internal access and lateral movement, up from 65% in 2022. Only 1% of attacks involved RDP for external access. Due to the extent to which RDP is abused, securing RDP should be a priority for security teams. If attackers are forced to break MFA or import their own tools for lateral movement, it will cause attackers to expend more time and effort, which provides defenders with more time to detect intrusions and increases the probability of malicious activity being detected.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist