Fast Ransomware: One Day to Infection, Report Says

CEO: MOVEit customers ‘happy’ with company’s response to hack

Ransomware is being deployed within one day of initial network access in more than 50% of cyberattacks, Secureworks said in a new report.

According to the security provider’s State of the Threat Report, dwell time has tumbled from 4.5 days to less than one day. Dwell time is the amount of time a cyber actor has access to an infected system before a threat is detected. In 10% of cases, ransomware was released within five hours of initial access, the data showed.

Those findings indicate both the determination of cyber defenders to detect network activity ahead of an infection, and that of cyber criminals to adapt to avoid detection, according to SecureWorks.

"The driver for the reduction in median dwell time is likely due to the cybercriminals' desire for a lower chance of detection,” said Don Smith, Secureworks counter threat unit vice president of threat intelligence. “The cybersecurity industry has become much more adept at detecting activity that is a precursor to ransomware. As a result, threat actors are focusing on simpler and quicker to implement operations rather than big, multi-site enterprise-wide encryption events that are significantly more complex. But the risk from those attacks is still high.”

Secureworks Spots New Ransomware Groups

Here are the top line findings from the report:

  • While some familiar names including GOLD MYSTIC (LockBit), GOLD BLAZER (BlackCat/ALPV), and GOLD TAHOE (Cl0p) still dominate the ransomware landscape, new groups are emerging and listing significant victim counts on "name and shame" leak sites.
  • The past four months of this reporting period have been the most prolific for victim numbers since name-and-shame attacks started in 2019.
  • The three largest initial access vectors observed in ransomware engagements where customers engaged Secureworks incident responders were scan-and-exploit, stolen credentials, and commodity malware via phishing emails.
  • Exploitation of known vulnerabilities from 2022 and earlier continued and accounted for more than half of the most exploited vulnerabilities during the report period.

LockBit, BlackCat Top the Most Active List

Here’s more detail on most active ransomware groups:

  • GOLD MYSTIC's LockBit remains the head of the pack in terms of the number of victims, with three times as many as the next most active group, BlackCat, operated by GOLD BLAZER.
  • New schemes have also emerged and posted numerous victims. MalasLocker, 8BASE and Akira (which ranked at number 14) are all newcomers that made an impact from Q2 2023.
  • 8BASE listed nearly 40 victims on its leak site in June 2023, only slightly fewer than LockBit.
  • Some of the victims go back as far as mid 2022, although they were dumped at the same time.
  • MalasLocker's attack on Zimbra servers from the end of April 2023 accounted for 171 victims on its leak site in May.
  • Victim numbers per month from April-July 2023 were the most since name and shame emerged in 2019.

"Despite much hype around ChatGPT and AI-style attacks, the two highest profile attacks of 2023 thus far were the result of unpatched infrastructure,” said Smith. “At the end of the day, cybercriminals are reaping the rewards from tried and tested methods of attack, so organizations must focus on protecting themselves with basic cyber hygiene and not get caught up in hype.”

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.