Ransomware Attackers Reduce Dwell Time to 5 Days, RDP Still Prevalent

The period during which ransomware threat actors remain undetected within compromised networks has shortened significantly, with the median dwell time dropping from nine days in 2022 to just five days in the first half of this year.

According to data from cybersecurity firm Sophos, the overall median dwell time for all cyberattacks was eight days in the first half of the year, down from ten days in 2022.

Sophos highlights that ransomware attacks constituted 68.75% of all cyberattacks documented by the company in the current year.

Interestingly, the median dwell time for non-ransomware incidents increased from 11 to 13 days in the same period. This suggests that while ransomware threat actors move swiftly, other cybercriminals engaged in network intrusions tend to linger, awaiting favorable opportunities.

Across all cases, the average dwell time stands at 15 to 16 days, with the longest observed dwell time this year exceeding three months.

Sophos’ observations reveal data exfiltration in 43.42% of cases, marking a 1.3% increase from the previous year.

Data theft appears to be growing more common: the share of cases in which no exfiltration was observed fell to 31.58% in the first half of 2023 from 42.76% in 2022. The trend is reinforced by an uptick in incidents where responders could positively confirm that no data was exfiltrated, from 1.32% to 9.21%, which suggests the drop reflects better visibility rather than a change in how Sophos counts.

The days and times of attacks are also telling. Threat actors, ransomware operators included, tend to be most active on Tuesdays, Wednesdays, and Thursdays, often late in the local working day. The timing exploits the period when IT staff are winding down and least likely to notice an intrusion or its progress across the network.

Ransomware deployment itself, however, clusters on Fridays and Saturdays, when organizations respond more slowly because technical staff are harder to reach.

One of the most exploited tools remains the remote desktop protocol (RDP), a feature embedded in most Windows versions. Sophos explains, “Combined with the fact that the use of compromised credentials is rampant, and that single-factor authentication is the norm, it’s no mystery why attackers love it.”

Sophos observed RDP in 95% of the intrusions it investigated. Attackers used it mainly for internal activity, moving between hosts already inside the network, in 93% of cases, and for external access from the internet in only 18% of cases; the figures overlap because many intrusions involved both.

Given these trends, Sophos underscores the importance of prioritizing RDP security. Denying attackers this form of access, in particular from the internet, forces them to invest more time and effort in the intrusion, which in turn raises the chances of detection.
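The following Python script is an added example, not code from Sophos or from this article, and it illustrates both the RDP findings above and the log-review advice that follows. It triages Windows logon events for the three patterns the figures describe: RDP logons (Windows LogonType 10, the real code for RemoteInteractive logons) from outside the internal address space, logons outside business hours, and logons on Fridays and Saturdays. The sample events, their field names, the internal address ranges and the business-hours window are all assumptions constructed for this example and should be replaced with the real environment's values.

```python
"""Triage Windows RDP logons for external sources, after-hours and Fri/Sat activity.

Added example; not from the Sophos report. All sample data below is constructed.
"""
from datetime import datetime
import ipaddress

# Constructed sample events in the shape of Windows Security event 4624 (successful
# logon). Field names are this example's own; logon_type 10 is the genuine Windows
# value for RemoteInteractive (RDP) logons, 2 is an interactive console logon.
SAMPLE_EVENTS = [
    {"time": "2023-06-13T14:05:00", "user": "j.doe",      "logon_type": 10, "src_ip": "10.0.4.22",     "host": "FS01"},
    {"time": "2023-06-14T22:40:00", "user": "svc_backup", "logon_type": 10, "src_ip": "10.0.9.8",      "host": "DC01"},
    {"time": "2023-06-16T23:15:00", "user": "admin",      "logon_type": 10, "src_ip": "203.0.113.45",  "host": "JUMP01"},
    {"time": "2023-06-17T02:30:00", "user": "admin",      "logon_type": 10, "src_ip": "10.0.9.8",      "host": "FS01"},
    {"time": "2023-06-15T09:00:00", "user": "j.doe",      "logon_type": 2,  "src_ip": "-",             "host": "WS17"},
]

RDP_LOGON_TYPE = 10
# Assumed corporate address space (RFC 1918); replace with the real estate's ranges.
# Checked explicitly rather than via ipaddress.is_private, which also matches
# documentation ranges such as 203.0.113.0/24 and would misclassify the sample.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
WORK_START, WORK_END = 8, 18   # assumed local business hours, 24h clock
RISKY_WEEKDAYS = {4, 5}        # Friday and Saturday (datetime.weekday(): Monday == 0)


def is_internal(src_ip: str) -> bool:
    """True if the source address falls inside the assumed internal ranges."""
    try:
        addr = ipaddress.ip_address(src_ip)
    except ValueError:          # "-" or empty source on console/local logons
        return False
    return any(addr in net for net in INTERNAL_NETS)


def flag_rdp_logon(event: dict):
    """Return the list of reasons an RDP logon deserves a look (empty if none),
    or None when the event is not an RDP logon at all."""
    if event["logon_type"] != RDP_LOGON_TYPE:
        return None
    ts = datetime.fromisoformat(event["time"])
    reasons = []
    if not is_internal(event["src_ip"]):
        reasons.append("external_source")
    if ts.hour < WORK_START or ts.hour >= WORK_END:
        reasons.append("after_hours")
    if ts.weekday() in RISKY_WEEKDAYS:
        reasons.append("friday_saturday")
    return reasons


def triage(events):
    """Split RDP logons into internal/external counts and a list of flagged events."""
    flagged = []
    summary = {"rdp_total": 0, "internal": 0, "external": 0}
    for ev in events:
        reasons = flag_rdp_logon(ev)
        if reasons is None:
            continue
        summary["rdp_total"] += 1
        summary["internal" if is_internal(ev["src_ip"]) else "external"] += 1
        if reasons:
            flagged.append({**ev, "reasons": reasons})
    return flagged, summary


if __name__ == "__main__":
    flagged, summary = triage(SAMPLE_EVENTS)
    print(summary)
    for f in flagged:
        print(f["time"], f["user"], f["host"], f["src_ip"], ", ".join(f["reasons"]))
```

On the constructed sample the script counts four RDP logons, three internal and one external, and flags three of them: an internal after-hours logon on a Wednesday night, an external logon late on a Friday, and an internal logon in the small hours of Saturday. In a real deployment the events would come from the Security log (for example via `Get-WinEvent` or a SIEM export) and the flagged list would feed the routine review the article goes on to recommend.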

Retaining logs and telemetry for a reasonable period, and reviewing them regularly, is just as important: it lets defenders spot threat actors already on the network before they reach the final stages of an attack.

That retained data also gives defenders and incident responders a fuller picture of what the intruder did, which actions are needed to contain them, and how to mitigate the incident quickly.