October 3, 2023

Ransomware groups are moving faster than ever to pull the trigger on malicious encryption, but they could be bumping up against the limits of how much faster they can go.

During the first half of 2023, the median dwell time for ransomware incidents fell from nine days to five days, while the median dwell time for all non-ransomware incidents rose slightly, from 11 days to 13 days.

A likely reason ransomware hackers are acting faster is pressure from improved endpoint detection. Attackers who want to encrypt systems on a network have to gain the ability to unleash their ransomware before defenders detect the intrusion and attempt to block it.

To shorten the time needed to move from intrusion to encryption, ransomware groups continue to explore tactics for moving more quickly, including intermittent encryption, which encrypts only parts of each file, and encryption algorithms that run faster than typical workhorses such as AES.


In 81% of ransomware attacks, researchers found that hackers had launched their final payload outside of the victim’s traditional working hours. Of those that deployed during business hours, only a handful happened on a weekday. Having an uninterrupted weekend to navigate an enterprise network may be all the time an attacker needs.

By analyzing attackers' behavior and tools in aggregate for the first half of 2023, researchers found that attackers took less than a day – only about 16 hours, on average – to work their way from initial compromise through to Microsoft Active Directory access.

Active Directory is the heart of the organization: it manages employees' identities and their access to resources. By gaining access to Active Directory, attackers can escalate their own privileges to the system level, allowing them to simply log in to the systems they want and unleash a wide variety of malicious activity.


Getting access to the AD server gives attackers multiple advantages, including the ability to linger undetected for longer while they plan their next moves and, once ready, a position from which to launch their attack.

Most AD servers are protected only by Microsoft Defender, and sometimes not at all. Disabling Defender, and sometimes other security defenses as well, remains a favorite attacker tactic. Some of the most notorious ransomware strains now in existence, including LockBit 3.0, have Defender-disabling capabilities, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned earlier this year.
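Both of the report's observations above, that final payloads are mostly launched outside working hours and that disabling Defender is a favorite tactic, translate directly into something a defender can watch for. The following script is an added example, not code from the report or from this post: it triages constructed log lines modelled on the Microsoft-Windows-Windows Defender/Operational event channel, picks out events that indicate a protection component was switched off, and rates them higher when they land on a weekend or outside an assumed 08:00-18:00 working window. Event IDs 5001, 5010 and 5012 are the real Defender IDs for those conditions; the hostnames, timestamps, message text and the working-hours window are assumptions made for this demonstration.

```python
"""Triage Microsoft Defender operational events for protection-disabled actions.

Added example, not code from the report or the original post. Event IDs 5001,
5010 and 5012 are real IDs from the Microsoft-Windows-Windows Defender/Operational
channel; the log lines, hosts, timestamps and the 08:00-18:00 working-hours
window are constructed assumptions for this demonstration.
"""
from datetime import datetime

# Defender event IDs that indicate a protection component was turned off.
PROTECTION_DISABLED = {
    5001: "real-time protection disabled",
    5010: "malware scanning disabled",
    5012: "virus scanning disabled",
}

# Assumed local working hours (Monday-Friday, 08:00-18:00); tune to the organisation.
BUSINESS_START_HOUR = 8
BUSINESS_END_HOUR = 18

# Constructed sample lines in the form "<ISO timestamp> <event ID> <host> <message>".
SAMPLE_EVENTS = [
    "2023-06-10T02:14:07 5001 DC01 Real-time protection is disabled.",
    "2023-06-10T02:14:09 5010 DC01 Scanning for malware and other potentially unwanted software is disabled.",
    "2023-06-12T10:30:00 5007 WS17 Windows Defender configuration has changed.",
    "2023-06-13T14:05:22 1116 WS02 Windows Defender has detected malware or other potentially unwanted software.",
    "2023-06-14T11:02:45 5001 WS09 Real-time protection is disabled.",
    "2023-06-17T23:48:51 5012 FS01 Scanning for viruses is disabled.",
    "this line is malformed and should be skipped",
]


def parse_event(line):
    """Parse one log line into a dict, or return None if the line is malformed."""
    parts = line.split(" ", 3)
    if len(parts) != 4:
        return None
    ts, event_id, host, message = parts
    try:
        return {
            "time": datetime.fromisoformat(ts),
            "id": int(event_id),
            "host": host,
            "message": message,
        }
    except ValueError:
        return None


def outside_working_hours(when):
    """True on weekends or outside the assumed business-hours window."""
    if when.weekday() >= 5:  # Saturday=5, Sunday=6
        return True
    return not (BUSINESS_START_HOUR <= when.hour < BUSINESS_END_HOUR)


def triage(lines):
    """Return one alert per protection-disabled event, rated by timing.

    Off-hours disabling of Defender matches the timing pattern the report
    describes, so it is rated high; the same event during business hours may be
    a sanctioned maintenance window and is rated medium for a human to confirm.
    """
    alerts = []
    for line in lines:
        event = parse_event(line)
        if event is None or event["id"] not in PROTECTION_DISABLED:
            continue
        off_hours = outside_working_hours(event["time"])
        alerts.append({
            "host": event["host"],
            "time": event["time"].isoformat(),
            "reason": PROTECTION_DISABLED[event["id"]],
            "off_hours": off_hours,
            "severity": "high" if off_hours else "medium",
        })
    return alerts


def hosts_by_disable_count(alerts):
    """Count protection-disabled events per host so repeat offenders float to the top."""
    counts = {}
    for alert in alerts:
        counts[alert["host"]] = counts.get(alert["host"], 0) + 1
    return dict(sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])))


if __name__ == "__main__":
    found = triage(SAMPLE_EVENTS)
    for alert in found:
        print(f"[{alert['severity']:6}] {alert['time']} {alert['host']}: {alert['reason']}")
    print(hosts_by_disable_count(found))
```

On the sample data the two DC01 events at 02:14 on a Saturday and the FS01 event late on a Saturday night come out as high, while the WS09 event on a Wednesday morning is only medium. In practice the lines would come from the Defender operational channel via your log pipeline, and the per-host count is the quickest way to notice that a domain controller has had several protection components switched off in a short window.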

The recommendation is to stay vigilant, make sure defense in depth is strong enough, and have effective monitoring in place.
