Ransomware gets deployed three days after an organization’s network gets infiltrated in the vast majority of attacks, with post-compromise deployment taking as long as 299 days in some of the dozens of attacks researchers at cybersecurity firm FireEye examined between 2017 and 2019.
In 75% of all ransomware incidents, as they found, the attackers will delay encrypting their victims’ systems and will use that time to steal Domain Admin credentials that they can later use to distribute the ransomware payloads throughout the compromised environment.
More recently, ransomware operators have also started to harvest and exfiltrate their victims’ data, later using it as leverage to make them pay the ransoms under the threat of leaking the stolen information.
While in most of the analyzed incidents the researchers observed post-compromise malicious activity was extensive and could take weeks, the ransomware operators behind GandCrab and GlobeImposter were a lot faster executing the payloads immediately after the initial infiltration event.
Enough time for defense in 75% of incidents
Since ransomware operators deploy their payloads after at least three days during 75% of all ransomware incidents FireEye investigated, organizations would have enough time to defend themselves if using appropriate mitigations.
“This pattern suggests that for many organizations, if initial infections are detected, contained, and remediated quickly, the significant damage and cost associated with a ransomware infection could be avoided,” the report says.
“In fact, in a handful of cases, Mandiant incident responders and FireEye Managed Defense contained and remediated malicious activity, likely preventing ransomware deployment.”
During some of the successfully thwarted attacks, subsequent investigations resulted in the discovery of ransomware payloads already having been dropped but not executed on some of a victim’s systems.
To infiltrate their victims’ networks, ransomware gangs have several favorite methods using RDP (LockerGoga), phishing emails with malicious links or attachments (Ryuk), and drive-by malware downloads (Bitpaymer and DoppelPaymer) as initial infection vectors.
“RDP was more frequently observed in 2017 and declined in 2018 and 2019,” the report reads. “These vectors demonstrate that ransomware can enter victim environments by a variety of means, not all of which require user interaction.”
After hours deployment during most attacks
As the FireEye research team also found, the ransomware was used to encrypt the victims’ systems after work hours in roughly 76% of all examined attacks, “on a weekend or before 8:00 a.m. or after 6:00 p.m. on a weekday” according to the target’s work week calendar.
This tactic allows the attackers to avoid having their actions noticed by the targeted organization’s security team until it is too late and to make sure that the incident responders will not be able to take all the measures needed to stop the attack as during their work hours.
“In other cases, attackers linked ransomware deployment to user actions,” FireEye found. “For example, in 2019 incidents at retail and professional services firms, attackers created an Active Directory Group Policy Object to trigger ransomware execution based on user log on and log off.”
To successfully defend against ransomware attacks, FireEye recommends addressing the infection vectors by enforcing multi-factor authentication, performing regular security audits, and using security solutions and email systems capable of detecting malware strains such as Trickbot, Emotet, and Dridex known for dropping ransomware payloads in multi-stage attacks.
Implementing security best practices like regular anti-phishing training, network segmentation, regular backups, restrict Local Administrators and use unique passwords for each of them, as well as ransomware infection cyber insurance could also help mitigate the effects of a ransomware infection.
“The good news is that particularly with post-compromise infections, there is often a window of time between the first malicious action and ransomware deployment,” FireEye concluded.
“If network defenders can detect and remediate the initial compromise quickly, it is possible to avoid the significant damage and cost of a ransomware infection.”