Cybercrime gangs now deploying ransomware within 24 hours of hacking victims

Cybercriminals are now deploying ransomware within the first day of initially compromising their targets, a dramatic drop on the 4.5 days that the task had been taking last year, according to a new threat report.

Cybersecurity company Secureworks warns that “2023 may be the most prolific year for ransomware attacks to date” with three times as many victims listed on leak sites in May this year as there were in the same month a year ago.

Leak sites are a poor metric for assessing the size of the ransomware problem, the company’s report notes, pointing out that the leak site for Hive — which was disrupted by law enforcement earlier this year — listed only around 10% of the total victims law enforcement knew about.

Read more: Knocking down Hive: How the FBI ran its own ransomware decryption operation

“Leak site data should therefore be used with caution. In aggregate though it is clear from the continued activity that ransomware and data-theft extortion remain a viable criminal business model and a substantial threat to businesses,” the report states.

Secureworks said that in more than 50% of its incident response engagements, the hackers had managed to execute their malware within just 24 hours of breaking into the victim’s computer network.

The median dwell time has plummeted from 4.5 days last year, and in 10% of cases its team saw ransomware deployed within just five hours of initial access.

“The driver for the reduction in median dwell time is likely due to the cybercriminals’ desire for a lower chance of detection. The cybersecurity industry has become much more adept at detecting activity that is a precursor to ransomware,” said Don Smith, VP threat intelligence at Secureworks Counter Threat Unit.

“As a result, threat actors are focusing on simpler and quicker to implement operations, rather than big, multi-site enterprise-wide encryption events that are significantly more complex. But the risk from those attacks is still high,” added Smith.

“While we still see familiar names as the most active threat actors, the emergence of several new and very active threat groups is fuelling a significant rise in victim and data leaks. Despite high profile takedowns and sanctions, cybercriminals are masters of adaptation, and so the threat continues to gather pace.”