Experts reveal the average ransomware attack takes just 3 days 

Today, IBM X-Force unveiled research that examined more than 150 ransomware engagements from the past three years and discovered there was a major decrease in the overall time between initial access and ransom requests. 

The study revealed there was a 94.34% reduction in the average duration of ransomware attacks between 2019 and 2021, from over two months to just a little more than three days. 

One of the main culprits for the increase in attack speed was found to be the initial access broker economy and ransomware-as-a-service (RaaS) industry. These provide cybercriminals with a repeatable ransomware attack lifecycle, with low-risk, high reward threats like the ZeroLogon vulnerability and CobaltStrike. 

This has been worsened by MalSpam campaigns like BazarLoader and IcedID that increase the speed of access that have given security teams even less time to react before data is encrypted or exfiltrated. 

Why are ransomware attacks on the rise 

The research comes shortly after the release of Verizon’s Data Breach Investigations Report (DBIR) revealed that ransomware increased by 13% this year, and made up a total of 25% of security incidents. 

As the RaaS industry becomes more developed, cybercriminals are developing highly effective and repeatable techniques they can use to break into enterprise environments, at a speed that most security teams cannot keep up with, particularly if they’re short-staffed or under-resourced. 

“The criminal economies that support ransomware have continued to operationalize the business of ransomware and we’ve seen large increases in efficiency through things like the ransomware-as-a-service model, which has significantly lowered the barrier of entry for criminals to join in on the ransomware business or the rise of the initial access broker economy, which has dramatically increased the number of potential victims,” said John Dwyer, head of research at IBM Security X-Force. 

Many enterprises are struggling to defend against these attacks because they do not have the ability to detect and respond to intrusions in time. 

Recent research from IBM found that the average breach lifecycle takes 287 days, with organizations taking 212 days to initially detect a breach and 75 days to contain it. 

How enterprises can respond to fast-tracked ransomware 

With the growth in these malicious campaigns, organizations need to take a more proactive approach to security if they want to keep ransomware attacks at bay. 

“The research reaffirms the need for businesses to adopt a Zero Trust architecture, to reduce the pathways we’re seeing adversaries currently used to execute these attacks and to make it harder and more time-consuming for them to succeed,” Dwyer said. 

Dwyer recommends that organizations prepare and practice their response process so they’re prepared for scenarios when security protections fail, with incident response playbooks to guide users on how to respond. 

It’s worth noting that the tools and techniques used to gain access to the environment focus on a handful of techniques; phishing, exploiting vulnerabilities, and stealing credentials. 

Enterprises can work to reduce the risk of intrusion by educating employees on security best practices, advising them not to click on links or attachments in emails from unknown senders, showing them how to select strong passwords and encouraging them to regularly patch the devices and applications they use.