Global Dwell Time Drops as Ransomware Attacks Accelerate

The length of time attackers remain undiscovered in a target network has fallen to 24 days, researchers report, but ransomware plays a role.

Attackers are spending less time inside target networks, researchers report, but the seemingly positive trend hides a concerning development: Ransomware attacks, which by nature have a shorter "dwell time," are growing more common and efficient, shrinking the average time frame for all attacks.


In their 2021 M-Trends threat report, Mandiant researchers note the global median dwell time, or the number of days an attacker is in an environment before detection, has fallen to 24 days. While median dwell time has consistently dropped from 416 days in 2011, this year's number marks a notable drop, says Steven Stone, senior director of advanced practices at Mandiant.

"Half the dwell time went away compared to last year," he notes. The 2020 M-Trends report found a global median dwell time of 56 days, making this year's number "a significant drop."

This decline could be explained by several factors, including continued improvement in threat detection capabilities, new policies, and higher security budgets. However, the attack landscape plays a critical role. As dwell time dropped last year, the number of ransomware cases rose: Twenty-five percent of Mandiant investigations involved ransomware, a sharp increase from 14% in 2019.

Credit: zephyr_p via Adobe Stock

A breakdown of dwell time by attack type is more telling. The median dwell time for non-ransomware investigations was 45 days; for ransomware investigations, it was only five. These metrics combined brought the global median dwell time down to its new low of 24 days.
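The arithmetic behind that breakdown is worth seeing on real-looking incident records, because it explains how a falling overall median can coexist with an unchanged median for non-ransomware cases. The script below is an added example, not code or data from Mandiant or the M-Trends report: it takes a constructed list of incidents (first evidence of attacker activity, detection date, ransomware flag), derives each case's dwell time in days, and reports the overall median alongside the per-category medians and the ransomware share. The constructed figures are chosen only to illustrate the mechanism and are not the report's numbers.

```python
from datetime import date
from statistics import median

# Constructed sample incident records (not M-Trends data). Each entry holds the
# date of the earliest attacker activity found in evidence, the date the
# intrusion was detected, and whether the case ended in ransomware.
INCIDENTS = [
    # (first_evidence, detection, ransomware?)
    ("2020-01-10", "2020-03-05", False),  # 55 days
    ("2020-02-01", "2020-03-17", False),  # 45 days
    ("2020-04-03", "2020-04-23", False),  # 20 days
    ("2020-05-12", "2020-05-15", True),   # 3 days
    ("2020-06-01", "2020-06-06", True),   # 5 days
    ("2020-07-20", "2020-07-28", True),   # 8 days
]


def dwell_days(first_evidence, detection):
    """Dwell time in whole days between first evidence and detection (ISO dates)."""
    start = date.fromisoformat(first_evidence)
    found = date.fromisoformat(detection)
    if found < start:
        # A detection date earlier than the first evidence is a data-entry error,
        # not a negative dwell time; refuse rather than skew the median.
        raise ValueError(f"detection {detection} precedes first evidence {first_evidence}")
    return (found - start).days


def dwell_time_report(incidents):
    """Median dwell time overall and per category, plus the ransomware share of cases."""
    all_days, ransom_days, other_days = [], [], []
    for first_evidence, detection, is_ransomware in incidents:
        days = dwell_days(first_evidence, detection)
        all_days.append(days)
        (ransom_days if is_ransomware else other_days).append(days)
    return {
        "overall_median": median(all_days) if all_days else None,
        "ransomware_median": median(ransom_days) if ransom_days else None,
        "non_ransomware_median": median(other_days) if other_days else None,
        "ransomware_share": len(ransom_days) / len(all_days) if all_days else 0.0,
    }


def non_ransomware_only(incidents):
    """Filter used to show the overall median without the ransomware cases."""
    return [rec for rec in incidents if not rec[2]]


if __name__ == "__main__":
    # With ransomware cases mixed in, the overall median sits well below the
    # non-ransomware median even though the latter has not moved.
    print(dwell_time_report(INCIDENTS))
    print(dwell_time_report(non_ransomware_only(INCIDENTS)))
```

In the constructed sample, the non-ransomware median is 45 days and the ransomware median is 5 days, but the blended median is 14 days; drop the ransomware cases and the overall median returns to 45. When tracking this metric internally, report the per-category medians next to the overall figure so that a shift in case mix is not read as a detection improvement.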

As researchers see more ransomware, they expect dwell time to continue shrinking. After all, the attackers deploying ransomware don't want to remain hidden for very long.

"We're seeing ransomware intrusions … move to ransomware much, much quicker than we have in previous years," Stone points out. "We think that's clearly a contributing factor."

In the past, ransomware operators would try to get into a target environment and typically spend more time trying to understand it before deploying ransomware at the end. Now they move quickly through the attack cycle. Many have adopted the technique of "multifaceted extortion," in which they also threaten to publish stolen data if the ransom isn't paid in time.

It seems attackers are growing more comfortable with ransomware compared with other forms of monetization. This, combined with increasingly higher payouts, is bad news for defenders. Today's ransomware operators are growing more comfortable with negotiating higher sums.

"We talk about intrusion like it's a machine, but it's ultimately people, and people tend to do what they're most comfortable with," Stone explains. "They need a mechanism to monetize the intrusion, and as they're learning more and more about how to do that with ransomware year over year, they're getting more comfortable in that space."

What Else Is In Attackers' Toolkits?
Of course, ransomware isn't the only threat Mandiant researchers investigated last year. Their responses to a range of security intrusions yielded several observations, including a preference for exploits (29%) over phishing attacks (23%) as an initial infection vector. Other common vectors included stolen credentials or brute force (19%) along with prior compromise (12%).

"It definitely sticks out to us," Stone says of the rise in exploits. "If anything, we're seeing that trend accelerate currently." Researchers are already two full quarters into what will be the next M-Trends report, "and we're actually seeing more exploits than we did when we wrote this report."

There was a time when exploits were dominant, he explains, but they began to trend down as phishing attacks grew. Now "they're back with a vengeance," he says. While researchers aren't sure what's driving the trend, Stone notes that exploit usage is different than it was in the past. More exploits are continuously dropping, and there are more groups taking advantage of them.

"In the past we would typically see an exploit targeted by one high-end group … now you'll see an exploit, and you'll see a range of groups in a very quick time frame either using that or converting that once it goes public," he adds.

The presence of offensive security tools in attackers' arsenals was another dominant trend. Beacon, a backdoor commercially available as part of the Cobalt Strike platform, was seen in 24% of incidents. Empire, a publicly available PowerShell post-exploitation framework, was seen in 8%. Rounding out the top five were Maze ransomware (5%), Netwalker ransomware (4%), and the Metasploit pen-testing platform (3%).

When they aren't using publicly available tools, attackers are relying on privately developed ones: Seventy-eight percent of malware families used in attacks were private; the rest were public. The trend is consistent across the most advanced groups and lesser-skilled attackers, Stone explains. Many of these tools are easy to use, lowering the cost of entry and empowering attackers.

"We're seeing a number of lower-level skillset groups deploy custom malware along with these public tools," he says. "That makes incident response very challenging, and I think organizations need to be prepared for that."

One of the groups using Cobalt Strike Beacon is UNC2452, the name Mandiant has given to the group behind the supply chain attack that involved an implant in SolarWinds' Orion platform. This is "arguably the most advanced group we've ever dealt with," Stone says, and the fact it's deploying Beacon is very concerning.

While organizations face new threats, the process of preparing for these types of attacks hasn't changed, he continues.

"Be prepared for an intrusion. Be prepared to make smart decisions based on the actual threats you're seeing," says Stone. 

An attack from a group like UNC2452 and a ransomware attack are very different intrusions, he says, and organizations must respond and remediate differently. They have to be able to make the right call for a particular threat, versus a "one-size-fits-all" approach.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...

[email protected],
User Rank: Apprentice
4/15/2021 | 11:31:12 AM
Ransomware protection
Really good article. These trends are scary as it shows the ransomware groups are very well organized. The first line of defense is also to be well organized and have response scenarios ready as well as educate your employees on security. Education, preparation and knowledge of these attacks can go a long way. Businesses need to segregate their network and be able to identify threats rapidly as attackers are moving even faster. For businesses that can't or don't want to spend much on security, there is still hope as Cloud service providers offer great protection and can mitigate risks/impact of a ransomware attack to avoid any substantial interruption. An up-to-date and constantly monitored cloud infrastructure with secure and reliable backups can protect you.

Disclaimer: I work for V2 Cloud