We’re witnessing the next step in the evolution of ransomware, new research from Secureworks has claimed, saying the dreaded malware strains are getting quicker and sharper than ever before – in direct response to the cybersecurity industry’s reaction to the threat.
In 2022, it took ransomware operators 4.5 days on average between initial access and the deployment of the encryptor. Today, that number fell below a single day – and in fact, in more than 50% of engagements, ransomware gets deployed within a day, and in 10% of cases, it gets deployed within five hours.
The reason for this significant change is the cybersecurity teams’ response to the threat of ransomware. They’re getting better at spotting the initial signs that might lead to ransomware, forcing hackers to move faster.
Faster than the defenders
“The driver for the reduction in median dwell time is likely due to the cybercriminals’ desire for a lower chance of detection,” commented Don Smith, VP Threat Intelligence, Secureworks Counter Threat Unit.
“The cybersecurity industry has become much more adept at detecting activity that is a precursor to ransomware. As a result, threat actors are focusing on simpler and quicker to implement operations, rather than big, multi-site enterprise-wide encryption events that are significantly more complex. But the risk from those attacks is still high.”
Despite the change, cybercriminals are still using the same methods to deploy the same variants. In most cases, they go for scan-and-exploit, stolen credentials, or commodity malware distributed via phishing emails.
Through these channels, they get to deploy the usual suspects: LockBit, BlackCat, and Cl0p. There are also new entrants to the market – up-and-coming encryptors that are slowly making a name for themselves: MalasLocker, 8BASE and Akira are all newcomers worthy of attention, the researchers said. In fact, 8BASE listed nearly 40 victims on its leak site in June 2023, only slightly fewer than LockBit.
Secureworks’ full report can be found on this link.