We are witnessing the next step in the evolution of ransomware, according to new research from Secureworks, which shows that the dreaded malware variants are becoming faster and sharper than ever before – in direct response to the cybersecurity industry’s response to the threat.
In 2022, it took an average of 4.5 days between the first access and the deployment of the encryptor. Today, that number has dropped to less than one day. In fact, ransomware is deployed within a day in more than 50% of cases, and within five hours in 10% of cases.
The reason for this important change is the cybersecurity teams’ response to the ransomware threat. They’re getting better at spotting the early signs that could lead to ransomware, forcing hackers to act faster.
Faster than the defenders
“The driving force behind the reduction in average dwell time is likely due to cybercriminals’ desire to reduce the likelihood of detection,” said Don Smith, VP Threat Intelligence, Secureworks Counter Threat Unit.
“The cybersecurity industry has become much more adept at detecting activity that is a precursor to ransomware. As a result, threat actors are focusing on easier and faster-to-deploy operations, rather than large, enterprise-wide, multi-site encryption events that are significantly more complex. But the risk of these attacks is still high.”
Despite the change, cybercriminals still use the same methods to deploy the same variants. In most cases, they use scan-and-exploit, stolen credentials, or common malware distributed via phishing emails.
Through these channels they can deploy the usual suspects: LockBit, BlackCat and Cl0p. There are also newcomers to the market: emerging encryptors that are slowly making a name for themselves: MalasLocker, 8BASE and Akira are all newcomers that deserve attention, the researchers said. In fact, as of June 2023, 8BASE listed nearly 40 victims on the leak site, only slightly fewer than LockBit.
The full report from Secureworks can be found at this link.