Ransomware hackers dwell time drops to 5 days, RDP still widely used

Ransomware threat actors are displaying a reduced dwell time within compromised networks, with security solutions triggering alerts more swiftly. In the first half of this year, the median dwell time for hackers decreased to five days, down from nine in 2022.

Statistics compiled by cybersecurity firm Sophos reveal that the overall median dwell time for cyberattacks of all types was eight days in the first half of this year, down from ten in 2022.

Of particular note, ransomware attacks constituted a substantial 68.75% of all cyberattacks documented by Sophos this year.

Additionally, Sophos reports an increase in the median dwell time for non-ransomware incidents, rising from 11 to 13 days this year. This suggests that while ransomware threat actors are moving swiftly, other cybercriminals engaged in network intrusions appear to “linger” and wait for opportune moments.

Across all cases, the average dwell time stands at 15-16 days, with the longest observed dwell time this year extending beyond three months.

Sophos also observed data exfiltration occurring in 43.42% of cases, marking a 1.3% increase from the previous year. It appears that data theft is on the rise, even though there were fewer such attacks, declining to 31.58% in the first half of 2023 from 42.76% in 2022. Supporting this trend is an increase in incidents where there was clear confirmation of no data exfiltration, rising from 1.32% to 9.21%.

Examining patterns in Sophos data concerning days and times, intriguing insights emerge. Threat actors, including ransomware operators, seem to favor targeting organizations on Tuesdays, Wednesdays, and Thursdays. They tend to strike late in the local workday, capitalizing on the likelihood of IT teams being understaffed and less likely to detect intrusions and network developments promptly.

However, an interesting observation made by Sophos is that most ransomware incidents tend to occur on Fridays and Saturdays. During these days, companies may exhibit slower response times due to the challenges in reaching their tech teams promptly.

One of the persistently exploited tools in these attacks is the remote desktop protocol (RDP), which comes integrated into most Windows versions. Sophos underscores the prevalence of compromised credentials, as well as the widespread use of single-factor authentication, as contributing factors to why attackers favor RDP.

Statistics reveal that RDP played a role in a staggering 95% of intrusions. However, it’s noteworthy that attackers predominantly utilized RDP for internal activities, accounting for 93% of cases, and only in 18% of instances did they employ it externally.

Given these insights, Sophos emphasizes the importance for companies to prioritize the security of RDP. By fortifying this avenue of access, organizations can potentially deter attackers who might be discouraged by the increased time and effort required to breach the system, thereby affording more time for detection of any intrusion.

Furthermore, maintaining data for a reasonable duration and conducting regular checks assume significance. This practice can aid in identifying threat actors already within the network, potentially before they advance to the final stages of an attack. Additionally, it can equip defenders and incident responders with valuable insights, offering a clear roadmap for prompt and effective mitigation measures.