Most of the ransomware attacks targeting the enterprises occur outside working hours, during the nighttime or during the weekend.

Security experts from FireEye published an interesting report on the Ransomware deployment trends, it revealed that most of the attacks (76%) against the enterprise sector occur outside working hours.

FireEye compiled the report using data from dozens of ransomware infections that it has investigated from 2017 to 2019.

49% of the ransomware deployments take place during nighttime over the weekdays, and 27% taking place over the weekend.

The timing of the ransomware attacks is not casual, attackers attempt to deploy the malware when the presence of the IT staff is reduced and the likelihood to be detected is low. Outside working hours the victims spend more time reacting to the intrusion.

The ransomware deployments are usually the result of a prolonged network compromise and intrusion, in many cases after the threat actors gain access to the network attempt lateral movements to infect the largest number of systems as possible.

The cybersecurity firm says that ransomware gangs breach a company’s network, spend their time moving laterally to as many workstations as possible.

“The majority of these incidents appeared to be post-compromise infections, and we believe that threat actors are accelerating use of tactics including post compromise deployment to increase the likelihood of ransom payment.” reads the report published by FireEye. “We also observed incidents in which ransomware was executed immediately, for example GANDCRAB and GLOBEIMPOSTER incidents, but most of the intrusions examined were longer duration and more complex post-compromise deployments.”

The report also reveals that the ‘dwell time,’ (the time between the first evidence of malicious activity compromise and the actual ransomware attack) is on average three days.

If initial infections are quickly detected and contained, the cost associated with the infection could be avoided.

Experts also analyzed initial infection vectors across multiple ransomware incidents, including RDP, phishing attacks, and drive-by-download of malware. The experts noticed that RDP attacks were more frequent in 2017, but declined in 2018 and 2019.

“Ransomware is disruptive and costly. Threat actor innovations have only increased the potential damage of ransomware infections in recent years, and this trend shows no sign of slowing down. We expect that financially motivated actors will continue to evolve their tactics to maximize profit generated from ransomware infections.” concludes the report. “We anticipate that post-compromise ransomware infections will continue to rise and that attackers will increasingly couple ransomware deployment with other tactics, such as data theft and extortion, increasing ransom demands, and targeting critical systems.”

Pierluigi Paganini