Researchers at IBM’s X-Force team are reporting a 94% reduction in the duration of an enterprise ransomware attack from 2019 to 2021. Though the overall time was reduced, the attacker’s tools appeared to remain mostly the same. Research showed that ransomware operators were most efficient against enterprises “who have not implemented effective measures to combat the threat of ransomware.”
The average duration of an enterprise ransomware attack fell by 94.34% between 2019 and 2021:
- 2019: 2+ months — The TrickBot (initial access) to Ryuk (deployment) attack path resulted in a 90% increase in ransomware attacks investigated by X-Force Incident Response (IR) in 2019.
- 2020: 9.5 days — An expanding initial access broker economy and RaaS industry built upon a repeatable ransomware attack lifecycle established in 2019. Operators adopted efficiencies such as exploiting the ZeroLogon vulnerability to obtain privileged access to Active Directory and using Cobalt Strike as the C2 framework.
- 2021: 3.85 days — Large-scale malspam campaigns, such as those involving BazarLoader and IcedID, and a faster handoff of access to ransomware affiliates like Conti.
As with the Quantum ransomware attack in April, which had a rapid TTR, the speed of these attacks and the use of the network as the attack vector are of special concern. Network security has become a particular weak point for most businesses, as infrastructure investment has lagged due to COVID-19 and work-from-home policies. Governments and enterprises should urgently bolster security across third-party infrastructure, remote access and sensitive partner connections using advanced techniques from the military space, such as managed attribution and payload dispersal. These make network resources hard to detect and virtually impossible to breach, protecting against even sophisticated bad actors.
The Cloud and Edge networking world can and should borrow proven principles from the military and RF space such as spread spectrum and frequency hopping to alleviate such concerns and make the environment quantum resistant at multiple levels.