Dive Brief:

• The median dwell time for ransomware attacks fell in the first half of 2023, down to 5 days from the 2022 average of 9 days, according to Sophos research released Wednesday.
• The majority of ransomware attacks are taking place during the work week, yet outside standard business hours, Sophos found. The bulk of 80 cases its incident response team worked on during the first half of 2023 took place between 11 p.m. and 8 a.m. in the target’s time zone. Attackers also strongly favored a “late hour at the end of the week” to launch an attack.
• “Monitoring and reactions have to be 24/7 these days,” said Chester Wisniewski, field CTO of applied research at Sophos. “The criminals are striking when we’re not sitting at the keyboard waiting for them.”

Dive Insight:

Threat actors are moving faster to avoid detection. The resulting decline in ransomware dwell times is almost entirely negative for defenders.

“It’s 90% bad but 10% good is really looking for the light at the end of the tunnel,” Wisniewski said.

“Anytime that number goes down it can’t be perceived as anything but bad because it’s just less time for the defenders,” Wisniewski said.

There’s only so much time a threat actor can shrink from current median dwell times without changing their tactics entirely, according to Wisniewski.

“In a full-suite attack the dwell time is not going to get much shorter than five days because it takes them that long to suss out all the things that they usually do, like disabling backups and adding more admin accounts and copying all the data,” Wisniewski said.

Full-scale attacks often take days, but attackers are keenly aware of what they must achieve in the early stages to escalate privileges and broaden malicious activities.

Sophos report is based on data from its incident response team and 88% of the dataset was derived from organizations with fewer than 1,000 employees.