By: Mark Sheldon Villanueva on April 27th, 2022
New Threat Alert: Fast Quantum Ransomware Attack Hits in Less Than 4 Hours
Threat actors are becoming increasingly adept at executing blitzkrieg-like attacks, hitting businesses and deploying malware within hours. In an alarming example, cyber actors were able to go from initial compromise to domain-wide deployment in three hours and 44 minutes. It was the fastest Quantum ransomware attack observed by The DFIR Report.
To put that in perspective, the median dwell time for ransomware attacks was five days. That means it could typically take you around that many days to discover that your network has been compromised. Once the ransomware has been executed, it will only take minutes to encrypt your data.
So, how did ransomware attacks go from five-day dwell times to just a few hours?
In the 4-hour Quantum ransomware incident mentioned above, it was found that the IcedID payload was contained within an ISO image likely delivered via email. The malware was hidden as a file titled “document,” which would execute once you click it.
Once the malware was executed, it ran numerous discovery tasks leveraging various built-in Windows utilities. Then, just roughly two hours after the initial compromise, it deployed Cobalt Strike, which allowed hackers to begin “hands-on-keyboard” activity.
Afterward, the cybercriminal started rummaging through the network to identify each host within the environment and the victim organization’s Active Directory structure. That allowed the threat actor to connect to other servers within the environment, deploy Quantum ransomware to each host, and then execute it remotely.
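The burst of built-in discovery utilities described above is one of the earliest points at which defenders can catch this chain. The following is an added example, not code from The DFIR Report or ITS: a small detection that flags a host when one parent process launches several different discovery tools within a few minutes. The tool watch list, thresholds, host names and log events are all assumptions constructed for illustration, since the article does not name the utilities used.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed watch list: the article names no specific utilities.
DISCOVERY_TOOLS = {"ipconfig.exe", "systeminfo.exe", "net.exe", "nltest.exe",
                   "whoami.exe", "arp.exe", "nslookup.exe"}

# Constructed process-creation events: (timestamp, host, parent image, image)
SAMPLE_EVENTS = [
    ("2022-04-27T09:00:05", "WS-014", "explorer.exe", "outlook.exe"),
    ("2022-04-27T09:12:40", "WS-014", "rundll32.exe", "ipconfig.exe"),
    ("2022-04-27T09:12:43", "WS-014", "rundll32.exe", "systeminfo.exe"),
    ("2022-04-27T09:12:47", "WS-014", "rundll32.exe", "net.exe"),
    ("2022-04-27T09:12:52", "WS-014", "rundll32.exe", "nltest.exe"),
    ("2022-04-27T09:30:00", "WS-022", "cmd.exe", "ipconfig.exe"),
    ("2022-04-27T11:45:00", "WS-022", "cmd.exe", "whoami.exe"),
]

def find_discovery_bursts(events, window=timedelta(minutes=5), min_distinct=4):
    """Alert when one parent process on a host starts at least
    min_distinct different discovery tools inside the time window."""
    by_key = defaultdict(list)
    for ts, host, parent, image in events:
        if image.lower() in DISCOVERY_TOOLS:
            by_key[(host, parent.lower())].append(
                (datetime.fromisoformat(ts), image.lower()))
    alerts = []
    for (host, parent), hits in by_key.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Slide the window start forward until it spans <= window.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            tools = {img for _, img in hits[start:end + 1]}
            if len(tools) >= min_distinct:
                alerts.append({"host": host, "parent": parent,
                               "first_seen": hits[start][0].isoformat(),
                               "tools": sorted(tools)})
                break  # one alert per (host, parent) pair is enough
    return alerts

if __name__ == "__main__":
    for alert in find_discovery_bursts(SAMPLE_EVENTS):
        print(alert)
```

A single administrator command on WS-022 does not trip the rule, while the four-tool burst on WS-014 does; in production the same logic would run over Sysmon or EDR process-creation telemetry with thresholds tuned to the environment.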
It only took three hours and 44 minutes from the initial compromise to cause that much damage. And it gets worse: as quick as that attack was, recent incidents have shown that ransomware attacks have only been accelerating. It’s becoming the new trend, and security professionals are sounding the alarm.
In a SecurityWeek article, Tanium’s threat intelligence team shared that “this type of accelerated ransomware is becoming increasingly common.” However, they also added that “this recent Quantum ransomware attack isn’t breaking any records and won’t be the first, or last time we see something similar.”
Protect Your Network from Ransomware Attacks
Ransomware attacks are happening much faster and more frequently, making them harder to detect until you receive that dreaded ransom note. Thankfully, there are ways to protect your network and prevent intruders from getting inside. However, it’s not going to be easy. You will need to invest in reliable cybersecurity solutions and exercise good cyber hygiene.
At ITS, we’ve helped hundreds of businesses protect their networks from all kinds of threats, including ransomware. If you want to learn more, check out our guide on how to protect your business from ransomware.