Ransomware Dwell Time Hits Low of 24 Hours
- Ransomware median dwell time has decreased from 4.5 days to less than 24 hours in a year.
- None.
Analysis from Secureworks annual State of The Threat Report shows ransomware median dwell time has dropped from 4.5 days to less than 24 hours in a year
"The driver for the reduction in median dwell time is likely due to the cybercriminals' desire for a lower chance of detection. The cybersecurity industry has become much more adept at detecting activity that is a precursor to ransomware. As a result, threat actors are focusing on simpler and quicker to implement operations, rather than big, multi-site enterprise-wide encryption events that are significantly more complex. But the risk from those attacks is still high," said Don Smith, VP Threat Intelligence, Secureworks Counter Threat Unit.
"While we still see familiar names as the most active threat actors, the emergence of several new and very active threat groups is fuelling a significant rise in victim and data leaks. Despite high profile takedowns and sanctions, cybercriminals are masters of adaptation, and so the threat continues to gather pace," Smith continued.
The annual State of the Threat report examines the cybersecurity landscape from June 2022 to July 2023. Key findings include:
- While some familiar names including GOLD MYSTIC (LockBit), GOLD BLAZER (BlackCat/ALPV), and GOLD TAHOE (Cl0p) still dominate the ransomware landscape, new groups are emerging and listing significant victim counts on "name and shame" leak sites. The past four months of this reporting period have been the most prolific for victim numbers since name-and-shame attacks started in 2019.
- The three largest initial access vectors (IAV) observed in ransomware engagements where customers engaged Secureworks incident responders were: scan-and-exploit, stolen credentials and commodity malware via phishing emails.
- Exploitation of known vulnerabilities from 2022 and earlier continued and accounted for more than half of the most exploited vulnerabilities during the report period.
Most Active Ransomware Groups
The same threat groups continued to dominate in 2023 as in 2022. GOLD MYSTIC's LockBit remains the head of the pack, with nearly three times the number of victims as the next most active group, BlackCat, operated by GOLD BLAZER.
New schemes have also emerged and posted numerous victims. MalasLocker, 8BASE and Akira (which ranked at number 14) are all newcomers that made an impact from Q2 2023. 8BASE listed nearly 40 victims on its leak site in June 2023, only slightly fewer than LockBit. Analysis shows that some of the victims go back as far as mid 2022, although they were dumped at the same time. MalasLocker's attack on Zimbra servers from the end of April 2023 accounted for 171 victims on its leak site in May. The report examines what leak site activity actually reveals about ransomware attack success rates — it's not as straightforward as it seems.
The report also reveals that victim numbers per month from April-July 2023 were the most prolific since name and shame emerged in 2019. The highest number of monthly victims ever was posted to leak sites in May 2023 with 600 victims, three times as many as in May 2022.
Top Initial Access Vectors for Ransomware
The three largest initial access vectors (IAV) observed in ransomware engagements where customers engaged Secureworks incident responders were: scan-and-exploit (
Scan-and-exploit involves the identification of vulnerable systems, potentially via a search engine like Shodan or a vulnerability scanner, and then attempting to compromise them with a specific exploit. Within the top 12 most commonly exploited vulnerabilities,
"Despite much hype around ChatGPT and AI style attacks, the two highest profile attacks of 2023 thus far were the result of unpatched infrastructure. At the end of the day, cybercriminals are reaping the rewards from tried and tested methods of attack, so organizations must focus on protecting themselves with basic cyber hygiene and not get caught up in hype," Smith continued.
The World of Nation-State Attackers
The report also examines the significant activities and trends in the behavior of state-sponsored threat groups belonging to
The war in
State of the Threat Report 2023
This latest State of the Threat Report is the seventh annual report from Secureworks providing a concise analysis of how the global cybersecurity threat landscape has evolved over the last 12 months. The information within the report is drawn from the Secureworks Counter Threat Unit's (CTU) firsthand observations of threat actor tooling and behaviors and includes real-life incidents. Our annual threat analysis provides a deep dive insight into the threats our team has observed on the front line of cybersecurity.
The Secureworks State of the Threat Report can be read in full here: https://www.secureworks.com/resources/rp-state-of-the-threat-2023
About Secureworks
Secureworks (NASDAQ: SCWX) is a global cybersecurity leader that secures human progress with Secureworks® Taegis™, a SaaS-based, open XDR platform built on 20+ years of real-world threat intelligence and research, improving customers' ability to detect advanced threats, streamline and collaborate on investigations, and automate the right actions. Connect with Secureworks via Twitter, LinkedIn and Facebook and Read the Secureworks Blog
View original content to download multimedia:https://www.prnewswire.com/news-releases/ransomware-dwell-time-hits-low-of-24-hours-301947675.html
SOURCE Secureworks, Inc.
FAQ
What is the median dwell time for ransomware attacks?
What are the key findings of the Secureworks State of the Threat Report?
Which ransomware groups dominate the landscape?
What are the top initial access vectors for ransomware?