This research was made possible through the data collection efforts of Maleesha Perera, Joffrin Alexander, and Alana Quinones Garcia.
Key Highlights
The average duration of an enterprise ransomware attack reduced 94.34% between 2019 and 2021:
2019: 2+ months — The TrickBot (initial access) to Ryuk (deployment) attack path resulted in a 90% increase in ransomware attacks investigated by X-Force Incident Response (IR) in 2019.
2020: 9.5 days — Increased initial access broker economy and RaaS industry built upon a repeatable ransomware attack lifecycle established in 2019. Efficiencies adopted such as the ZeroLogon vulnerability to obtain privileged access to Active Directory and CobaltStrike as the C2 framework.
2021: 3.85 days — Large scale malspam campaigns such as with BazarLoader and IcedID and increased speed to transition access to ransomware affiliates like Conti.
Overview
IBM X-Force analyzed the evidence from multiple ransomware attack investigations that occurred between 2019 and 2021. In each investigation, access to the victim network was obtained through an initial access broker (initial access brokers are cybercriminals who specialize in breaching companies and then selling the access to ransomware attackers). The emphasis of the research was to better understand the duration of the activities during the various stages of a ransomware attack.
The findings of this research revealed the average duration of an enterprise ransomware attack (time between initial access and ransomware deployment) reduced 94.34% between 2019 and 2021. This is a substantial reduction and while ransomware attack lifecycle time decreased significantly, the research did not reveal substantial changes in the tools, techniques and procedures used by threa ..
Support the originator by clicking the read the rest link below.
