Every ransomware attack that has ever happened exploits a fundamental advantage cybercriminals have over defenders—time.
Clock 1: Dwell Time
Three clocks are at work here. The first starts ticking from the moment of an initial compromise and stops at the second of ransomware execution. In cybersecurity parlance, this is known as the dwell time, or how long the attackers have been lurking on the network before executing the ransomware itself.
Recently we reported on a ransomware attack against a U.S. Government agency where forensic analysis later found that the dwell time had been months, which is not uncommon.
Of course, that was also a big window for detection during which the attack could have been stopped in its tracks.
Clock 2: Data Theft
In reality, detection is more complicated than that thanks to the second clock. This also starts ticking at the moment of compromise, but finishes when attackers exfiltrate data.
That clock often stops during dwell time, which means that even if defenders discover a compromise during that period, it might still be too late to stop data theft.
Stealing data is a recent fashion used to up the ante and pressure victims into paying a ransom even if they can overcome encryption.
Clock 3: Time-to-Encrypt
The third clock is how long it takes between the moment a ransomware attack executes at the end of dwell time and the point at which the malware has finished encrypting files.
Called time-to-encrypt (TTE), a recent analysis by Splunk of 10 common ransomware strains found that some are a lot faster at this than others, ranging from four minutes to three and a half hours, with a median speed of 43 minutes. (The fastest, LockBit, achieves this incredible pace because it encrypts only a 4KB portion of the file, just enough to render it unusable.)
Time-To-Ransom
What the combination of these three clocks adds up to is a total time known as time-to-ransom (TTR).
Interestingly, evidence is emerging from recent incidents that TTR is not only getting shorter, but is getting a lot shorter. According to the DFIR Report, the Quantum Locker ransomware strain discovered in 2021 recently executed its payload and completed its encryption phase during an attack in a mere 3 hours and 44 minutes.
They suspect that the quick-in-and-out attack design relied on email delivery of an infected attachment to initiate the attack, followed by hands-on use of the advanced Cobalt Strike penetration testing tool to move laterally inside the victim’s network.
And they’re not the only ones feeling the need for speed. Other ransomware types are reportedly being programmed as multi-threaded applications to speed up encryption, or launching multiple instances to spread the workload.
But why would attackers need to speed up attacks? That’s harder to say, but it’s possible that the defenses of the organizations targeted by Quantum have improved, and the attackers see speed as necessary to evade these barriers.
For defenders, the question then becomes whether the defences they have can match the TTR speeds that seem to be a new normal for ransomware. What matters is that each of the clocks outlined in this article offers the potential to act. Time is always on their side, but the success of ransomware is not a fait accompli.