
Acceleration of Encryption by Ransomware Gangs – CyberMaterial


Ransomware groups have significantly ramped up their attack speeds, a recent study by cybersecurity firm Huntress has revealed. The report indicates that these malicious groups now take an average of only 17 hours to encrypt systems after infiltrating a network, a stark departure from the prolonged dwell times usually seen in previous ransomware campaigns. Some groups, such as Akira and RansomHub, have managed to shorten this timeframe even further, down to just 4-6 hours, employing a quick “smash-and-grab” strategy that gives organizations very little time to detect and counter the attacks.

The study also finds that attackers are increasingly using sophisticated techniques to breach systems. Tools like Mimikatz and PowerShell scripts are used to dump credentials and enable swift lateral movement within compromised networks. More than 60% of ransomware incidents in 2024 were linked to vulnerabilities in remote tools like ScreenConnect and CrushFTP, which gave attackers unauthorized access. In response to this, newer ransomware variants like CryptNet have fine-tuned their encryption methods to slash encryption times by up to 70%, ensuring faster and more impactful attacks.

The ransomware landscape has also seen a shift in the affiliate model that fuels these attacks, with lucrative payouts to affiliates encouraging a spike in attacks geared towards higher volumes. Consequently, there has been a rise in data extortion schemes, where attackers demand payment without actually encrypting the data. Huntress found that 38% of ransomware incidents in 2024 involved pure data extortion, with the healthcare and education sectors bearing the brunt of these assaults. Within the healthcare sector, 45% of incidents were related to Java-based remote access Trojans (RATs), while in education, 24% of incidents were associated with infostealers such as Chromeloader.

To combat these evolving threats, the researchers suggest several defensive strategies. These include restricting access to Remote Monitoring and Management (RMM) tools, which have been frequently exploited in ransomware attacks. They also recommend blocking the execution of LOLBins (Living Off the Land Binaries) through registry modifications and enabling AES-NI hardware encryption to mitigate the impact of partial-file encryption attacks. With ransomware causing billions in damages globally, businesses are urged to adopt a proactive security stance that includes hourly backup validation and threat mitigation to safeguard their operations from these increasingly sophisticated attacks.
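One way an hourly backup validation pass could look, as an added example that is not from the Huntress report or this article: it checks backup age, compares each file against a SHA-256 manifest, and flags files that should be plain text but contain high-entropy chunks, the pattern partial-file encryption leaves behind. The manifest layout, the `plain` flag, the thresholds and the sample data are all assumptions made for illustration.

```python
import hashlib
import math
from collections import Counter

CHUNK = 4096         # bytes per inspected block (assumed value)
HIGH_ENTROPY = 7.5   # bits/byte; ciphertext sits near 8.0 (assumed threshold)
MAX_AGE_S = 3600     # the "hourly" validation window

def entropy(block):
    """Shannon entropy of a byte string, in bits per byte."""
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())

def encrypted_fraction(data):
    """Fraction of full-size chunks whose entropy looks like ciphertext."""
    chunks = [data[i:i + CHUNK] for i in range(0, len(data) - CHUNK + 1, CHUNK)]
    if not chunks:
        return 0.0
    return sum(entropy(c) > HIGH_ENTROPY for c in chunks) / len(chunks)

def validate(files, manifest, taken_at, now):
    """Return a list of findings; an empty list means the backup passed."""
    findings = []
    if now - taken_at > MAX_AGE_S:
        findings.append("stale: last backup older than one hour")
    for name, expected in manifest.items():
        data = files.get(name)
        if data is None:
            findings.append(f"missing: {name}")
            continue
        if hashlib.sha256(data).hexdigest() != expected["sha256"]:
            findings.append(f"hash mismatch: {name}")
        frac = encrypted_fraction(data)
        # Only meaningful for files marked plain (logs, CSV, source code):
        # compressed or media formats are high-entropy by nature.
        if expected["plain"] and frac > 0:
            findings.append(f"high-entropy chunks ({frac:.0%}): {name}")
    return findings

def keystream(n):
    """Deterministic stand-in for ciphertext, used only to build the sample."""
    blocks = (hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

# Constructed sample: a 32 KiB log file, and a copy with every other chunk encrypted.
CLEAN = b"2024-01-01 12:00:00 INFO job ok\n" * 1024
TAMPERED = b"".join(keystream(CHUNK) if i % 2 else CLEAN[i * CHUNK:(i + 1) * CHUNK] for i in range(8))
MANIFEST = {"app.log": {"sha256": hashlib.sha256(CLEAN).hexdigest(), "plain": True}}

if __name__ == "__main__":
    print(validate({"app.log": TAMPERED}, MANIFEST, taken_at=1000.0, now=1600.0))
```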

In conclusion, as ransomware groups continue to evolve and refine their tactics, organizations must stay vigilant and proactive in defending against these insidious threats. By implementing robust security measures and staying ahead of the curve, businesses can effectively protect themselves from the damaging effects of ransomware attacks.
