The window for intrusion detection keeps getting shorter as ransomware groups' time-to-ransom (TTR) accelerates.

Ransomware gangs are operating much more quickly than before, leaving less time for organizations to detect them. According to analysis of ransomware incidents over the past year, the average time-to-ransom (TTR) is around 17 hours; for some groups, it is as little as 4 to 6 hours.

This pace is in stark contrast to how major ransomware groups operated before the double extortion trend took off several years ago, when they would lurk inside victim networks for days or weeks to build greater access and gain complete control.

A clear correlation also exists between a ransomware group's average TTR and its number of victims, the analysis by managed detection and response firm Huntress shows. Groups that grew significantly in terms of activity in 2024, such as RansomHub, Lynx/Inc, Akira, and Play, have some of the lowest TTRs, under 8 hours.

Some of these groups are also adopting a smash-and-grab approach by targeting small and midsize businesses and offering their affiliates — the hackers who perform the intrusions and infections — very high percentages of the ransom amounts. This incentivizes affiliates to generate as many ransom payouts as possible.

Less opportunity to detect

Another trend of note is that some ransomware groups are focusing more on data theft extortion than on traditional data encryption methods — though most groups do both. Improvements in endpoint detection and response (EDR) tools and ransomware detection in general may be contributing to this shift, as well as successful law enforcement actions.

"While these defenses have thrived, data loss prevention (DLP) services have hardly made any advances and are often only installed in mature corporate environments," the Huntress researchers wrote in their report.
"Attackers are becoming more aware of these circumstances and are opting to steal data and hold it for ransom."

It should be noted that TTR is not a perfect metric for gauging the pace of ransomware attacks given that variables often differ between incidents, including:

- The initial point of access for the attackers and the privileges it provided them
- How easy it is to reach other network segments and systems from the initially compromised asset
- Whether access into the environment was resold to a ransomware operator by an initial access broker
- Whether the attackers decided to operate only outside the victim's regular business hours

Another important factor that Huntress analyzed was the number of actions attackers took inside the environment after the initial compromise. These include malicious actions such as network scans for reconnaissance, lateral movement, credential dumping for privilege escalation, running scripts, executing terminal commands, downloading additional payloads, and exfiltrating files.

This metric is important because the higher the number of malicious actions, the more chances there are to trigger an alert that would enable an organization to discover the intruders early during the attack. According to Huntress, the average number of malicious actions across investigated ransomware incidents was 18, but some groups took as few as six and others more than 30.

"Attackers focusing on extortion, data theft, and espionage tend to perform more actions, with pivoting, data harvesting, and exfiltrating being those extra activities," the researchers wrote. "Attackers who rely on receiving ransomware payments for decryption tend to perform a lower number of actions as they're basically smashing and grabbing."

Shifting tactics

Ransomware represented almost 10% of all types of threats that Huntress detected or investigated, with the healthcare, technology, education, manufacturing, and government sectors seeing the highest rates of ransomware incidents.
However, it's worth noting that some of the other threats tracked separately, such as malware or scripts, are often delivery mechanisms for ransomware or are used by initial access brokers who then sell the access to ransomware groups. For example, Huntress noted a significant spike in the abuse of remote monitoring and management (RMM) tools such as ConnectWise ScreenConnect, TeamViewer, and LogMeIn for both gaining and maintaining access to networks. Some ransomware groups have exploited zero-day vulnerabilities in RMM tools in the past.

There are also industry-specific shifts in tactics. The researchers noted that ransom incidents in the healthcare industry are shifting from traditional data encryption toward data theft.

"Attackers keep exfiltrating data right up to the point of ransoming a victim, with many attackers implementing RAR or ZIP to bundle up data and exfiltrate it to their C2 servers," Huntress said. "We saw more sophisticated attackers starting to use encrypted P2P services like Cloudflare tunneling to not only exfiltrate but to deliver tools and malware."
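The two metrics the article leans on, time-to-ransom and the count of malicious actions between initial compromise and the ransom note, are straightforward to compute from an endpoint timeline, and the same pass can flag the RMM-tool execution and archive-then-exfiltrate staging described above. The script below is an added example, not code from the article or from Huntress: the log format, the sample events, the classification regexes and the 100 MiB outbound threshold are all constructed for illustration; the only names taken from the article are the three RMM products and the 8-hour TTR band.

```python
"""
Added example (not from the article or Huntress): a small timeline analyser
over constructed endpoint telemetry. It computes time-to-ransom (TTR) from
the first malicious action to the ransom note, counts malicious actions by
category, and flags RMM-tool execution and archive staging followed by a
large outbound transfer.
"""
import re
from collections import Counter
from datetime import datetime

# Constructed sample telemetry, one event per line: timestamp|host|type|detail
SAMPLE_EVENTS = """\
2024-05-01T02:10:00|ws-12|process|ScreenConnect.ClientService.exe
2024-05-01T02:15:00|ws-12|process|nmap.exe -sn 10.0.0.0/24
2024-05-01T02:40:00|ws-12|process|procdump.exe -ma lsass.exe
2024-05-01T03:05:00|dc-01|logon|type=3 user=svc_backup from=ws-12
2024-05-01T03:30:00|dc-01|process|powershell.exe -enc AAAA
2024-05-01T04:00:00|fs-01|process|rar.exe a -r staging.rar D:\\Finance
2024-05-01T04:20:00|fs-01|network|dst=203.0.113.10 bytes_out=734003200
2024-05-01T05:55:00|fs-01|file|README_TO_RESTORE.txt created
"""

# Process-name heuristics (constructed). The RMM rule uses the tool names the
# article mentions; the rest are illustrative, not a production rule set.
PROCESS_RULES = [
    ("rmm_tool", re.compile(r"screenconnect|teamviewer|logmein", re.I)),
    ("recon", re.compile(r"\bnmap\b|\bnet view\b|\bnltest\b", re.I)),
    ("credential_dump", re.compile(r"lsass|mimikatz|procdump", re.I)),
    ("script", re.compile(r"powershell|wscript|cscript", re.I)),
    ("staging", re.compile(r"\brar\.exe\b|\b7z\.exe\b|\.zip\b", re.I)),
]
RANSOM_NOTE = re.compile(r"readme_to_restore|how_to_decrypt|restore_files", re.I)
EXFIL_BYTES = 100 * 1024 * 1024   # constructed threshold: 100 MiB outbound
FAST_TTR_HOURS = 8                # the sub-8-hour band the article describes


def parse(line):
    """Split one telemetry line into (datetime, host, event_type, detail)."""
    ts, host, etype, detail = line.split("|", 3)
    return datetime.fromisoformat(ts), host, etype, detail


def classify(host, etype, detail):
    """Map an event to a malicious-action category, or None if benign."""
    if etype == "logon" and "type=3" in detail:
        m = re.search(r"from=(\S+)", detail)
        # Network logon sourced from a different host: lateral movement
        return "lateral_movement" if m and m.group(1) != host else None
    if etype == "network":
        m = re.search(r"bytes_out=(\d+)", detail)
        return "exfiltration" if m and int(m.group(1)) >= EXFIL_BYTES else None
    if etype == "file" and RANSOM_NOTE.search(detail):
        return "ransom_note"
    if etype == "process":
        for category, rx in PROCESS_RULES:
            if rx.search(detail):
                return category
    return None


def analyze(text):
    """Return TTR, action counts and staging/RMM findings for one timeline."""
    events = sorted(parse(l) for l in text.strip().splitlines())
    actions = Counter()
    first_malicious = ransom_at = staging_at = None
    rmm_seen = set()
    staged_then_exfiltrated = False
    for ts, host, etype, detail in events:
        category = classify(host, etype, detail)
        if category is None:
            continue
        if category == "ransom_note":
            ransom_at = ransom_at or ts       # keep the earliest note
            continue
        actions[category] += 1
        first_malicious = first_malicious or ts
        if category == "rmm_tool":
            rmm_seen.add(detail.split()[0])
        if category == "staging":
            staging_at = staging_at or ts
        if category == "exfiltration" and staging_at and ts >= staging_at:
            staged_then_exfiltrated = True    # bundle-then-upload pattern
    ttr_hours = None
    if first_malicious and ransom_at:
        ttr_hours = (ransom_at - first_malicious).total_seconds() / 3600
    return {
        "ttr_hours": ttr_hours,
        "action_count": sum(actions.values()),
        "actions": dict(actions),
        "rmm_tools": sorted(rmm_seen),
        "staged_then_exfiltrated": staged_then_exfiltrated,
    }


def findings(result):
    """Turn an analysis result into short triage notes."""
    notes = []
    if result["ttr_hours"] is not None and result["ttr_hours"] < FAST_TTR_HOURS:
        notes.append("fast-moving intrusion: TTR under %d hours" % FAST_TTR_HOURS)
    if result["rmm_tools"]:
        notes.append("RMM tool executed: " + ", ".join(result["rmm_tools"]))
    if result["staged_then_exfiltrated"]:
        notes.append("archive staging followed by large outbound transfer")
    return notes


if __name__ == "__main__":
    r = analyze(SAMPLE_EVENTS)
    print("TTR (hours):", r["ttr_hours"], "| malicious actions:", r["action_count"])
    for note in findings(r):
        print("-", note)
```

Every categorized event before the ransom note counts as one detection opportunity, which is the point the article makes about action counts: on the constructed timeline the intruder generates seven such events in under four hours, and any one of them firing an alert would have given the defender a window before the note was dropped.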