Attackers are launching ransomware attacks against enterprises more quickly: new IBM X-Force research finds that the average duration of an enterprise ransomware attack shortened by 94 percent, from two months to under four days, between 2019 and 2021.
The maturing underground cybercrime economy has spurred this change, with initial access brokers and affiliate models helping ransomware operators shorten their attack lifecycles. This lifecycle encompasses the stages of a ransomware attack: initial access, lateral movement, obtaining privileged access to Microsoft Entra ID and, finally, deployment of ransomware at scale.
“Considering the trends observed through the analysis of ransomware attack timelines, X-Force maintains that ransomware attacks will continue to increase in speed and efficiency throughout 2022,” said John Dwyer, head of research with IBM Security X-Force, on Thursday. “X-Force recommends organizations properly invest in protection, detection, and response efforts to effectively combat the increasing speed of the attack lifecycle.”
The average ransomware attack duration was over two months in 2019; these longer timelines were primarily due to the TrickBot-Ryuk partnership, where the TrickBot gang gained initial access to environments for a significant duration before passing that access to a ransomware operator, which would then deploy the Ryuk ransomware. While these attacks lasted weeks due to a longer transfer of access, the TrickBot-Ryuk relationship was significant as it introduced the concept of a repeatable ransomware attack lifecycle, which helped cybercriminal groups better streamline their attacks.
In 2020, this repeatable ransomware attack lifecycle continued to become more efficient with the flourishing of the initial access broker economy and dramatic increase in ransomware-as-a-service (RaaS) activity, driving the average attack duration to 9.5 days. This economy allowed ransomware operators to become more efficient in gaining privileged access to Microsoft Entra ID via unpatched instances of vulnerabilities, such as ZeroLogon.
“From these engagements, Sodinokibi/REvil prevailed to be the most common ransomware variant involved,” said Dwyer. “X-Force analysis of the 2020 incidents revealed evidence of initial access was obtained through various initial access malware including IcedID, Gootkit, Valak, TrickBot, QBot, and Dridex, indicating more RaaS affiliates opting to purchase initial access rather than obtaining it independently.”
In 2021, the average ransomware attack duration then dropped to 3.85 days, with researchers observing "significant reductions in both how quickly access was transferred from the broker to the ransomware operator, and how rapidly the ransomware operator was able to obtain privileged access to Microsoft Entra ID." This was driven in part by the explosion of Conti’s affiliate model program and its relationship with access brokers, and also by large malspam campaigns, including ones involving BazarLoader and IcedID.
The increased speed of ransomware attacks puts further pressure on enterprise security defense teams, reducing the time they have to react once an attack hits. At the same time, researchers found that while enterprises’ detection capabilities improved between 2019 and 2021, this appears to have had little impact on slowing the ransomware attack lifecycle.
“X-Force discovered that responders were able to recover more alerts within existing security tools (including EDR) over the years between 2019 and 2021, indicating that security tooling has increased in volume and ability to detect ransomware operators prior to deployment of the ransomware, but victims did not build out effective response policies and procedures to act on these detections,” said Dwyer.
Researchers recommended that enterprises adopt five security controls that are “specifically targeted to disrupt the ransomware attack lifecycle.” These include restricting and implementing multi-factor authentication and privileged access management for privileged accounts; prohibiting workstation logon with domain admin credentials; restricting SMB/RDP/RPC for internal communication; implementing managed service accounts; and restricting software execution on domain controllers and secure administrative systems.
“A critical first step within this control is to establish a least privilege model within the organization to prevent privilege escalation and credential harvesting, which is often a critical step in a domain-wide compromise,” said Dwyer. “X-Force recommends all organizations remove local administrator rights for all accounts unless absolutely necessary.”
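The second of the five controls above, prohibiting workstation logon with domain admin credentials, is one that responders can verify from the alerts they already have. The following Python script is an added example, not code from IBM X-Force or the article: it parses constructed Windows Security 4624 logon records and flags any privileged account that logged on interactively (console, RDP or cached logon) to a host outside the tier-0 set. The account names, hostnames, group inventory and the key=value log format are all assumptions made for the example.

```python
"""Flag privileged-account logons on non-tier-0 hosts (added example).

Implements the control "prohibit workstation logon with domain admin
credentials" as a detection over Windows Security event 4624 records.
All accounts, hosts and log lines below are constructed sample data.
"""
import re

# Constructed inventory: accounts that sit in tier-0 groups (e.g. Domain Admins)
# and the hosts where interactive use of those accounts is acceptable.
# Both are placeholders; a real deployment would pull them from the directory.
PRIVILEGED_ACCOUNTS = {"corp\\alice", "corp\\da-bob"}
TIER0_HOSTS = {"DC01", "DC02", "PAW01"}

# 4624 logon types that leave reusable credential material on the target host:
# 2 = interactive, 10 = RemoteInteractive (RDP), 11 = cached interactive.
# Type 3 (network) is deliberately excluded: it does not cache a reusable
# secret on the target, so it does not violate the workstation-logon control.
CREDENTIAL_EXPOSING_LOGON_TYPES = {2, 10, 11}

# Constructed log lines in a simple key=value form (not real SIEM output).
SAMPLE_EVENTS = [
    "EventID=4624 Computer=DC01.corp.example TargetUser=CORP\\alice LogonType=10",
    "EventID=4624 Computer=WS042.corp.example TargetUser=CORP\\alice LogonType=10",
    "EventID=4624 Computer=WS042.corp.example TargetUser=CORP\\carol LogonType=2",
    "EventID=4624 Computer=FS01.corp.example TargetUser=CORP\\da-bob LogonType=3",
    "EventID=4624 Computer=WS017.corp.example TargetUser=CORP\\da-bob LogonType=2",
    "EventID=4625 Computer=WS017.corp.example TargetUser=CORP\\da-bob LogonType=2",
]

TOKEN = re.compile(r"(\w+)=(\S+)")


def parse_event(line):
    """Return a normalised dict for one key=value record, or None if malformed."""
    fields = dict(TOKEN.findall(line))
    try:
        return {
            "event_id": int(fields["EventID"]),
            # Short hostname, upper-cased so it matches the tier-0 inventory.
            "host": fields["Computer"].split(".")[0].upper(),
            # Account names are lower-cased; Windows treats them case-insensitively.
            "user": fields["TargetUser"].lower(),
            "logon_type": int(fields["LogonType"]),
        }
    except (KeyError, ValueError):
        return None


def find_violations(lines, privileged=PRIVILEGED_ACCOUNTS, tier0=TIER0_HOSTS):
    """Return (host, user, logon_type) for every credential-exposing logon
    of a privileged account on a host that is not in the tier-0 set."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["event_id"] != 4624:      # only successful logons
            continue
        if (ev["user"] in privileged
                and ev["logon_type"] in CREDENTIAL_EXPOSING_LOGON_TYPES
                and ev["host"] not in tier0):
            findings.append((ev["host"], ev["user"], ev["logon_type"]))
    return findings


def summarise(findings):
    """Count violations per privileged account, for a quick triage view."""
    counts = {}
    for _host, user, _lt in findings:
        counts[user] = counts.get(user, 0) + 1
    return counts


if __name__ == "__main__":
    for host, user, logon_type in find_violations(SAMPLE_EVENTS):
        print(f"VIOLATION: {user} logon type {logon_type} on non-tier-0 host {host}")
    print(summarise(find_violations(SAMPLE_EVENTS)))
```

Run against the constructed sample, the script reports two violations (alice's RDP session to WS042 and da-bob's console logon to WS017) and ignores alice's logon to DC01, carol's ordinary logon, da-bob's network logon to the file server and the failed 4625 attempt. A finding here is exactly the signal the report says victims had but did not act on: it is worth wiring to a response procedure rather than only to a dashboard.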