Share on:

What is ransomware dwell time — and why does it matter? Dwell time can be defined as the time between when a threat actor initially gains access to your environment and when they are detected.

In a ransomware attack, many organizations don’t detect threat actors until they have made themselves known by deploying ransomware, encrypting their files and locking them out until they pay a ransom.

Ransomware Dwell Time Shortens

These days, threat actors will throw in exploitation (threatening to either leak sensitive information publicly or destroy it) to help further incentivize and expedite ransom payment.

The bad news is, we’ve observed ransomware dwell time getting shorter and shorter, meaning it’s more critical than ever to identify real indicators of threat actor behavior early enough to stop an attack in progress. While the median dwell time for non-ransomware incidents was 45 days, ransomware incidents were only five days, according to Mandiant’s 2021 M-Trends report. This significantly narrows the window of time organizations have to defend against an attack.

Longer Response; Higher Costs

Time to security is more critical than ever – the longer it takes to contain a breach, the higher the financial impact. Breaches that took more than 200 days to identify and contain resulted in 35% higher cost for organizations, at $4.8 million on average, according to IBM’s Cost of a Data Breach report.

The overall financial impact of a ransomware breach extends far beyond just the ransom payment to include:

  • Business downtime and disruptions in operational processes
  • Damage to a company’s brand and reputation, resulting in customer churn
  • Investigation, remediation and containment costs
  • Legal costs or related fines due to compliance violations or leaked customer data
  • Customer communication, credit monitoring and identity protection services

We cover costs in more detail in Comparing the Cost of a Ransomware Attack vs. a Cloud SIEM.

Key Pre-Ransomware Detections

In Blumira’s own observations of real-life ransomware timelines, we have seen attackers deploy ransomware within three days after our platform initially detected threat actor behavior. But due to the vast amount of techniques attackers employ, it can be difficult to know what’s critical and urgent to respond to in a timely manner.

Here’s a few critical findings that have led to real ransomware attacks that your IT team should look out for:

Potentially Malicious PowerShell Commands – Windows PowerShell commands and scripts are often abused by threat actors during an attack, before ransomware infection. They can be hard to detect and blend into legitimate administrative behaviors. However, if you see this finding, it’s important to investigate immediately and reach out to Blumira (if we haven’t already contacted you) for additional help.

PowerShell Malicious Execution Detection: Cobalt StrikeCobalt Strike is software that was created for Adversary simulations and red team operations. While it’s not commonly seen outside of red team or penetration test engagements, parts of this software can be used for malicious purposes.

Authentications From Outside of the U.S. – While not quite as critical as detecting malicious PowerShell commands and Cobalt Strike software, paying attention to a large number of suspicious login attempts coming from outside of your typical geographical region (especially if you do not have international employees) can be an initial indicator of threat actors attempting to access your environment.

RDP Connection From Public IP – This is a common way for attackers to gain initial access to your network using Remote Desktop Protocol (RDP), a Microsoft standard used to connect to computers remotely. It’s one of the most popular ransomware attack vectors, used in 50% of ransomware deployment cases (Unit 42 report). However, if left unsecured and exposed to the internet, which may unintentionally happen due to misconfigurations, RDP connections can be easily exploited by attackers to gain direct access and control over your systems.

Improving Your Time to Respond

Many security solutions, including security information and event management (SIEM) tools, are so complex they can take several months to deploy, lack essential detection and response capabilities, and require highly-skilled security teams. As a result, organizations often give up on SIEM projects altogether, leaving critical security coverage gaps.

To help alleviate this problem, Blumira has released Cloud Connectors, a feature that speeds up typical SIEM deployment time from months to minutes, allowing small IT teams to set up cloud security quickly.

cloud connectors

We’ve made it easy to:

  • Focus on real security threats – Our detection engineers proactively write rules, test and pre-tune our platform to reduce the number of false positives and alert fatigue for your team. Our platform’s advanced threat detection prioritizes findings so you know what’s critical and urgent to focus on.
  • Respond faster in three steps – We send you pre-built playbooks with every finding to provide next steps for threat response, and automatically block known threats through dynamic blocklists. Our security operations team is available 24/7 for urgent priority issues to help you with investigation and guided response.
  • Get security expertise – Instead of building your own costly in-house SOC (security operations center), you can reach out to Blumira’s security operations team for ongoing advice and consultations to help you understand what you need to log for security visibility and how to continuously grow your overall security maturity.

Blumira is focused on providing better security outcomes by making security accessible to organizations of all sizes. Try it out today with a free trial.

Security news and stories right to your inbox!