Attacker dwell time: Ransomware’s most important metric

Ransomware remains one of the most pervasive and insidious security threats to enterprise organizations. In 2020 alone, dozens of brands, from Garmin to Jack Daniels, have been forced to disclose that their networks were breached and their data encrypted by a motley crew of global criminal organizations.

While much of the attention around ransomware attacks has focused on the methods by which threat actors worm their way inside the network, one critical aspect of these attacks is often overlooked: attacker dwell time, which represents the length of time an interloper remains undetected inside the network.

For the better part of the last decade, the majority of ransomware attacks were of the smash-and-grab variety in which the successfully deployed malicious file would encrypt as many files and machines as quickly possible before revealing itself in the form of a lock screen. More recently, ransomware operators are sticking around, lurking in the network shadows to conduct reconnaissance and patiently lying in wait in order to identify higher-value assets to compromise.

While the average attack dwell time for ransomware is relatively brief compared to other malware strains — 43 days on average for ransomware versus months or even years for more persistent threats — each passing day that it remains undetected presents an attacker with new opportunities to unleash their wrath and line their pocketbooks.

A New Generation of Emboldened Attackers
Over the past decade, ransomware has become the preferred malware vehicle for hackers and criminal organizations alike. Not only are there tens of thousands of variants that security teams need to defend against, but the threat actors themselves are no longer following the same playbook.

To read the complete article, visit Dark Reading.