This is how long hackers will hide in your network before deploying ransomware or being spotted

Any time is too long, but hackers are finding ways to wander through networks unseen for longer than you might expect.

Cyberattackers on average have 11 days after breaching a target network before they're being detected, according to UK security firm Sophos – and often when they are spotted it's because they've deployed ransomware.

As Sophos researchers note in a new report, that's more than enough time for an attacker to get a thorough overview of what a target network looks like, where its weaknesses lie, and for ransomware attackers to wreck it. 

Sophos' data, based on its responses to customer incidents, suggests a much shorter "dwell time" for attackers than data from FireEye's incident response team, Mandiant. Mandiant recently reported the median time-to-detection was 24 days, which was an improvement on previous years. 

SEE: Network security policy (TechRepublic Premium)

Sophos explains the relatively short dwell time in its incident response data is because a whopping 81% of incidents it helped customers with involved ransomware – a noisy attack that immediately triggers alarms for tech departments. So while shorter dwell times might indicate an improvement in so-called security posture, it might also be just because file-encrypting ransomware is a disruptive attack compared to data theft. 

"To put this in context, 11 days potentially provide attackers with approximately 264 hours for malicious activity, such as lateral movement, reconnaissance, credential dumping, data exfiltration, and more. Considering that some of these activities can take just minutes or a few hours to implement, 11 days provide attackers with plenty of time to do damage," notes Sophos in its Active Adversary Playbook 2021 report. 

The vast majority of incidents Sophos responded to were ransomware attacks, suggesting the scale of the problem. Other attacks include stealing data, cryptominers, banking trojans, data wipers, and the use of penetration testing tools like Cobalt Strike.

Another notable point is the widespread use by attackers of Remote Desktop Protocol (RDP) with about 30% of attacks starting with RDP and 69% of subsequent activity being conducted with RDP. Phishing, on the other hand, was the entry point for just 12% of attacks, while 10% of attacks involved exploiting an unpatched system. 

Attacks on RDP endpoints have long been used to initiate ransomware attacks and are far more common than exploits against VPNs. Several security firms ranked RDP as the top intrusion vector for ransomware incidents in 2020. Security firm ESET reported remote working had seen a nearly 800% spike in RDP attacks in 2020.     

"RDP played a part in 90% of attacks. However, the way in which attackers used RDP is worth noting. In incidents that involved RDP, it was used for external access only in just 4% of cases. Around a quarter (28%) of attacks showed attackers using RDP for both external access and internal movement, while in 41% of cases, RDP was used only for internal lateral movement within the network," Sophos threat researchers note. 

Sophos also compiled a list of the most widely observed ransomware groups. DarkSide, a newish but professional ransomware service provider that started activity in mid-2020, only accounted for 3% of cases Sophos investigated through 2020. It's in the spotlight because of the attack on Colonial Pipeline, which reportedly paid $5 million to the group

DarkSide offers its ransomware as a service to other criminal groups who distribute the ransomware, much like the REvil ransomware gang does. REvil was in the spotlight last year because of attacks on government and healthcare targets plus for its high ransom demands that averaged about $260,000.  

SEE: This malware has been rewritten in the Rust programming language to make it harder to spot

According to Sophos, REvil (aka Sodinokibi) was the most active ransomware threat in 2020 along with Ryuk, which, according to some estimates, has earned $150 million through ransomware

Other significant ransomware players including Dharma, Maze (defunct), Ragnarok, and Netwalker (defunct).  

US president Joe Biden last week said he discussed the Colonial ransomware attack with Moscow, and suggested Russia should take "decisive action" against these attackers. The US believes DarkSide is based in Russia but not connected to the Russian government.  

"We have been in direct communication with Moscow about the imperative for responsible countries to take decisive action against these ransomware networks," said Biden on May 13.