Ransomware attacks on enterprises take place mostly over the weekend or after working hours, according to a new FireEye study.
The latest report from cyber-security firm FireEye reveals that 27% of all ransomware attacks take place during the weekend or the night. Nearly 50% of ransomware attacks targeting the enterprise sector occur after working hours during weekdays. The vast majority occur outside normal working hours, during the night or over the weekend.
The report found that 76% of all ransomware infections in the enterprise sector take place outside working hours. It was compiled from dozens of ransomware incident response investigations from 2017 to 2019. The report cited the absence of most IT staff at night or over the weekend as the biggest reason for ransomware attacks occurring during those times.
According to the report, the majority of these ransomware attacks follow a prolonged network compromise and intrusion. The "dwell time", the time from initial compromise to the actual ransomware attack, is three days on average. In all of the cases, the ransomware was triggered by the attacker rather than automatically once a network was infected. Most ransomware attackers are in full control of their ransomware strains and deliberately choose the most suitable time to lock down a network. According to the report, human-operated ransomware attacks have gone up 860% since 2017. These incidents have affected major sectors across the globe.
Some of the most common infection vectors in these ransomware attacks were:
- Brute-force attacks against workstations with Remote Desktop Protocol (RDP)
- Spear-phishing against employees, then using one infected host to spread further
- Employees visiting a malicious website and downloading malware-infected files
FireEye is urging companies to invest in deploying detection rules for spotting attackers during their "dwell time." A report from Emsisoft revealed that ransomware cyber-attacks recorded a surge of 41% in 2019, with 205,280 enterprises having lost access to hacked files. To reduce the damage and cost of a ransomware infection, network defenders need to detect and remediate the initial compromise as early as possible.
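One way to express a dwell-time detection rule for the RDP brute-force vector listed above, as an added example that is not from the FireEye report or this article: it flags an RDP logon that succeeds right after a burst of failures from the same source and marks whether it happened outside working hours. The business-hours window, the failure threshold and the sample events are assumptions constructed for illustration; the event IDs follow the Windows Security log (4625 failed logon, 4624 successful logon, logon type 10 for RDP).

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumptions for this example (not from the report): business hours are
# Mon-Fri 08:00-18:00 local time; 5 failures within 10 minutes is a burst.
WORK_START, WORK_END = 8, 18
FAIL_THRESHOLD = 5
WINDOW = timedelta(minutes=10)

def off_hours(ts):
    """True for weekends and for weekday times outside business hours."""
    return ts.weekday() >= 5 or not (WORK_START <= ts.hour < WORK_END)

def detect(events):
    """Return alerts for RDP logons that succeed right after a failure burst.

    events: (iso_timestamp, event_id, logon_type, source_ip, user) tuples.
    """
    failures = defaultdict(deque)  # source_ip -> timestamps of recent failures
    alerts = []
    for raw_ts, event_id, logon_type, src, user in sorted(events):
        if logon_type != 10:       # only RemoteInteractive (RDP) logons
            continue
        ts = datetime.fromisoformat(raw_ts)
        recent = failures[src]
        while recent and ts - recent[0] > WINDOW:
            recent.popleft()       # drop failures older than the window
        if event_id == 4625:
            recent.append(ts)
        elif event_id == 4624 and len(recent) >= FAIL_THRESHOLD:
            alerts.append({"time": raw_ts, "source": src, "user": user,
                           "failures": len(recent), "off_hours": off_hours(ts)})
            recent.clear()
    return alerts

# Constructed sample events (documentation IP ranges, made-up accounts).
SAMPLE = (
    [(f"2019-06-08T02:1{i}:00", 4625, 10, "203.0.113.7", "admin") for i in range(6)]
    + [("2019-06-08T02:16:30", 4624, 10, "203.0.113.7", "admin"),    # Saturday night
       ("2019-06-10T09:05:00", 4625, 10, "198.51.100.4", "jsmith"),  # single mistype
       ("2019-06-10T09:05:40", 4624, 10, "198.51.100.4", "jsmith"),
       ("2019-06-10T23:00:00", 4624, 2, "-", "svc_backup")]          # not RDP
)

if __name__ == "__main__":
    for alert in detect(SAMPLE):
        print(alert)
```

An alert with `off_hours` set is the case the report describes: a compromise that begins when few staff are watching, which is why such alerts need an on-call route rather than a next-business-day queue.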