How Ransomware is Reducing the Window of Response - Image by Pete Linforth from PixabayRansomware attacks are now increasingly politically, as well as economically, motivated. We have seen major attacks against both The Guardian broadsheet newspaper and The Royal Mail postal service over the past six months. While some ransomware groups target businesses with over £20 million in cash-in-the-bank assets, there‘s also been an uptick in those targeting the low-hanging fruit of small businesses.

These reasons are why the UK is going against the universal trend that has seen ransomware attacks fall. Two reports chart an increase in attacks on UK organisations. The 2023 SonicWall Cyber Threat Report found that ransomware dipped 21% globally. However, it rose in Europe by 70% and in the UK by a staggering 112%. Similarly, the UK Ransomware Trends: Lessons for 2023 report found that UK attacks were up 17% in 2022, with initial signs indicating the rise is set to continue through 2023.

Perhaps most alarmingly of all is the news that attackers are getting faster and more focused. The ransomware window, that is the time taken from the initial compromise to the deployment of the ransomware and encryption of data, has shrunk from five days in 2021 to 4.5 days in 2022.

Additionally, dwell time, i.e. the time spent on the company network, has halved from 22 days to 11, according to the Zero to ’22 Emerging Threats Report. It means that ransomware operators are getting much more efficient at getting in and getting out. But it also has repercussions for defence. It means that organisations will have less time to detect and mitigate these attacks. So, how is ransomware changing, and what can businesses do to shrink their Mean Time To Respond (MTTR) and beat back these attacks?

The commercialisation of ransomware

Ransomware is big business. Ransomware-as-a-Service (RaaS) enables operators to buy access to networks and payloads. It lowers the barriers to entry, allowing less skilled attackers to carry out successful ransomware attacks. Estimates suggest the average ransomware payout is between 1.4-2% of company turnover (although there are other indirect costs and impacts such as loss of revenue and loss of customers. It makes ransomware costly to the business and highly lucrative for the attacker.

On the dark web, ransomware strains can easily be purchased using a license valid for one, two or six months. Its move to the mainstream has seen complex botnets and DIY off-the-shelf software such as Cobalt Strike fall out of favour. Instead, ransomware groups collaborate to develop new loaders to deliver ransomware within payloads.

There are also now multiple ways to monetise the data beyond simply holding it ransom (single extortion). Attackers can threaten to publish the data publicly (double extortion). They may also contact the victims named or affected by the sensitive data in their possession with the threat of going public (triple extortion).

The operator may even resort to threatening to take down their public-facing servers as well (quadruple extortion). Some attackers may seek to auction off confidential data on the dark web. Adversarial nation-states have been known to blend ransomware with destructive attacks to disrupt operations.

Focus not on the group but on the TTPs

Keeping on top of ransomware developments means monitoring the dominant malware strains and their tactics, techniques and procedures (TTPs) rather than focusing on ransomware groups that can tend to rise, fall or regroup.

According to the Cyber Security Report 2022, the top strains last year were Emotet, Formbook and AgentTesla. Interestingly, Bazaar, a near real-time site, listed the top variants as AgentTesla, Formbook and Snakelogger at the time of writing. These are all info-stealers. They seek to capture sensitive data such as credentials and user actions by recording screens, keylogging or stealing credentials from browsers and mail clients. The data is then exfiltrated using various techniques to evade detection.

The rise of the popular AgentTesla is due to its ability to extract data from numerous browsers and mail clients. It also utilises various protocols to exfiltrate the data. The malware is typically spread via phishing attacks. It uses email attachments such as MS Office documents with malicious macros or Remote Code Execution (RCE) to known common vulnerabilities and exposures (CVEs). It also adopts obfuscation techniques such as software packing [MITRE ATT&CK T1027.002] and encoded payloads [T1027] to evade defence.

Following download, AgentTesla uses persistence. It places itself in start-up folders or under Registry RUN keys to ensure it maintains access to systems. That allows it to defy defensive measures such as system restarts, changed user credentials or other interruptions.

It then scrolls through a list of browsers, mail and VPN clients. When it finds one, it goes about exfiltrating the data held within. Ransomware usually tries to repackage data and send it via specific channels to evade detection. In the case of AgentTesla, these channels take the form of SMTP, FTP, Telegram and Discord.

Ransomware attack cycles

All ransomware attacks cycle through the same set of stages:

  • Initial access
  • Execution
  • Persistence
  • Privilege escalation
  • Defence evasion
  • Credential access
  • Discovery
  • Lateral movement
  • Exfiltration of data to a Command and Control centre using a web channel.

Therefore, understanding the behaviour of malware and its infection chain can enable the organisation to detect and mitigate the attack at these various stages.

Once the behaviour has been detected, alerts can be automatically generated and sent to users. It enables them to halt the virus’s propagation. At the same time, the security team will want to isolate the infected systems from the network, remove the ransomware, and then restore operations using secure backup. But doing this manually is nigh impossible. It requires the team to identify an attack from a sea of alerts coming into the SIEM and to take action before the attack can unfold.

Detecting indicators of compromise

Prevention through user education is the ideal when it comes to battling ransomware. But the reality is that these attacks have a massively high success rate. 71% of companies were affected by attacks last year worldwide. Because of this human fallibility, organisations must pour their efforts into automated detection to arrest the attack. Time really is of the essence.

Technology such as Security Orchestration, Automation and Response (SOAR) can greatly accelerate response times. SOAR solutions centralise all cyber incidents and associated data in one location, correlating that data with contextual threat intelligence.

While much of this data is collected internally, external inputs can also be incorporated. These come from third-party sources, open-source, industry and government, and commercial providers. It offers security analysts and CISOs a complete picture of the threat landscape, including evolving ransomware threats.

SOAR playbooks help to deal with attacks

SOAR uses predefined playbooks, which are continually revised and updated to deal with specific threat scenarios. For instance, in the case of an AgentTesla ransomware attack, this would trigger a playbook to hunt, contain and terminate the threat.

The playbook runs through a series of automated actions, from identifying incident parameters (file hash, IP, domain, sender, receiver, and subject) to querying the Security Incident and Event Management (SIEM) solution. In concert with the SIEM, it can identify affected endpoints, isolate them and block the ransomware before terminating associated processes and services and resetting user credentials.

Given the increasingly rapid way in which ransomware operators can execute these attacks, not to mention their specific focus on the UK, it is clear that organisations will need to up their game. Security teams must automate response using SOAR integrated with the SIEM to decrease MTTR.

Automated defence enables an instantaneous response that can make all the difference between surviving or succumbing to an attack. In doing so, it prevents the business from becoming just another one of those worrying statistics.

Logpoint is the creator of a reliable, innovative cybersecurity operations platform — empowering organisations worldwide to thrive in a world of evolving threats. By combining sophisticated technology and a profound understanding of customer challenges, Logpoint bolsters security teams’ capabilities while helping them combat current and future threats.

Logpoint offers SIEM, UEBA, SOAR and Business-Critical Security technologies in a complete platform that efficiently detects threats, minimises false positives, autonomously prioritises risks, responds to incidents, and much more.

Headquartered in Copenhagen, Denmark, with offices around the world, Logpoint is a multinational, multicultural, and inclusive company. For more information, visit


Please enter your comment!
Please enter your name here