Ransomware: from Entry to Ransom in Under 45 Minutes
Ransomware gangs are performing wide-ranging internet scans to find vulnerable systems and then accelerating attacks to just minutes to capitalize on COVID-19, Microsoft has warned.
Corporate VP of customer security and trust, Tom Burt, revealed the findings in a blog post introducing the firm's Digital Defense Report yesterday.
He claimed that threat actors have "rapidly increased sophistication" over the past year, with ransomware the number one reason for Microsoft incident response between October 2019 and July 2020.
"Attackers have exploited the COVID-19 crisis to reduce their dwell time within a victim's system – compromising, exfiltrating data and, in some cases, ransoming quickly – apparently believing that there would be an increased willingness to pay as a result of the outbreak. In some instances, cyber-criminals went from initial entry to ransoming the entire network in under 45 minutes," Burt explained.
"At the same time, we also see that human-operated ransomware gangs are performing massive, wide-ranging sweeps of the internet, searching for vulnerable entry points, as they 'bank' access – waiting for a time that is advantageous to their purpose."
Attackers have also become more sophisticated in performing reconnaissance on high-value targets so that they appear to know when certain factors like holidays will reduce the victim organization's chances of patching, or otherwise hardening their networks.
They're also aware of how billing cycles operate in certain industries, and thus when specific targets may be more willing to pay, Burt claimed.
In total, Microsoft blocked over 13 billion malicious and suspicious emails in 2019, over one billion of which contained phishing URLs. Phishing now comprises over 70% of attacks, although the volume of COVID-related threats has dropped significantly from a peak in March, it said.
This isn't the only threat to home workers: Microsoft said it also saw an increase in brute force attacks on enterprise accounts in the first half of the year and urged widespread use of multi-factor authentication (MFA).
Burt said nation-state actors have also been changing their tactics of late, shifting targets to healthcare providers and vaccine researchers, public policy think tanks and NGOs. Although each group has their preferred techniques, reconnaissance, credential harvesting, malware and virtual private network (VPN) exploits were most common over the past year, said Burt.
News source: https://www.infosecurity-magazine.com/