2022-06-07

Analysis of Attack Ransomware Timelines

Industry: N/A | Level: Tactical | Source: IBM X-Force

IBM X-Force has collected data from ransomware investigations, analyzing attack timelines between 2019 and 2021. The combination of the initial access broker economy and attackers' proficiency in obtaining privileged access, often aided by vulnerabilities such as Zerologon, has greatly reduced the time needed to initiate and complete ransomware attacks. Overall, a 94.34% reduction in attack time was found from 2019 to 2021. In 2019 the average attack timeline took two or more months, and it has since fallen to mere days: the average time needed was only 9.5 days in 2020 and less than half that, 3.85 days, in 2021. The tools most used in these attacks were Mimikatz, Cobalt Strike and PsExec, with reliance also on RDP. In 2021, Mimikatz was still relied upon, but credential acquisition through the Local Security Authority Subsystem Service (LSASS) was favored.

Anvilogic Use Cases:

  • Mimikatz
  • RDP Connection
  • RDP Logon/Logoff Event
  • Remote Admin Tools
  • ZeroLogon CVE-2020-1472
  • Common LSASS Memory Dump Behavior
  • Command Line lsass request
  • RDP Hijacking
  • Windows Admin$ Share Access
  • Windows C$ Share Access
  • Cobalt Strike Beacon
  • regsvr32 Execution
