Cyber-criminals have been observed disabling or wiping out logs in 82% of incidents. The findings come from the latest report from Sophos, which dissected the intricacies of these attacks, shedding light on the speed with which ransomware assaults are now executed, often within hours.
The report, published today and based on 232 Sophos incident response (IR) cases across 25 sectors from January 1 2022 to June 30 2023, provides an overview of the tactics, techniques and procedures (TTPs) deployed by active adversaries.
“Time is critical when responding to an active threat; the time between spotting the initial access event and full threat mitigation should be as short as possible. The farther along in the attack chain, an attacker makes it, the bigger the headache for responders,” said John Shier, field CTO at Sophos.
“Missing telemetry only adds time to remediations that most organizations can’t afford. This is why complete and accurate logging is essential, but we’re seeing that, all too frequently, organizations don’t have the data they need.”
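As an added illustration that is not part of the article or the Sophos report, the script below shows the sort of telemetry check the quote argues for: it scans constructed JSON-lines event records for Windows event IDs that signal logs were cleared or auditing was reconfigured, and applies the report's five-day dwell-time split to a pair of timestamps. The event IDs, field names and sample records are assumptions for the example, not values taken from the report.

```python
import json
from datetime import datetime, timedelta

# Windows event IDs that indicate logging was cleared, stopped or reconfigured.
# Assumption: these are the telemetry-loss signals worth alerting on; the report
# itself does not enumerate specific IDs.
LOG_TAMPER_IDS = {
    1102: "Security log cleared",
    104: "System/Application log cleared",
    1100: "Event logging service shut down",
    4719: "System audit policy changed",
}

# Constructed sample telemetry, JSON lines as a SIEM forwarder might emit them.
SAMPLE_EVENTS = """
{"ts": "2023-03-01T02:10:00Z", "host": "fs01", "event_id": 4624, "user": "svc_backup"}
{"ts": "2023-03-01T02:12:30Z", "host": "fs01", "event_id": 4719, "user": "svc_backup"}
{"ts": "2023-03-03T23:40:11Z", "host": "dc01", "event_id": 1102, "user": "svc_backup"}
{"ts": "2023-03-03T23:41:05Z", "host": "dc01", "event_id": 104,  "user": "svc_backup"}
{"ts": "2023-03-10T08:00:00Z", "host": "fs01", "event_id": 4688, "user": "jdoe"}
"""

def parse_events(raw):
    """Parse JSON lines into dicts whose 'ts' field is a timezone-aware datetime."""
    events = []
    for line in raw.strip().splitlines():
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return events

def find_log_tampering(events):
    """Return (timestamp, host, description) for every log-tampering event, oldest first."""
    hits = [(ev["ts"], ev["host"], LOG_TAMPER_IDS[ev["event_id"]])
            for ev in events if ev["event_id"] in LOG_TAMPER_IDS]
    return sorted(hits)

def classify_dwell(first_seen, last_seen, fast_max_days=5):
    """Apply the report's split: a dwell time of five days or less is a 'fast' attack."""
    dwell = last_seen - first_seen
    label = "fast" if dwell <= timedelta(days=fast_max_days) else "slow"
    return dwell.days, label

if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for ts, host, what in find_log_tampering(evs):
        print(f"{ts.isoformat()} {host}: {what}")
    print(classify_dwell(evs[0]["ts"], evs[-1]["ts"]))
```

In practice the gap between the first tampering hit and the last healthy event from that host is itself a useful signal: a source that falls silent right after a 1102 or 1100 is the missing telemetry the quote describes.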
In their analysis, Sophos categorized ransomware attacks based on dwell time, with attacks lasting five days or less labeled as “fast attacks,” constituting 38% of the cases examined. The remaining 62% are categorized as “slow” attacks, with a dwell time exceeding five days.
Comparing fast and slow ransomware attacks more closely, Sophos found minimal variation in the tools, techniques and living-off-the-land binaries (LOLBins) that attackers deployed.
This suggests that defenders may not need to overhaul their defensive strategies as dwell time decreases. However, defenders must also recognize that swift attacks and a lack of telemetry can impede rapid response times, potentially leading to increased damage.
“Cyber-criminals only innovate when they must, and only to the extent that it gets them to their target. Attackers aren’t going to change what’s working, even if they’re moving faster from access to detection,” Shier added.
The executive mentioned that organizations can maintain their current defensive strategies as attackers accelerate, as the same defenses effective against fast attacks apply universally. This includes comprehensive telemetry, robust protections and widespread monitoring.
“The key is increasing friction whenever possible – if you make the attackers’ job harder, then you can add valuable time to respond, stretching out each stage of an attack,” Shier concluded.