

Attacker’s Top Choice for Cyber Extortion

Ransomware is one of the most active and profound threats facing organizations today, across all industries and sizes. Years after the WannaCry attacks shuttered businesses across the globe, stealthy ransomware infections continue to dominate headlines and business discussions.

The term ransomware refers to the malware used for encrypting files and entire systems. However, it has largely transformed to indicate a category of financially motivated attacks that leverage victim extortion.

The impact of a successful ransomware deployment includes both technical and non-technical challenges and can be crippling to business operations. Modern day attackers have developed advanced techniques that now require a holistic security risk mitigation strategy from the board to practitioners.

How We Can Help

Mandiant possesses incident response, threat intelligence and managed detection and response expertise that equips us with a deep understanding of how ransomware operators gain initial access, compromise credentials, and laterally move to stage and deploy ransomware for mass impact.

Mandiant offers ransomware solutions that bolster both your preparedness and your defenses to mitigate this proliferating attack vector. With our proactive assessments, response and remediation services, system hardening guidance, and threat hunting techniques, we help you outmaneuver ransomware attackers and stop them in their tracks.

Ransomware Attack Trends

The Evolution of Ransomware

Ransomware threats emerged in 2013, with CryptoLocker being the first form of what is a growing threat today. Attackers continuously adapt their distribution methods and mimic one another's tactics to find which approach is most profitable.

Hear our expert discuss the history of ransomware from the emergence of this threat to modern day attack activity.

Ransomware Intrusion Activity

Ransomware involves a sophisticated collaboration of threat actors (actual people behind their keyboards) across an attack lifecycle. Who are these specific individuals behind the operation? Modern day ransomware has come to mirror an assembly line, with various people involved in different phases of the attack.

Ransomware Intrusion Activity Trends

Hear our expert describe intrusion activity around the MAZE ransomware attack.

Key incident response ransomware data points

The following trends are commonly seen by our frontline incident response experts when investigating and remediating ransomware.

Median Dwell Time for Ransomware Attacks (in Days)

[Chart: median dwell time for ransomware attacks]

The median dwell time for ransomware attacks is 72.75 days, in comparison to all threats at 56 days (including ransomware).

Popular Days of the Week for Ransomware Deployment

[Chart: popular days of the week for ransomware deployment]

Days of the week highlighted above represent when deployment and execution of the ransomware attack begins, not when the attacker gains initial access.

Minimize Risk and Reduce Ransomware Dwell Time
Managed Defense: Drop your Ransomware Dwell Time

Focus on attacker behavior to reduce the average dwell time of a strategic ransomware actor from 72 days to only 24 hours or less.

Common Ransomware Types and Deployment Methods

Three Types of Ransomware

  1. Indiscriminate attacks that leverage a self-propagation or worm-like capability to continually redeploy malware.
  2. Targeted attacks manually executed by criminal organizations and more sophisticated threat actors. These typically follow the attack lifecycle and often leverage trusted applications that live in the customer environment to reduce the risk of detection (e.g., PsExec, PowerShell).
  3. Ideologically motivated attacks whose purpose is to cause significant business disruption, without a deep interest in collecting payment.

Top Deployment Methods

Installed Service
Manual via RDP
