"The first evidence that something was amiss was on December 22, when an attacker-controlled workstation had access to an account for over nine minutes. Six days later, on December 28, an admin account was seen moving fast, dumping credentials, and encrypting endpoints. During t…"
Which technique(s) should be tagged here? Pick zero or more — leaving blank just records that the original was wrong.
T1486 Data Encrypted for Impact (98%)
"by certain signals, like a triggered ransomware canary indicating that data has been encrypted on a machine, or suspicious arguments via WMI that could indicate lateral movement. While these gave us an understanding of where the ransomware actor was at that point in time during t…"
T1486 Data Encrypted for Impact (98%)
"Black Basta carried out fewer than 10 actions, on average. Many times, these differences can be explained by threat actors' motives and how they approach attacks. Actors like Play and RansomHub, for instance, go into an environment knowing exactly what they need to do to move as…"
T1486 Data Encrypted for Impact (98%)
", where we hunted through activity logs to: - identify events linked to ransomware and then find the point of initial access or first signs of observed malicious activity, whether that's through unauthorized account access via stolen credentials or through brute force attacks…"
T1486 Data Encrypted for Impact (97%)
"how they strategize and prepare for these types of attacks. What time-to-ransom tells us about ransomware groups. Why is time-to-ransom important to track? Let's take a step back and look at what this metric actually tells us. Time-to-ransom is measured in the averag…"
T1486 Data Encrypted for Impact (95%)
"Time to ransom is money. Ransomware actors have one primary goal: bringing in money. But the way that they do it varies from attack to attack. Before they actually trigger the ransomware payload, some threat actors might try to make it harder to root out their activity or kick th…"
T1486 Data Encrypted for Impact (92%)
"have smaller networks. That might impact the timeframe for ransomware incidents that we see: lateral movement, for example, looks different on a smaller network compared to how it might look on bigger enterprise networks. No incident is alike, and differences within the attacks …"
T1486 Data Encrypted for Impact (90%)
"after ransomware attacks at US businesses was 24 days. That means an hours-long attack could lead to a weeks-long disruption on a victim's end. As we've laid out above, many ransomware actors rely on tried-and-true methods for their attacks, and businesses need to be …"
T1550.002 Pass the Hash (81%)
"-to-ransom frame. In this incident, the threat actor targeted a technology company and deployed the Akira ransomware. The first inklings of activity linked to the threat actor was from a legitimate account with stolen credentials, from a known, attacker-controlled workstatio…"
T1657 Financial Theft (80%)
"Time to ransom is money. Ransomware actors have one primary goal: bringing in money. But the way that they do it varies from attack to attack. Before they actually trigger the ransomware payload, some threat actors might try to make it harder to root out their activity or kick th…"
T1486 Data Encrypted for Impact (73%)
"-to-ransom frame. In this incident, the threat actor targeted a technology company and deployed the Akira ransomware. The first inklings of activity linked to the threat actor was from a legitimate account with stolen credentials, from a known, attacker-controlled workstatio…"
T1080 Taint Shared Content (72%)
", where we hunted through activity logs to: - identify events linked to ransomware and then find the point of initial access or first signs of observed malicious activity, whether that's through unauthorized account access via stolen credentials or through brute force attacks…"
T1003 OS Credential Dumping (64%)
"-to-ransom frame. In this incident, the threat actor targeted a technology company and deployed the Akira ransomware. The first inklings of activity linked to the threat actor was from a legitimate account with stolen credentials, from a known, attacker-controlled workstatio…"
T1021.001 Remote Desktop Protocol (63%)
"-to-ransom frame. In this incident, the threat actor targeted a technology company and deployed the Akira ransomware. The first inklings of activity linked to the threat actor was from a legitimate account with stolen credentials, from a known, attacker-controlled workstatio…"
T1078 Valid Accounts (49%)
", where we hunted through activity logs to: - identify events linked to ransomware and then find the point of initial access or first signs of observed malicious activity, whether that's through unauthorized account access via stolen credentials or through brute force attacks…"
T1078 Valid Accounts (44%)
"-to-ransom frame. In this incident, the threat actor targeted a technology company and deployed the Akira ransomware. The first inklings of activity linked to the threat actor was from a legitimate account with stolen credentials, from a known, attacker-controlled workstatio…"
T1490 Inhibit System Recovery (39%)
"Time to ransom is money. Ransomware actors have one primary goal: bringing in money. But the way that they do it varies from attack to attack. Before they actually trigger the ransomware payload, some threat actors might try to make it harder to root out their activity or kick th…"
T1021.001 Remote Desktop Protocol (33%)
", where we hunted through activity logs to: - identify events linked to ransomware and then find the point of initial access or first signs of observed malicious activity, whether that's through unauthorized account access via stolen credentials or through brute force attacks…"
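The excerpts above describe the measurement behind the page's metric: hunt through activity logs, find the first sign of attacker activity (a logon with stolen credentials, a brute-force success), find the point where the ransom fires (a ransomware canary, a ransom note), and take the difference, then count how many attacker actions sat in between. The following is an added example of that computation, not code from the page or from the report the excerpts quote. Every host, account, timestamp, event name and log line is constructed for illustration; the log format and the mapping of the constructed event names onto the ATT&CK IDs tagged on the page (T1078, T1003, T1021.001, T1490, T1486) are assumptions of this example. It also handles the two cases a real dataset produces that the average must not swallow: an incident where the canary fired with no earlier visibility, and one where activity was seen but no ransom has fired.

```python
"""Time-to-ransom from activity logs.

Added example for this page; it is not code from the page or from the
report the excerpts quote. Every host, account, timestamp, event name and
log line below is constructed for illustration, and the mapping of those
event names onto ATT&CK technique IDs is an assumption of this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Events that count as observed attacker activity (initial access or the
# earliest attacker action visible in the logs). IDs follow the tags on the
# page; WMI lateral movement carries no tag there, so it gets none here.
ACTIVITY_SIGNALS = {
    "logon_from_attacker_workstation": "T1078",  # Valid Accounts (stolen credentials)
    "brute_force_success": "T1078",
    "credential_dump": "T1003",                  # OS Credential Dumping
    "rdp_lateral": "T1021.001",                  # Remote Desktop Protocol
    "wmi_remote_process_create": None,           # suspicious WMI arguments, lateral movement
    "shadow_copy_delete": "T1490",               # Inhibit System Recovery
}
# Events that mark the ransom as triggered.
RANSOM_SIGNALS = {
    "ransomware_canary_triggered": "T1486",      # Data Encrypted for Impact
    "ransom_note_written": "T1486",
}

# Constructed log format: "<ISO-8601 UTC timestamp> key=value key=value ...".
LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)\s+(?P<kv>.+)$")

# Constructed sample. Incident A is modelled on the December 22 / December 28
# timeline the page quotes; the year, times, hosts and accounts are invented.
SAMPLE_LOG = [
    "2024-12-22T09:14:00Z incident=A host=WS-ATTACKER user=svc_backup event=logon_from_attacker_workstation",
    "2024-12-28T02:10:00Z incident=A host=DC-01 user=admin event=credential_dump",
    "2024-12-28T02:25:00Z incident=A host=FS-01 user=admin event=rdp_lateral",
    "2024-12-28T02:40:00Z incident=A host=FS-01 user=admin event=shadow_copy_delete",
    "2024-12-28T03:14:00Z incident=A host=FS-01 user=admin event=ransomware_canary_triggered",
    # Incident B: a fast, scripted intrusion of the kind the page contrasts with A.
    "2025-01-06T22:00:00Z incident=B host=VPN-GW user=contractor event=brute_force_success",
    "2025-01-07T01:30:00Z incident=B host=SRV-02 user=contractor event=wmi_remote_process_create",
    "2025-01-07T04:00:00Z incident=B host=SRV-02 user=contractor event=ransom_note_written",
    # Incident C: the canary fired but nothing earlier was logged (visibility gap).
    "2025-01-10T12:00:00Z incident=C host=WS-07 user=alice event=ransomware_canary_triggered",
    # Incident D: activity seen, no ransom yet (still in progress or contained).
    "2025-01-12T08:00:00Z incident=D host=WS-09 user=bob event=logon_from_attacker_workstation",
]


def parse_line(line):
    """Parse one constructed log line into a dict with a datetime under 'ts'."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    fields = {}
    for token in m.group("kv").split():
        key, sep, value = token.partition("=")
        if not sep:
            raise ValueError(f"field without '=' in line: {line!r}")
        fields[key] = value
    fields["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return fields


def time_to_ransom(lines):
    """Per incident: first observed activity, ransom time, their difference, and
    the number of logged attacker actions before the ransom fired.

    'delta' is None when the ransom has not fired or when no activity was seen
    before it (visibility gap); such incidents are excluded from the average
    rather than silently counted as zero.
    """
    by_incident = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        by_incident[ev["incident"]].append(ev)

    results = {}
    for incident, events in by_incident.items():
        events.sort(key=lambda e: e["ts"])
        activity = [e for e in events if e["event"] in ACTIVITY_SIGNALS]
        ransom = [e for e in events if e["event"] in RANSOM_SIGNALS]
        first = activity[0]["ts"] if activity else None
        hit = ransom[0]["ts"] if ransom else None
        usable = first is not None and hit is not None and first <= hit
        results[incident] = {
            "first_activity": first,
            "ransom": hit,
            "delta": (hit - first) if usable else None,
            "actions_before_ransom": sum(1 for e in activity if hit is not None and e["ts"] < hit),
        }
    return results


def average_time_to_ransom(results):
    """Mean delta over incidents that have one; None if no incident qualifies."""
    deltas = [r["delta"] for r in results.values() if r["delta"] is not None]
    if not deltas:
        return None
    return sum(deltas, timedelta()) / len(deltas)


if __name__ == "__main__":
    res = time_to_ransom(SAMPLE_LOG)
    for incident, r in sorted(res.items()):
        ttr = f"{r['delta'].total_seconds() / 3600:.1f} h" if r["delta"] is not None else "n/a"
        print(f"incident {incident}: time-to-ransom {ttr}, "
              f"actions before ransom {r['actions_before_ransom']}")
    avg = average_time_to_ransom(res)
    print(f"average time-to-ransom: {avg.total_seconds() / 3600:.1f} h")
```

On the constructed sample, incident A comes out at 138 hours with four logged actions before the canary fired and incident B at 6 hours with two, so the average is 72 hours even though neither incident is anywhere near it. That is the caveat the page raises about smaller networks and differing actor motives: report the per-incident values and the action counts alongside the average, and keep incidents C and D visible as "no delta" rather than dropping them, since a canary with no preceding activity is a telemetry gap to fix, not a zero-hour intrusion.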
Summary
During ransomware attacks, the average time-to-ransom for attackers is almost 17 hours. Learn more about what this means for businesses.