
Upon gaining initial access to a network, malicious hackers spend an average of 48 minutes finding and accessing critical assets. A few more hours, and they are gone with the stolen data, which they rarely bother to encrypt, an Annual Cyber-Threat report by ReliaQuest has found.
AI and automation are helping attackers to supercharge their attacks. Last year, ransomware operators, upon gaining initial access, achieved lateral movement in an average of 48 minutes.
Then, threat researchers at ReliaQuest saw what they called “the quickest exfiltration time” of just 4 hours and 29 minutes.
“This leaves defenders with even less time to detect and respond before critical data is stolen,” the report reads.
“Cyber threats are now faster than ever.”
Only one in five ransomware attacks ends with data encryption, because locking systems takes longer than stealing data, and in 80% of cases threat actors are only interested in data exfiltration. The fastest encryption time in 2024 was six hours.
The researchers explain that advanced security tools and robust backups diminish the importance of encryption in cyberattacks. Encryption involves technical complexities, while data exfiltration allows attackers to strike quickly, inflict maximum harm, and maintain leverage over the victim.
“When most people think of ransomware, they picture locked systems, black screens, and ransom notes – but that’s no longer always the case,” they said.
Ransomware groups weaponize stolen data for extortion, resale, and access to additional targets while preying on organizations’ fears of reputational damage.
The researchers also observed that in 60% of cyberattacks, attackers send the stolen data to legitimate cloud storage platforms such as Google Drive, Mega, or Amazon S3.
They expect that ransomware attacks will take even less time in 2025, and organizations need to rethink their recovery strategies.
“Affiliates splintered into smaller groups, while leaked ransomware source code on cybercriminal forums sparked a wave of new attackers on the scene, with many focused entirely on data exfiltration. The result is a more fragmented, but no less dangerous, ransomware ecosystem,” the report reads.
Most (85%) breaches involve compromised service accounts, allowing attackers to operate under the radar for an extended period. Victims most often fail to control unmanaged devices and external exposure.
“Forty-five percent of hands-on-keyboard intrusions began with abuse of external remote services like VPNs,” the researchers said.
Phishing and drive-by compromise remain the main techniques for attackers to gain initial access.