Those who do not sleep
We’d like to draw your attention to the latest statistics on when malware attacks occur:
In 76% of incidents, ransomware was executed in victim environments after hours, that is, on a weekend, or before 8:00 a.m. or after 6:00 p.m. on a weekday, in the victim's time zone. As many as 49% of the attacks occurred overnight during the work week, and 27% took place on weekends.
Ransomware attacks by hour.
It is important to note that threat actors can orchestrate their malware campaigns outside of formal business hours, and against companies that operate without interruption they can easily keep track of specific events and user activity. In one example, criminals created an Active Directory Group Policy Object to trigger ransomware execution on user logon and logoff.
Interestingly, when it comes to targeted attacks—when threat actors penetrate a network to achieve specific objectives—the actual malware deployment was often delayed for three days.
Number of days between intrusion and ransomware execution
Obviously, those figures are relevant for attacks targeting specific organisations or individuals. When random infections occur, ransomware can spring into action instantaneously.
Of course, the machines in your local network should run anti-virus software. However, if an attacker has already gained a foothold in your network—for example, by accessing the environment remotely via RDP—that won't be enough. Restrict user permissions and make sure that no known vulnerabilities that can be exploited to elevate privileges remain unpatched.
- If a malicious file is detected, disconnect the machine from the infrastructure and take steps to remediate the infection—the file can be executed at any moment and your access password may have been compromised.
- If possible, divide your network into subnets to prevent an infection from spreading across the network environment.
- Back up your critical business data and, if possible, store the backups offsite because backups are often prime targets for attack.
- Make sure that only specific logon types are available under local administrator accounts.
- Set strong passwords.
- Deny user access to systems during off-hours. Make sure that you are able to receive notifications about infection and malware execution attempts while you are out of the office.
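
To act on the last recommendation, off-hours activity first has to be recognised in the victim's own time zone. The following is an added example, not code from the original article: it buckets events using the article's definition of after hours (weekend, or before 8:00 a.m. or after 6:00 p.m. on a weekday). The log format, host and user names, and the fixed UTC+3 site offset are assumptions made for illustration.

```python
from datetime import datetime, time, timedelta, timezone

# Assumption: the monitored site sits at a fixed UTC+3 offset (no DST handling).
SITE_TZ = timezone(timedelta(hours=3))
WORK_START, WORK_END = time(8, 0), time(18, 0)  # business hours per the article

# Constructed sample events (timestamps in UTC); the key=value format is hypothetical.
SAMPLE_LOG = """\
2024-03-07T09:15:00+00:00 host=WS014 user=j.doe event=logon
2024-03-07T22:40:00+00:00 host=FS01 user=admin2 event=logon
2024-03-08T15:30:00+00:00 host=FS01 user=admin2 event=process_start
2024-03-08T21:30:00+00:00 host=DC01 user=admin2 event=gpo_created
2024-03-11T04:20:00+00:00 host=WS014 user=j.doe event=logon
"""

def classify(ts, tz=SITE_TZ):
    """Bucket an aware timestamp as 'business', 'overnight' or 'weekend' in site-local time."""
    local = ts.astimezone(tz)
    if local.weekday() >= 5:           # Saturday or Sunday
        return "weekend"
    if WORK_START <= local.time() <= WORK_END:
        return "business"
    return "overnight"                 # weekday before 8:00 a.m. or after 6:00 p.m.

def off_hours_alerts(log, tz=SITE_TZ):
    """Return one alert record per event that falls outside business hours."""
    alerts = []
    for line in log.splitlines():
        if not line.strip():
            continue
        stamp, *pairs = line.split()
        fields = dict(p.split("=", 1) for p in pairs)
        ts = datetime.fromisoformat(stamp)
        if ts.tzinfo is None:
            # A naive timestamp cannot be placed in the site's time zone reliably.
            raise ValueError(f"timestamp without UTC offset: {stamp}")
        bucket = classify(ts, tz)
        if bucket != "business":
            alerts.append({"local_time": ts.astimezone(tz).isoformat(),
                           "bucket": bucket, **fields})
    return alerts

if __name__ == "__main__":
    for alert in off_hours_alerts(SAMPLE_LOG):
        print(alert)
```

The fourth sample event is a Friday in UTC but already Saturday at the site, which is why classification is done after conversion to local time.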