Security Experts:

Connect with us

Hi, what are you looking for?



Ransomware Is Mostly Deployed After Hours: Report

Most ransomware is deployed after hours, and usually several days after the initial compromise, newly published research from FireEye reveals.

Most ransomware is deployed after hours, and usually several days after the initial compromise, newly published research from FireEye reveals.

Over the past several years, ransomware has become a major threat to organizations of all sizes, from all types of sectors, across North America, Europe, Asia Pacific, and the Middle East. Seeking to increase their leverage against victims, ransomware operators are also threatening to leak data.

While performing an analysis of dozens of incidents between 2017 and 2019, FireEye discovered common characteristics related to infection vectors, dwell time, and time of day of ransomware deployment, while also identifying innovations that operators adopted to maximize profits.

The incidents, FireEye’s security researchers reveal, were attributed to financially motivated groups such as FIN6, TEMP.MixMaster, and dozens of other adversaries.

FireEye says its ransomware investigations went up 860% from 2017 to 2019, with most of the incidents being post-compromise infections. In some cases, however, ransomware was executed immediately (e.g. GANDCRAB and GLOBEIMPOSTER), but most were complex post-compromise deployments.

Observed infection vectors include Remote Desktop Protocol (RDP) attacks, phishing emails containing malicious links or attachments, and drive-by downloads.

The use of RDP to log into a system in the victim’s environment, FireEye says, was high in 2017, but declined in 2018 and 2019. The attackers either brute-forced credentials or immediately logged in using default/weak or acquired credentials, or RDP access purchased from another threat actor.

Observed phishing campaigns delivered prolific malware families in financially motivated operations, including TrickBot, Emotet, and FlawedAmmyy.

The researchers also noticed TEMP.MixMaster’s TrickBot infections leading to the Ryuk ransomware and tracked some infections to compromised websites leading to Dridex, FakeUpdates, and BitPaymer or DoppelPaymer malware.

The time elapsed until the attackers deployed ransomware would range between 0 and 299 days. For 75% of the attacks, at least three days passed between first access and the ransomware deployment. In some cases, ransomware was found in the victim’s environment but not yet executed.

In 76% of the incidents, the ransomware was executed after hours: either on weekends or between 6:00 p.m. and 8:00 a.m. on a weekday. The deployments were performed based on the time zone and customary work week of the victim organization, FireEye says.

“Some attackers possibly intentionally deploy ransomware after hours, on weekends, or during holidays, to maximize the potential effectiveness of the operation on the assumption that any remediation efforts will be implemented more slowly than they would be during normal work hours. In other cases, attackers linked ransomware deployment to user actions,” FireEye says.

Mitigation steps organizations should adopt include using strong security products to protect their network, email, and endpoints; remediate infections as soon as possible; perform regular audits to identify vulnerable and exposed systems; enable and enforce multi-factor authentication, and ensure after-hours coverage for fast response to incidents.

They should also carry out regular anti-phishing training, implement network segmentation, regularly backup critical data, restrict Local Administrator accounts, generate unique Local Administrator passwords for each system, and disallow cleartext passwords to be stored in memory.

“We expect that financially motivated actors will continue to evolve their tactics to maximize profit generated from ransomware infections. We anticipate that post-compromise ransomware infections will continue to rise and that attackers will increasingly couple ransomware deployment with other tactics, such as data theft and extortion, increasing ransom demands, and targeting critical systems,” FireEye concludes.

Related: Human-Operated Ransomware Is a Growing Threat to Businesses: Microsoft

Related: New Technique Allows Ransomware to Operate Undetected

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


As it evolves, web3 will contain and increase all the security issues of web2 – and perhaps add a few more.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...