Cybercriminals exfiltrate data in just three days
In 56% of Sophos managed detection and response (MDR) and incident response (IR) cases, attackers gained initial access to networks by exploiting external remote services, including edge devices such as firewalls and VPNs, and by leveraging valid accounts.
Compromised credentials remain the top cause of attacks
The combination of external remote services and valid accounts aligns with the top root causes of attacks. For the second year in a row, compromised credentials were the number one root cause of attacks (41% of cases). This was followed by exploited vulnerabilities (21.79%) and brute force attacks (21.07%).
When analyzing MDR and IR investigations, the Sophos X-Ops team looked specifically at ransomware, data exfiltration, and data extortion cases to identify how fast attackers progressed through the stages of an attack within an organization. In those three types of cases, the median time between the start of an attack and exfiltration was only 72.98 hours (3.04 days). Furthermore, there was only a median of 2.7 hours from exfiltration to attack detection.
The lack of visibility into files moving around the network, together with missing logs, also contributes to the exfiltration statistics. In 2024, analysts were able to confirm that exfiltration occurred in 27% of cases. Including evidence of data staging and possible exfiltration, this rises to 36%. Ransomware victims had their data exfiltrated in 43% of the incidents investigated. An additional 14% had possible exfiltration or evidence of data staging.
“Passive security is no longer enough. While prevention is essential, rapid response is critical. Organizations must actively monitor networks and act swiftly against observed telemetry. Coordinated attacks by motivated adversaries require a coordinated defense. For many organizations, that means combining business-specific knowledge with expert-led detection and response,” said John Shier, field CISO.
Ransomware deployments spike outside business hours
The median time between attackers’ initial action and their first (often successful) attempt to breach Active Directory (AD) – arguably one of the most important assets in any Windows network – was just 11 hours. If successful, attackers can more easily take control of the organization. 62% of the compromised servers were running operating systems that were out of mainstream support.
In 2024, 83% of ransomware binaries were deployed outside the target’s local business hours; the all-time statistic stands at 88%. While ransomware deployments appear to favor the night, there does not seem to be any clear preference for a particular day of the week.
Akira was the most frequently encountered ransomware group in 2024, followed by Fog and LockBit (despite a multi-government takedown of LockBit earlier in the year).
Overall, dwell time – the time from the start of an attack to when it is detected – decreased from 4 days to just 2 in 2024, largely due to the addition of MDR cases to the dataset.
Dwell time in IR cases remained stable at 4 days for ransomware attacks and 11.5 days for non-ransomware cases. Dwell time in MDR cases was only 3 days for ransomware cases and just 1 day for non-ransomware cases, suggesting MDR teams are able to more quickly detect and respond to attacks.
Lack of MFA is putting organizations at risk
Remote desktop protocol (RDP) detections continue to top the chart of abused Microsoft tools. In 2024, RDP was used by attackers in 84% of cases; in 67% of cases it was used only for internal lateral movement, and in 3% only externally.
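A detection heuristic that combines two of the findings above (RDP used for internal lateral movement, and attacker activity outside local business hours), as an added example that is not part of the Sophos report: it scans constructed Windows Security 4624 logon records and flags RDP sessions (LogonType 10) that occur off-hours or originate outside the internal address ranges. The business window, the internal networks and the sample events are assumptions.

```python
from datetime import datetime, time
import ipaddress

# Constructed sample of Windows Security 4624 (successful logon) events.
# LogonType 10 = RemoteInteractive, i.e. an RDP session.
SAMPLE_EVENTS = [
    {"time": "2024-03-12T09:15:00", "event_id": 4624, "logon_type": 10,
     "user": "jdoe", "src_ip": "10.0.5.20", "host": "WS-0042"},
    {"time": "2024-03-12T23:40:00", "event_id": 4624, "logon_type": 10,
     "user": "svc-backup", "src_ip": "10.0.5.77", "host": "DC01"},
    {"time": "2024-03-13T02:10:00", "event_id": 4624, "logon_type": 10,
     "user": "admin", "src_ip": "203.0.113.8", "host": "JUMP01"},
    {"time": "2024-03-13T14:00:00", "event_id": 4624, "logon_type": 3,
     "user": "jdoe", "src_ip": "10.0.5.20", "host": "FS01"},
]

# Assumed local business hours (Mon-Fri) and internal address ranges.
BUSINESS_START, BUSINESS_END = time(8, 0), time(18, 0)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_off_hours(ts: datetime) -> bool:
    """True on weekends or outside the assumed business window."""
    if ts.weekday() >= 5:
        return True
    return not (BUSINESS_START <= ts.time() < BUSINESS_END)

def is_internal(ip: str) -> bool:
    """True when the source address falls in an assumed internal range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def flag_rdp_logons(events):
    """Return RDP logons (4624 / LogonType 10) that carry at least one risk tag."""
    findings = []
    for ev in events:
        if ev["event_id"] != 4624 or ev["logon_type"] != 10:
            continue  # not an RDP session; ignore other logon types
        ts = datetime.fromisoformat(ev["time"])
        internal = is_internal(ev["src_ip"])
        reasons = []
        if is_off_hours(ts):
            reasons.append("off_hours")
        if not internal:
            reasons.append("external_source")
        if reasons:
            # "lateral" marks an internal-to-internal RDP hop, the pattern the
            # report attributes to the majority of RDP abuse.
            findings.append({"host": ev["host"], "user": ev["user"],
                             "src_ip": ev["src_ip"], "reasons": reasons,
                             "lateral": internal})
    return findings
```

Feed it the 4624 records exported from a SIEM (time, logon type, source address, target host, account) to surface off-hours internal RDP hops toward domain controllers first.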
In 2022, researchers observed that 22% of victims did not have MFA configured. That proportion nearly tripled to 63% in 2024. This is one area where there was no meaningful distinction between IR and MDR cases.
MFA was unavailable in 66% of IR cases and 62% of MDR cases. This highlights one way in which even the most capable detection and response program can still leave organizations vulnerable to attack.
Security practitioners are not only fighting the battle against the threats posed by external adversaries, but an internal struggle with business processes and change management.