Research: Most ransomware strikes more than three days after infection

Ransomware strikes 75 percent of the time more than three days after an infection. Research by security company FireEye shows that most companies will be affected after that time. Also, most ransomware strikes outside working hours.

FireEye’s study looked at ransomware infections at businesses between 2017 and 2019. The researchers studied how the malware behaved once it infected systems. In most cases, the ransomware first tries to map the network and, for example, steal admin passwords to get deeper into the system. That’s why a ransomware attack rarely strikes right away. In three quarters of the cases this took at least three days, FireEye writes.

However, there were also infections where the ransomware only struck after 299 days. According to FireEye, companies have a good chance of combating an infection if they can detect it at an early stage by isolating and removing the virus. It should be noted that FireEye itself sells products that do this.

The company also found that ransomware strikes outside office hours in 76 percent of cases. That happened on weekends, or in the evening or at night. This also happened, for example, at Maastricht University, which was hit by ransomware just before Christmas Eve. The investigation showed that this was most likely done deliberately, because fewer people are working at that time who can stop the attack. FireEye also says that most ransomware infections come in via the Remote Desktop Protocol, and that the majority still comes through phishing emails.