Recent research shows that ransomware groups are shortening their encryption timelines while adopting advanced evasion techniques and data extortion tactics.
According to a 2025 threat report by the cybersecurity company Huntress, ransomware groups now need an average of just 17 hours to encrypt a network after the initial intrusion, with some groups, such as Akira and RansomHub, completing the process in as little as 4–6 hours.
This rapid encryption strategy differs significantly from the lengthy dwell times observed in previous ransomware operations, giving organizations less time for detection and response.
Moreover, Huntress researchers found that attackers are using advanced tools and tactics to infiltrate networks across many sectors, including healthcare, technology, education, government, and manufacturing.
How Do Attackers Hasten Encryption?
The perpetrators leverage tools like Mimikatz and PowerShell scripts to extract credentials from memory:
```powershell
Invoke-Mimikatz -Command "privilege::debug sekurlsa::logonpasswords"
```
This facilitates swift lateral movement within networks using pilfered domain admin accounts.
More than 60% of ransomware incidents in 2024 resulted from vulnerabilities in remote access tools:
- ScreenConnect (CVE-2024-1709): A path traversal flaw allowed unauthenticated RCE
- CrushFTP (CVE-2024-4040): An authentication bypass led to server compromise
Newer ransomware variants like CryptNet optimize encryption speed:
```python
# Pseudocode as described in the report: files under 512 KB are encrypted
# whole, larger files only in three 128 KB slices (start, middle, end)
if file_size < 512KB:
    encrypt_full_file()
else:
    encrypt_chunks(first_128KB, middle_128KB, last_128KB)
```
This method maintains cryptographic efficiency while reducing encryption duration by 70%.
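The partial-encryption layout above leaves a detectable footprint: in a file of 512 KB or more, only the first, middle and last 128 KB become high-entropy while the bytes in between keep the file's natural, low entropy. The following detector is an added example written for this article, not code from Huntress or from any ransomware family; the 512 KB and 128 KB values come from the text above, while the entropy thresholds (7.0 and 6.0 bits per byte) and the constructed 1 MB sample document are assumptions chosen for illustration. The "tampered" sample is built by overwriting the three regions with random bytes as a stand-in for ciphertext; no encryption is performed.

```python
"""Flag files whose head, middle and tail 128 KB regions are high-entropy
while the untouched bytes between them stay low-entropy, the footprint of
the intermittent encryption scheme described in the article."""
import math
import os
from collections import Counter

CHUNK = 128 * 1024           # 128 KB regions, per the article's description
FULL_THRESHOLD = 512 * 1024  # below this size the whole file is encrypted
HIGH = 7.0                   # assumed: bits/byte, ciphertext sits near 8.0
LOW = 6.0                    # assumed: plain documents and source sit well below


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty input)."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def sampled_regions(size: int):
    """Byte ranges the scheme touches, as (label, offset, length) tuples."""
    if size < FULL_THRESHOLD:
        return [("full", 0, size)]
    middle = size // 2 - CHUNK // 2
    return [("head", 0, CHUNK), ("middle", middle, CHUNK), ("tail", size - CHUNK, CHUNK)]


def classify(data: bytes) -> dict:
    """Return per-region entropies, a control entropy and a verdict."""
    layout = sampled_regions(len(data))
    regions = {label: shannon_entropy(data[off:off + ln]) for label, off, ln in layout}
    if "full" in regions:
        # Small files are encrypted whole; high entropy alone is a weaker
        # signal because compressed or already-encrypted files look the same.
        return {"regions": regions, "control": None, "suspicious": regions["full"] > HIGH}
    # Bytes between the head and middle chunks are never touched by the
    # scheme, so they are a control sample of the file's natural entropy.
    middle_off = layout[1][1]
    control = shannon_entropy(data[CHUNK:middle_off])
    suspicious = all(e > HIGH for e in regions.values()) and control < LOW
    return {"regions": regions, "control": control, "suspicious": suspicious}


def build_samples():
    """Constructed data: a 1 MB text 'document' and a copy with the three regions scrambled."""
    line = b"Quarterly report: revenue, costs, headcount, forecast.\n"
    clean = (line * (1024 * 1024 // len(line) + 1))[:1024 * 1024]
    tampered = bytearray(clean)
    for _, off, ln in sampled_regions(len(tampered)):
        tampered[off:off + ln] = os.urandom(ln)  # stand-in for ciphertext, no real encryption
    return clean, bytes(tampered)


if __name__ == "__main__":
    for name, blob in zip(("clean", "tampered"), build_samples()):
        verdict = classify(blob)
        print(name, {k: round(v, 2) for k, v in verdict["regions"].items()},
              "control=%.2f" % verdict["control"], "suspicious=%s" % verdict["suspicious"])
```

A file scanner built on this idea would sample only three small windows plus a control slice per file, so it stays cheap enough to run over a backup set or a file share after an incident. The control comparison is what separates partial encryption from legitimately high-entropy formats such as archives or media, which are dense everywhere rather than only at the sampled offsets.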
Evolution of ransomware economic strategies:

| Group | Average TTR | Payment to Partners |
|---|---|---|
| RansomHub | 6.4 hours | 85-90% |
| INC/Lynx | 7.7 hours | 80% |
| LockBit 4.0 | 17.8 hours | 75% |
The affiliate model incentivizes faster assaults, where large payouts prioritize quantity over precision. Notably, 38% of incidents now involve pure data extortion without encryption, as demonstrated in BianLian’s operations.
The healthcare and education sectors bore the brunt:
- 45% of healthcare assaults employed Java-based RATs like STRRAT
- 24% of educational cases featured Chromeloader infostealers
To enhance defenses against ransomware, organizations should restrict access to Remote Monitoring and Management (RMM) tools, as 74.5% of attacks exploited ConnectWise ScreenConnect.
Additionally, preventing LOLBin execution through registry adjustments can thwart the misuse of system-native utilities.
Utilizing AES-NI hardware encryption can help mitigate risks associated with partial-file encryption attacks, decreasing potential data losses. As underscored by Huntress researchers, “The 17-hour timeframe isn’t a grace period—it’s a countdown.”
With global ransomware incidents now surpassing $30 billion, businesses must adopt rapid-response security measures, including continual validation of backups and proactive threat mitigation.