Ransomware’s Midnight Surge: Why Cyberattacks Spike While We Sleep

Aug 20, 2024

In the silent hours of the night, while most people are deep in slumber, cybercriminals are actively orchestrating their next significant breach. According to the latest ThreatDown 2024 State of Ransomware report from Malwarebytes, the majority of ransomware attacks occur between 1 a.m. and 5 a.m. This timing is no coincidence; it is a strategic effort by malicious actors to capitalize on the off-hours when security personnel are typically less vigilant, leaving organizations exposed to potentially catastrophic breaches.

The report, derived from data collected by the ThreatDown Managed Detection and Response team, reveals a concerning 33% increase in global ransomware attacks over the past year. The United Kingdom and the United States have been particularly impacted, with known attacks surging by 67% and 63%, respectively. This alarming rise highlights the critical necessity for organizations to reevaluate their security protocols and ensure they are equipped to fend off attacks at any hour, not just during regular business hours.

Chris Kissel, Research Vice President at IDC’s Security & Trust Products group, underscores the gravity of the situation with a pertinent question: “Do you have someone prepared to stop an attack at 2 a.m. on a Sunday with your existing technology stack and staff resources?” Many organizations have tools that will surface an alert by Monday morning, but by then the attackers have often already inflicted significant damage. Cybercriminals are becoming increasingly proficient at infiltrating networks, exfiltrating data, and deploying ransomware with alarming speed and efficiency.

Marcin Kleczynski, founder and CEO of Malwarebytes, stresses that ransomware gangs have both time and motivation on their side. “They constantly evolve to respond to the latest technologies chasing at their tails,” Kleczynski remarks. The adoption of technologies such as Endpoint Detection and Response (EDR) has enabled the identification of attackers before malware deployment, yet it has also driven ransomware groups to accelerate their actions and enhance their stealth techniques. This ongoing game of cat-and-mouse between attackers and defenders necessitates continuous vigilance and support to stay ahead of cybercriminals.

The report also highlights an intriguing trend: the increasing activity of smaller ransomware groups. The proportion of attacks executed by minor gangs outside the top 15 most active groups rose from 25% to 31% in the past year. This shift suggests that launching ransomware attacks is becoming more accessible even to less experienced attackers, partly due to the availability of AI technologies that lower the entry barrier. For example, Google Cloud analysts have cautioned that generative AI might be employed in call centers to facilitate ransomware negotiations, further complicating the cybersecurity landscape.

Additionally, the Malwarebytes report sheds light on the evolving dynamics within the ransomware ecosystem. LockBit, a prominent ransomware-as-a-service group, experienced a decline in its share of attacks from 26% to 20% over the past year, despite an increase in individual attacks. This reduction in dominance may be attributed to successful law enforcement actions, such as the U.K. National Crime Agency and the FBI disrupting access to LockBit’s website, a major hub for ransomware-as-a-service operations. However, LockBit quickly reestablished its operations on a different Dark Web address, illustrating the resilience and adaptability of these groups.

A noteworthy incident involved ALPHV, the second-most prolific ransomware group, which faced internal turmoil after a botched cyber attack on Change Healthcare. After failing to pay an affiliate its share of a $22 million ransom, the group was exposed by the disgruntled affiliate. This led ALPHV to fake a law enforcement takedown and temporarily cease operations. With ALPHV’s exit and LockBit’s uncertain future, other ransomware gangs are likely to compete fiercely to attract affiliates and dominate the ransomware landscape.

The report also identifies the most frequently targeted industries for ransomware in the U.S. and globally. The services industry bears the brunt, accounting for nearly a quarter of global ransomware attacks. Critical national infrastructure sectors, such as water, energy, and food and agriculture, are prime targets due to the potential for widespread disruption. In the U.S., the education and healthcare sectors are heavily targeted, likely due to their financial resources and the urgency to pay ransoms to avoid regulatory penalties.

A particularly troubling trend noted by the ThreatDown MDR team is the rise of living-off-the-land techniques used by ransomware gangs. This involves using legitimate, pre-installed tools and software within a target environment to avoid detection. Because such attacks rely on fewer custom malicious binaries, there is less for signature-based controls to catch, making detection and prevention significantly more challenging. The M-Trends 2024 report from Google subsidiary Mandiant also observed an increase in these attacks, with the median dwell time of attackers within target environments dropping from 16 days in 2022 to 10 days in 2023.
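As an added illustration of the off-hours finding and the living-off-the-land concern described above (example code written for this page, not from the ThreatDown report or Malwarebytes), the routine below scores constructed endpoint events by whether they fall in the 1 a.m. to 5 a.m. local window and whether they involve built-in tools often seen in living-off-the-land activity. The tool list, the sample events and the UTC-4 local offset are assumptions.

```python
import json
from datetime import datetime, time, timedelta, timezone

# Off-hours window from the report: 1 a.m. to 5 a.m., in the defended org's local time.
OFF_HOURS_START, OFF_HOURS_END = time(1, 0), time(5, 0)

# Assumption: an illustrative list of pre-installed tools frequently seen in
# living-off-the-land activity. Tune to what is normal in your environment.
LOTL_BINARIES = {"powershell.exe", "wmic.exe", "certutil.exe", "rundll32.exe", "psexec.exe"}

# Constructed sample telemetry (JSON lines, UTC timestamps); not real data.
SAMPLE_EVENTS = """\
{"ts": "2024-08-18T06:12:00Z", "host": "fs01", "user": "svc_backup", "process": "powershell.exe"}
{"ts": "2024-08-18T14:30:00Z", "host": "ws22", "user": "alice", "process": "powershell.exe"}
{"ts": "2024-08-18T07:45:00Z", "host": "dc01", "user": "jsmith", "process": "wmic.exe"}
{"ts": "2024-08-18T08:05:00Z", "host": "ws07", "user": "bob", "process": "outlook.exe"}
"""

def is_off_hours(ts_utc: datetime, local_tz: timezone) -> bool:
    """True if the UTC timestamp lands inside the 01:00-05:00 local window."""
    local_t = ts_utc.astimezone(local_tz).time()
    return OFF_HOURS_START <= local_t < OFF_HOURS_END

def score_event(event: dict, local_tz: timezone) -> int:
    """0 = nothing notable, 1 = one risk signal, 2 = off-hours use of a LOTL tool (wake the on-call)."""
    ts = datetime.fromisoformat(event["ts"].replace("Z", "+00:00"))
    score = 0
    if is_off_hours(ts, local_tz):
        score += 1
    if event["process"].lower() in LOTL_BINARIES:
        score += 1
    return score

def triage(jsonl: str, utc_offset_hours: int = -4) -> list[tuple[str, str, int]]:
    """Parse JSON-lines telemetry and return (host, process, score) per event.
    utc_offset_hours is the org's local offset; -4 (EDT) is an assumption for the sample."""
    local_tz = timezone(timedelta(hours=utc_offset_hours))
    results = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        results.append((ev["host"], ev["process"], score_event(ev, local_tz)))
    return results

if __name__ == "__main__":
    for host, proc, score in triage(SAMPLE_EVENTS):
        print(f"{host:6} {proc:16} score={score}")
```

Score-2 events are the ones the report's finding argues need a human response at 2 a.m., not an alert queued for Monday.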

As ransomware attacks grow in frequency and sophistication, organizations must remain ever vigilant and proactive in their cybersecurity endeavors. This entails ensuring round-the-clock monitoring and response capabilities, investing in advanced detection technologies, and continuously educating employees about emerging threats. The persistent threat of ransomware serves as a stark reminder that while cybercriminals may strike at any hour, our defenses must be perpetually alert and prepared.