Ransomware groups have dramatically accelerated their attack speeds, according to new research by cybersecurity firm Huntress. The report reveals that these gangs now take an average of just 17 hours to encrypt systems after infiltrating a network, a sharp contrast to the weeks-long dwell times that were common in previous ransomware campaigns. Certain groups, like Akira and RansomHub, have even reduced this window to just 4-6 hours, adopting a “smash-and-grab” approach that leaves organizations with less time to detect and respond to the attacks.
The research also highlights how attackers are increasingly using advanced techniques to breach systems. Tools like Mimikatz and PowerShell scripts are being used to dump credentials and facilitate rapid lateral movement within compromised networks. Over 60% of ransomware incidents in 2024 were attributed to vulnerabilities in remote tools, such as ScreenConnect and CrushFTP, which allowed attackers to gain unauthorized access. In response, newer ransomware families like CryptNet have optimized their encryption methods to reduce encryption times by up to 70%, ensuring faster and more effective attacks.
The affiliate model driving ransomware attacks has evolved as well, with high payouts to affiliates encouraging more volume-focused attacks.
These payments have led to an increase in data extortion campaigns, where the attackers demand payment without encrypting the data. Huntress found that 38% of ransomware incidents in 2024 involved pure data extortion, with healthcare and education sectors bearing the brunt of these attacks. In the healthcare sector, for example, 45% of incidents involved Java-based remote access Trojans (RATs), while 24% of education-related incidents were tied to infostealers like Chromeloader.
To mitigate these evolving threats, the researchers recommend several defensive measures, including limiting access to Remote Monitoring and Management (RMM) tools, which have been exploited in a significant percentage of ransomware attacks. They also suggest blocking the execution of LOLBins (Living Off the Land Binaries) through registry modifications and enabling AES-NI hardware encryption to reduce the impact of partial-file encryption attacks. As ransomware continues to cause billions in damages worldwide, businesses must adopt a rapid-response security approach, including hourly backup validation and proactive threat mitigation, to safeguard their operations from these increasingly sophisticated attacks.
