Ransomware vs Other Breaches: Similarities & Key Differences

Ransomware attacks are similar to most other breaches in that many of the same tactics, techniques, and procedures are used. One of the main differences between ransomware attacks and “stealthier” intrusions is that ransomware dwell time is significantly lower: ransomware threat actors (TAs) tend to spend only a median of 11 days on a network vs. 34 days for other breaches, due to the “smash ‘n grab” nature of the attacks.

The objectives of a ransomware attack differ slightly from other attacks as well. For example, APT groups may work their way onto the network as stealthily as possible, learn as much as possible about the network, and slowly exfil data. On the other hand, ransomware groups generally get in, quickly recon to find high-value targets, and exfil as much data as possible through Mega.nz, FTP, or other “loud” methods. Ransomware groups also cause damage to the network by encrypting files to force victims to pay them directly, rather than stealing the data and selling it to a third party.

Lastly, ransomware investigations have an additional threat actor communication aspect that is not a factor in most other breaches. To get data decrypted or to prevent the threat actor from leaking data, organizations have to reach out to the TAs and negotiate payment.