What can time based analysis say in Ransomware cases?
While MISP-ifying the InfoGuard CSIRT's cases, we were intrigued whether a time-based analysis could be done and what it could say about the different ransomware groups as well as their operators.
Looking at the data, we decided to define lateral movement as "a series of operations an attacker takes to compromise the network". Having done so, we were able to identify at least two clear moments during the attack: an initial access moment and a "movement to compromise" moment.
The initial time-based analysis of the ransomware cases highlights the existence of access brokers.
Moreover, a prudent interpretation, knowing that the sample of cases is small, seems to enable a distinction between initial compromises via RDP/VPN and via email.
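To make the kind of analysis described above concrete, here is an added worked example that is not part of the original abstract and not InfoGuard's code or data. It models each case as the two moments defined above (initial access and "movement to compromise"), computes the gap between them, and summarises the gaps per initial-access vector. The case records, timestamps, vector labels and the seven-day "long gap" threshold are all constructed assumptions for illustration; the real cases and their timings are not on the page.

```python
from datetime import datetime
from statistics import median

# Constructed sample cases (illustrative only, not real CSIRT data).
# Each case carries the two moments the abstract distinguishes:
# initial access and the start of "movement to compromise".
CASES = [
    {"case": "C1", "vector": "rdp_vpn", "initial_access": "2021-10-03T08:00", "movement": "2021-10-19T08:00"},
    {"case": "C2", "vector": "rdp_vpn", "initial_access": "2021-11-10T09:00", "movement": "2021-12-01T09:00"},
    {"case": "C3", "vector": "rdp_vpn", "initial_access": "2021-12-05T06:00", "movement": "2021-12-15T06:00"},
    {"case": "C4", "vector": "email",   "initial_access": "2021-10-20T10:00", "movement": "2021-10-21T10:00"},
    {"case": "C5", "vector": "email",   "initial_access": "2021-11-28T14:00", "movement": "2021-11-30T14:00"},
    {"case": "C6", "vector": "email",   "initial_access": "2022-01-12T07:00", "movement": "2022-01-12T19:00"},
]

TS_FORMAT = "%Y-%m-%dT%H:%M"


def parse_ts(value: str) -> datetime:
    """Parse the constructed timestamp format used in CASES."""
    return datetime.strptime(value, TS_FORMAT)


def gap_days(case: dict) -> float:
    """Days between initial access and the start of movement to compromise."""
    delta = parse_ts(case["movement"]) - parse_ts(case["initial_access"])
    return delta.total_seconds() / 86400


def summarise_by_vector(cases: list) -> dict:
    """Per initial-access vector: case count and min/median/max gap in days."""
    gaps_by_vector: dict = {}
    for case in cases:
        gaps_by_vector.setdefault(case["vector"], []).append(gap_days(case))
    return {
        vector: {
            "n": len(gaps),
            "min_days": min(gaps),
            "median_days": median(gaps),
            "max_days": max(gaps),
        }
        for vector, gaps in gaps_by_vector.items()
    }


def long_gap_cases(cases: list, threshold_days: float = 7.0) -> list:
    """Cases whose gap meets an assumed threshold (7 days here is a constructed
    value, not one from the abstract). A long, quiet gap between access and
    movement is the pattern one would look at when asking whether the initial
    access was obtained by a different party than the one who moved later."""
    return [case["case"] for case in cases if gap_days(case) >= threshold_days]


if __name__ == "__main__":
    for vector, stats in summarise_by_vector(CASES).items():
        print(f"{vector:8s} n={stats['n']} median={stats['median_days']:.1f}d "
              f"range={stats['min_days']:.1f}-{stats['max_days']:.1f}d")
    print("long-gap cases:", long_gap_cases(CASES))
```

With the constructed data the RDP/VPN cases show gaps of days to weeks while the email cases move within a day or two; on real data the summary per vector is what would support or refute the RDP/VPN versus email distinction the abstract proposes, and the long-gap list is where a broker hand-off hypothesis would be examined case by case.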
These observations were based on IR cases from October 21 to January 22 and presented at an internal workshop in February 2022. Should the submission be accepted, we would expand the analysis to include all cases until August 2022 to identify possible additional trends.