How long can hackers stay hidden before deploying ransomware or being spotted?

Have you ever wondered how long it may take to spot hackers wandering around within your network? According to Sophos, a UK security firm, cyber intruders on average spend almost 11 days trifling through a network before ever being caught. Often these detections are due to ransomware or another malicious tool being deployed. The longest known time attackers remained undetected was over 15 months, or 439 days to be exact. The Sophos report goes into depth on how these 11 days will be used by the attackers, for example, credential dumping, lateral movement, data exfiltration, reconnaissance, and so on. 264 hours, 11 days, is more than enough time for hackers to get an overall view of the target network, its weaknesses, and the best possible ways to cause lasting damage or chaos. Considering these malicious activities take only a few minutes or at most a few hours to get running, 11 days provides intruders with more than enough time to exploit the network.

FireEye, a US-based security firm, suggests an even longer detection time of almost two weeks. The shorter detection time reported by Sophos is due to the vast majority (81%) of incidents referenced in the report involved ransomware. While a shorter dwell time might seem an enhancement in security posture, it might also be contributed to file-encrypting ransomware being a much more noticeable attack in comparison.

According to their own report, a large portion of incidents Sophos responded to were ransomware attacks, while the rest included various attacks, such as banking trojans, crypto miners, data theft, data wipes, and breaches using pen-testing tools like Cobalt Strike.  

Sophos researchers also noted how remote desktop protocol (RDP) played a major part in almost 90% of attacks. The report suggested that in 4% of cases RDP was used for external access only. Whereas around 28% of attacks showed intruders using RDP for both internal and external movement, and in 41% of cases RDP was used only for internal lateral movement within the victims’ network. Phishing was the starting point for around one in eight attacks, which correlates to 12% of the attacks, while another 10% of the total attacks were primarily due to out-of-date systems.

Several security organizations ranked RDP as the top intrusion method for ransomware incidents in 2020. Attacks on RDP endpoints have been around for a long time, they are often used to initiate ransomware attacks, and are far more repeated than attacks against VPNs.

The report also comprised a list of the most common and widely renowned ransomware groups. According to the report, there are 37 different identified groups. Some of the top adversary groups seen in 2020 were Revil/Sodinokibi, Ryuk, Dharma, Maze, Ragnarok, Netwalker, Cuba and LockBit.

Cybercrime is a lucrative business, and at any time your organization may become the next target. Cybersecurity professionals must remain vigilant and must continue to defend their organizations with rigorous monitoring to probe any suspicious activity within their network.

Read the Sophos report here.

For more news and updates, visit

You can also reach us out on Facebook, & LinkedIn or Contact us.

Comments are closed
Our team knows the importance of the work we do for our clients. We know that our efforts have a direct impact on your productivity, profitability and success, so we take our tasks seriously! We look forward to providing your company with strong
ROI and value.