According to the cybersecurity firm FireEye, the majority of ransomware attacks take place outside working hours, either overnight or over the weekend.
In its report released last Thursday, the U.S. computer security firm revealed, after compiling data from its investigations and from incidents it handled between 2017 and 2019, that 76% of ransomware infections occur outside work hours: 49% of these attacks take place at night and 27% over the weekend.
The reasons are simple to understand. Cybercriminals trigger the encryption of the targeted systems and files at night and at the weekend because there are usually no employees on the premises, or very few staff assigned to monitoring, so that even if the attack could easily be detected, there would be no one to raise an alert or to react to one in time. This makes it easier for the criminals to complete the encryption and take lasting hold of the targeted system. In the morning the attack is discovered, but by then it is almost too late to do anything except apply the resilience measures.
However, things are not that simple: "This type of attack is usually the result of a prolonged network compromise: hackers break into a company's network, move laterally from one station to another to infect as many workstations as possible, manually install the ransomware and then trigger the infection. The time between the beginning of the compromise and the initiation of the attack and ransom demand – the so-called "dwell time" – is on average three days," according to FireEye.
The cybersecurity firm also noted that ransomware is less and less often installed automatically through network infection, and more and more often deployed manually by the attackers. This changes the modus operandi and makes the intruders harder to detect. The practice has become widespread: most attackers now prefer to keep control of their malware strain so that they can carefully choose the right moment to trigger the encryption. Microsoft has described this as "human-operated ransomware attacks". The Redmond firm has, for its part, published a report giving recommendations on putting rules in place and on detecting malicious activity during the "dwell time", in order to stop attackers before they trigger the final phase.
FireEye has reported that these human-operated attacks have grown by 860% in just three years, that is, since 2017. The trend has been observed all over the world, affecting American companies, Asian institutions and European ones alike. The most common attack vectors in this context are:
– Brute-force attacks on workstations, especially on Remote Desktop Protocol (RDP) ports exposed to the Internet, which let the attackers take control of machines that matter to their plan.
– Phishing or spear phishing of a company's employees, whose infected workstations then go on to spread the malware.
– Drive-by downloads, often triggered when employees visit insecure sites that silently download malware.
Both the cybersecurity firm and Microsoft have encouraged companies to invest in detection, especially during the period before the infection is triggered. "If network defenders can quickly detect and remediate the initial compromise, it is possible to avoid significant damage and the cost of a ransomware infection," said the U.S. computer security firm.
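As an added example (not from the FireEye report or this article), here is a small Python detector that applies the article's point to constructed log lines: the same RDP logon-failure burst or bulk file-rename event is raised to high priority when it occurs at night or at the weekend, when no one is around to react. The log format, thresholds and business hours are assumptions.

```python
from collections import Counter
from datetime import datetime

# Constructed sample log, one event per line: "<ISO timestamp> <host> <event> <detail>".
# 2019-11-05 is a Tuesday; 2019-11-09 is a Saturday.
SAMPLE_LOG = """\
2019-11-05T09:12:00 ws-07 rdp_logon_failed 10.0.0.9
2019-11-05T09:12:30 ws-07 rdp_logon_failed 10.0.0.9
2019-11-05T10:00:00 fs-01 file_rename 40
2019-11-09T02:10:00 ws-07 rdp_logon_failed 203.0.113.5
2019-11-09T02:10:01 ws-07 rdp_logon_failed 203.0.113.5
2019-11-09T02:10:02 ws-07 rdp_logon_failed 203.0.113.5
2019-11-09T02:55:00 fs-01 file_rename 1500
"""

BUSINESS_HOURS = range(8, 18)  # 08:00-17:59, Monday to Friday (assumed)


def off_hours(ts: datetime) -> bool:
    """True at night or at the weekend, when few staff are around to react."""
    return ts.weekday() >= 5 or ts.hour not in BUSINESS_HOURS


def detect(log_text: str, rdp_threshold: int = 3, rename_threshold: int = 500) -> list:
    """Return alerts for two precursors the report names: repeated RDP logon
    failures from one source (brute force) and bulk file renames on a host
    (mass encryption). Off-hours hits are raised to high priority."""
    rdp_failures = Counter()  # (host, source_ip, off_hours) -> failure count
    alerts = []
    for line in log_text.splitlines():
        ts_text, host, event, detail = line.split()
        ts = datetime.fromisoformat(ts_text)
        quiet = off_hours(ts)
        if event == "rdp_logon_failed":
            rdp_failures[(host, detail, quiet)] += 1
        elif event == "file_rename" and int(detail) >= rename_threshold:
            alerts.append({"type": "bulk_rename", "host": host,
                           "count": int(detail), "priority": "high" if quiet else "medium"})
    for (host, source, quiet), count in rdp_failures.items():
        if count >= rdp_threshold:
            alerts.append({"type": "rdp_bruteforce", "host": host, "source": source,
                           "count": count, "priority": "high" if quiet else "medium"})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Daytime failures from 10.0.0.9 stay below the threshold and the small daytime rename is ignored, so only the Saturday-night burst and the bulk rename produce alerts.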