Ransomware attackers are moving through the stages of an attack faster than before, according to recent research by IBM. The findings also revealed increased use of Initial Access Brokers (IABs), which is helping to reduce the time it takes a ransomware criminal to encrypt a network to four days on average.

Underscoring the need for organizations to build strong ransomware risk management programs, specifically for the cloud, the findings reiterate that ransomware is undeniably the biggest threat to cybersecurity today. 

Organizations need to take proactive steps to shore up their security posture – because when a ransomware criminal gets into the network, time is of the essence.

Usage of Initial Access Brokers and Ransomware-as-a-Service (RaaS) is increasing

The researchers found that the rise of ransomware-as-a-service (RaaS) and Initial Access Brokers (IABs) is driving the velocity of ransomware attacks in 2022.

Today, cyber criminals run affiliate programs that feed into RaaS, a business model in which ransomware gangs offer their malware to other parties, known as affiliates, in exchange for a large cut of the ransom payment.

These operators work closely with Initial Access Brokers (IABs), who offer footholds and stolen credentials into targeted networks.

Cyber criminals and IABs alike are amassing footholds by using easy-to-execute TTPs, including phishing campaigns, vulnerability exploitation, and remote services attacks. 

IABs sell stolen credentials and remote access services, like virtual private networks (VPN), remote desktop protocol (RDP), and web shells, with malware installed to establish footholds in victim networks. 

These footholds are then sold off to the highest bidder on the dark web, who may be an affiliate, and may attack right away or quietly lurk in the network.

The researchers found that the overall lifecycle of a ransomware attack has shortened since 2021, and that the time it takes for an IAB to hand off access to an interactive session that is ready to carry out the ransomware attack has decreased significantly.

The researchers also found that on average, ransomware operators are moving faster once inside the network to reach domain control to deploy the ransomware.

Ransomware attacks are evolving

Ransomware attacks have evolved over the years. The earliest ransomware simply encrypted data and asked for ransom in exchange for decryption. These attacks were ineffective against companies with good backup capabilities. Today, ransomware TTPs (tactics, techniques, and procedures) are shifting constantly to evade protective controls and laterally move undetected in networks.

The cybercrime industry has also evolved significantly over the last two decades. In the past, executing successful ransomware attacks was reserved for the most sophisticated hacking groups. Today, one can buy a ransomware subscription for as low as $40.

Double extortion and triple extortion demands are increasing profits for threat actors while further complicating victim organizations' ability to avoid paying. These tactics began in late 2019, when ransomware criminals started auctioning off copies of data stolen before encryption in order to threaten victims and their customers, suppliers, and affiliates with sensitive data leaks and DDoS attacks if they don't pay up.

How does a ransomware attack happen?

By remediating the security gaps that exist at each stage, security teams can manage the top risks that have the highest potential to introduce ransomware into the environment and allow the threat actor to move laterally and use privilege escalation undetected. 

By using cloud risk management, for example, organizations can deny the ransomware criminal the ability to advance to the next stage of the attack and improve their ability to rapidly detect a ransomware event. Managing risks related to remote access, like RDP, can significantly reduce the risk of a ransomware attack.
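As an added example of the remote-access risk check described above (this is illustrative code, not Orca Security's or AWS's own), the function below walks a list of EC2 security groups and flags any rule that exposes RDP (3389) or, as an assumption, SSH (22) to the whole internet. The input mirrors the shape of the EC2 `DescribeSecurityGroups` response so the output of `describe_security_groups()["SecurityGroups"]` could be passed in directly; the three sample groups are constructed for this example.

```python
"""Flag security group rules that expose remote-access ports to 0.0.0.0/0 or ::/0.
Added example for this article; not code from Orca Security or AWS.
The sample groups below are constructed; the field names follow the EC2
DescribeSecurityGroups response shape."""

from typing import Dict, List

# RDP is the service the article calls out; SSH is included as an assumption.
REMOTE_ACCESS_PORTS = {3389: "RDP", 22: "SSH"}
ANYWHERE = {"0.0.0.0/0", "::/0"}


def _port_range(perm: Dict) -> range:
    """Ports covered by one IpPermissions entry; protocol '-1' means all ports."""
    if perm.get("IpProtocol") == "-1":
        return range(0, 65536)
    return range(perm["FromPort"], perm["ToPort"] + 1)


def _open_cidrs(perm: Dict) -> List[str]:
    """CIDRs in the rule that allow the entire IPv4 or IPv6 internet."""
    cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
    cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
    return [c for c in cidrs if c in ANYWHERE]


def find_exposed_remote_access(security_groups: List[Dict]) -> List[Dict]:
    """Return one finding per (group, remote-access port) reachable from anywhere."""
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            # RDP and SSH are TCP; '-1' (all protocols) also covers them.
            if perm.get("IpProtocol") not in ("tcp", "-1"):
                continue
            open_cidrs = _open_cidrs(perm)
            if not open_cidrs:
                continue
            ports = _port_range(perm)
            for port, name in REMOTE_ACCESS_PORTS.items():
                if port in ports:
                    findings.append({"GroupId": sg["GroupId"], "Service": name,
                                     "Port": port, "Cidrs": open_cidrs})
    return findings


# Constructed sample: one group with RDP open to the world, one with RDP limited
# to a private range (plus HTTPS public), one with every port open over IPv6.
SAMPLE_GROUPS = [
    {"GroupId": "sg-0aaa", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-0bbb", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "10.0.0.0/8"}], "Ipv6Ranges": []},
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
    ]},
    {"GroupId": "sg-0ccc", "IpPermissions": [
        {"IpProtocol": "-1", "IpRanges": [], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
]

if __name__ == "__main__":
    for f in find_exposed_remote_access(SAMPLE_GROUPS):
        print(f"{f['GroupId']}: {f['Service']}/{f['Port']} open to {', '.join(f['Cidrs'])}")
```

The check deliberately treats an all-protocol (`-1`) rule as exposing every port, since that is what it does in practice; a rule that restricts RDP to a private range, as in `sg-0bbb`, produces no finding, and the public HTTPS rule is out of scope for this check.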

While there are different ways to categorize ransomware TTPs, using the following six stages can help security teams manage the risks associated with ransomware:

Initial Access Campaign

A ransomware attack starts with an initial access campaign, in which the attacker attempts to exploit an environment and establish a foothold in the network. They can do this through email phishing campaigns, targeted attacks using remote exploits against exposed services such as web servers and remote desktop protocol (RDP), weaponization of websites, vulnerability exploitation, and social engineering. In recent years, criminals have been bypassing the work involved in getting their own initial access. Instead, they can purchase a foothold from an initial access broker (IAB). This trend has accelerated both ransomware-as-a-service and ransomware attacks.

Post-Exploitation Foothold

The threat actor may need to install additional tools to continue to move toward their objective. To establish interactive access with a security tool such as Metasploit or Cobalt Strike, an intermediary remote access tool (RAT) or malware is required.

Lateral Movement

Once inside the network, the ransomware criminal seeks to move laterally through the network, increasing privilege access to establish persistence, and reach their objectives and targets, including critical systems, sensitive data, and C2. They will use stolen credentials and reconnaissance methods in an attempt to move undetected through the environment.

Infection

At this stage, malicious code has been executed and deployed to achieve persistence in systems throughout the network. The ransomware communicates with an external DNS or command-and-control (C2) server, which holds the encryption key. During this dwell time, ransomware criminals are able to scan and analyze sensitive data, file shares, and data stored in the cloud, create an inventory of target files, and exfiltrate data for future leverage in double- and triple-extortion demands.

Encryption

The encryption process starts when a ransomware executable planted at a chosen location in the network is detonated. Data on the network is copied locally, encrypted, then uploaded back to the file shares, replacing the original data. Most, if not all, ransomware uses asymmetric encryption, in which a key pair is used for encryption and decryption. A public key is used to encrypt data, which can only be decrypted using the private key. This private key is known only to the attacker, who uses it to hold the encrypted information for ransom.
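The copy-encrypt-write-back pattern described above leaves a distinctive trace on a file server: one process rewriting many files in a short burst, typically giving them a single new extension. As an added example (not code from the article's sources or from Orca Security), the detector below scans a constructed file-activity log for that pattern and also alerts when a decoy "canary" document is touched. The log line format, the thresholds, the process names and the canary path are all assumptions made for this example.

```python
"""Heuristic detection of the encryption stage from file-activity events.
Added example; the event format, thresholds and sample data are constructed."""

from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import List, NamedTuple, Tuple
import os


class FileEvent(NamedTuple):
    ts: datetime
    host: str
    process: str
    path: str  # path written, or the new name after a rename


# Tunables chosen for this example, not values taken from the article.
WINDOW = timedelta(seconds=60)   # burst window per (host, process)
MIN_FILES = 20                   # distinct files in the window before alerting
EXT_DOMINANCE = 0.9              # share of those files sharing one extension
CANARY_PATHS = {"/srv/share/finance/~canary_do_not_open.xlsx"}  # constructed decoy


def parse_line(line: str) -> FileEvent:
    """Parse 'ISO-timestamp|host|process|path' (constructed log format)."""
    ts, host, process, path = line.strip().split("|", 3)
    return FileEvent(datetime.fromisoformat(ts), host, process, path)


def detect(events: List[FileEvent]) -> List[Tuple]:
    """Return alerts: ('canary', host, proc) or ('mass-rewrite', host, proc, ext, n)."""
    alerts: List[Tuple] = []
    by_proc = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.path in CANARY_PATHS and ("canary", e.host, e.process) not in alerts:
            alerts.append(("canary", e.host, e.process))
        by_proc[(e.host, e.process)].append(e)

    for (host, proc), evs in by_proc.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window so it spans at most WINDOW seconds.
            while evs[end].ts - evs[start].ts > WINDOW:
                start += 1
            files = {ev.path for ev in evs[start:end + 1]}
            if len(files) < MIN_FILES:
                continue
            ext, n = Counter(os.path.splitext(p)[1] for p in files).most_common(1)[0]
            if n / len(files) >= EXT_DOMINANCE:
                alerts.append(("mass-rewrite", host, proc, ext, len(files)))
                break  # one alert per process is enough
    return alerts


def constructed_events() -> List[FileEvent]:
    """Constructed sample: one burst that looks like encryption, one benign backup."""
    base = datetime(2023, 3, 1, 9, 0, 0)
    lines = []
    # 25 documents rewritten to a new extension within 25 seconds by one process.
    for i in range(25):
        t = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{t}|fs01|updater.exe|/srv/share/hr/doc{i}.docx.locked")
    # Benign backup job: 40 writes, mixed extensions, spread over 20 minutes.
    for i in range(40):
        t = (base + timedelta(seconds=30 * i)).isoformat()
        ext = ".docx" if i % 2 else ".xlsx"
        lines.append(f"{t}|fs01|backup.exe|/backup/hr/doc{i}{ext}")
    # The same suspicious process later touches the canary document.
    t = (base + timedelta(seconds=40)).isoformat()
    lines.append(f"{t}|fs01|updater.exe|/srv/share/finance/~canary_do_not_open.xlsx")
    return [parse_line(line) for line in lines]


if __name__ == "__main__":
    for alert in detect(constructed_events()):
        print(alert)
```

Two properties keep the false-positive rate manageable: the burst must be both fast and dominated by one extension, so a nightly backup that writes many files of mixed types over a long period does not trip it, and the canary check gives an early, high-confidence signal that does not depend on volume at all.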

Extortion

After systems are locked down, users trying to access an infected system will be prompted to pay the ransom within the specific deadline, which is usually a few days, to recover the files, or they will be deleted forever. In cases of double- and triple-extortion, auctions may be listed on the dark web to encourage victims to pay up. Ransomware gangs may or may not provide the ransomware decryption key in exchange for payment. Even when victims pay the ransom, stolen data is often re-sold to other cyber criminals anyway.


Sources:

https://securityintelligence.com/posts/analysis-of-ransomware/

https://www.f5.com/labs/articles/threat-intelligence/2022-application-protection-report-in-expectation-of-exfiltration

Ransomware Preparedness Starts with a Strong Security Posture

The attack surface of the public cloud is large, and the margin of error is low. Many businesses are storing large amounts of sensitive data specifically in the cloud. This has made cloud platforms a prime target for ransomware. Another top risk is cloud misconfiguration and unpatched vulnerabilities. 

By developing a strategy that leverages best-in-class cloud security, you can proactively remediate the most critical cloud ransomware risks to improve security posture and lower the impact of ransomware attacks in cloud, multi-cloud, and hybrid environments.

How do Orca Security and AWS help protect against cloud ransomware attacks?

With Orca Security, you can detect and mitigate various cloud misconfigurations, vulnerabilities, and malware on AWS and other cloud platforms.

Orca’s CNAPP technology provides complete and uninterrupted visibility into AWS resources and services, like Amazon Elastic Compute Cloud (Amazon EC2), AWS Fargate, Amazon Elastic Container Service (Amazon ECS), AWS Lambda, and many more.

Curious to learn the many ways Orca Security can help your DevSecOps team mitigate cloud vulnerabilities and detect malware in AWS? 

There are five ways in which Orca Security and AWS can help you protect your cloud environments from ransomware attacks. 

Find out how these two cloud security partners can help you gain the edge you need to fight ransomware attacks in the cloud by downloading the new eBook, 5 Ways Orca Security and AWS Protect Against Ransomware.