Date: 2025-07-10

IBM X-Force analyzed the evidence from multiple ransomware attack investigations that occurred between 2019 and 2021. In each investigation, access to the victim network was obtained through an initial access broker, a cybercriminal who specializes in breaching companies and then selling that access to ransomware attackers. The research focused on better understanding the duration of the activities during the various stages of a ransomware attack.

The research found that the average duration of an enterprise ransomware attack (the time between initial access and ransomware deployment) decreased 94.34% between 2019 and 2021. Although the attack lifecycle shortened substantially, the research did not reveal substantial changes in the tools, techniques and procedures used by threat actors.

Additionally, X-Force analyzed victim organizations’ ability to prevent, detect, and respond to ransomware attacks prior to the deployment of the ransomware and found that ransomware attacks have continually been successful against organizations that have not implemented effective measures to combat the threat of ransomware.

Rather than changes in tools, techniques and procedures, the evidence revealed that the time taken to transfer access from the access broker to an interactive session used to carry out the ransomware attack has decreased significantly, and that ransomware operators have become more efficient at gaining privileged access to Active Directory and deploying the ransomware. Understanding the speed and efficiency of ransomware attacks enables organizations to develop a detection and response strategy that is specifically designed to address the ransomware threat.