Breaking in After Hours: Ransomware Trend Intelligence

Ransomware is a remote, digital shakedown. Disruptive to the core and costly to resolve, it doesn’t discriminate, affecting organizations from cutting-edge space technology to the wool industry and industrial environments.


Following investigations into ransomware incidents between 2017 and 2019, Mandiant Threat Intelligence identified a number of common characteristics in the initial intrusion vectors, dwell time and time of day for ransomware deployment, providing enhanced insight trends that are useful for network defenders.

Breaking in

Our research has detected several initial infection vectors across multiple ransomware incidents, including Remote Desktop Protocol, phishing with a malicious link or attachment and drive by download of malware. These vectors demonstrate that ransomware can enter victim environments by a variety of means, not all of which require user interaction.

The Timeline from Infection to Ransomware

After a breach occurred, the number of days that elapsed between the first evidence of malicious activity and the deployment of ransomware ranged from zero to 299 days. At least three days passed between the initial breach and the deployment of ransomware in 75% of cases studied. This pattern suggests that for many organizations, if initial infections are detected, contained and remediated quickly, the significant damage and cost associated with a ransomware infection could be avoided.

Figure 1: Days elapsed between initial access and ransomware deployment


Ransomware execution was frequently found to take place after hours; in 76% of incidents reviewed, ransomware was executed in victim environments before 8:00 a.m. or after 6:00 p.m on a weekday or over the weekend, using the time zone and customary working week of the victim organization. Some attackers may intentionally deploy ransomware after hours to maximize the potential effectiveness of their operation, believing that any remediation efforts will be implemented more slowly than they would be during normal working hours.

Figure 2: Observed ransomware deployment: work hours vs. after hours


Threat actor innovations have only increased the potential damage of ransomware infections in recent years and this trend shows no sign of slowing down. Financially motivated actors are expected to continue to evolve their tactics to maximize profit generated from ransomware infections. Post-compromise ransomware infections will continue to rise and attackers will increasingly couple ransomware deployment with other tactics such as data theft and extortion, increasing ransom demands and targeting critical systems.

The relief for security professionals is that with post-compromise infections, there is often a window of time between the first malicious action and ransomware deployment. If network defenders can detect and remediate the initial compromise quickly, it may be possible to avoid significant damage and the expense of a ransomware infection.

For more information on Mandiant Threat Intelligence research and expert advice on risk mitigation strategies, access our latest ransomware webinar.