New research reveals ransomware gangs are accelerating encryption timelines while adopting advanced evasion techniques and data extortion strategies.
A 2025 threat report by cybersecurity firm Huntress reveals ransomware gangs now take just 17 hours on average to encrypt systems after initial network intrusion, with some groups like Akira and RansomHub operating in as little as 4–6 hours.
This “smash-and-grab” approach contrasts sharply with the weeks-long dwell times common in earlier ransomware campaigns, leaving organizations with less time to detect and respond.
The Huntress researchers also found that attackers are using advanced tools and techniques to breach systems across a range of industries, including healthcare, technology, education, government, and manufacturing.
How Attackers Accelerate Encryption
Attackers use tools like Mimikatz and PowerShell scripts to dump credentials from memory:
```powershell
Invoke-Mimikatz -Command "privilege::debug sekurlsa::logonpasswords"
```
This enables rapid lateral movement through networks using stolen domain admin accounts.
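From the defender's side, the command above leaves a distinctive trace in PowerShell Script Block Logging (Event ID 4104). The following Python example, added here and not part of the Huntress report or this article, scans a set of constructed 4104-style records for the indicator strings that appear in that command, after normalising case, whitespace and PowerShell's backtick escape character so trivial spacing or escaping differences do not hide them. The record layout and the sample entries are assumptions of this example.

```python
import re

# Indicator strings taken from the credential-dumping command shown in the article,
# lowercased because matching is done on a lowercased script block.
CREDENTIAL_DUMP_INDICATORS = (
    "invoke-mimikatz",
    "privilege::debug",
    "sekurlsa::logonpasswords",
)

# Constructed sample records in the shape of PowerShell Script Block Logging
# (Event ID 4104) events. The field names are an assumption of this example.
SAMPLE_EVENTS = [
    {"id": 1, "event_id": 4104, "host": "ws01",
     "script": "Get-ChildItem C:\\Users | Measure-Object"},
    {"id": 2, "event_id": 4104, "host": "ws01",
     "script": 'Invoke-Mimikatz -Command "privilege::debug sekurlsa::logonpasswords"'},
    {"id": 3, "event_id": 4104, "host": "srv02",
     "script": 'Invoke-Mim`ikatz   -Command "sekurlsa::logonpasswords"'},
    {"id": 4, "event_id": 4104, "host": "srv02",
     "script": "Restart-Service Spooler"},
]


def normalize(script: str) -> str:
    """Lowercase, drop PowerShell's backtick escape and collapse runs of whitespace."""
    return re.sub(r"\s+", " ", script.replace("`", "")).lower()


def matched_indicators(script: str) -> list[str]:
    """Return the indicator strings present in one script block, in table order."""
    text = normalize(script)
    return [indicator for indicator in CREDENTIAL_DUMP_INDICATORS if indicator in text]


def find_credential_dumping(events: list[dict]) -> list[dict]:
    """One alert per 4104 event whose script block contains at least one indicator."""
    alerts = []
    for event in events:
        if event.get("event_id") != 4104:
            continue  # only script block logging records are inspected here
        hits = matched_indicators(event["script"])
        if hits:
            alerts.append({"id": event["id"], "host": event["host"], "indicators": hits})
    return alerts


if __name__ == "__main__":
    for alert in find_credential_dumping(SAMPLE_EVENTS):
        print(alert)
```

Running the block reports events 2 and 3 and lists which indicators each one contained; in practice the same function would be fed from a SIEM export rather than the inline sample list, and the indicator tuple would be extended with the other credential-access strings an organisation tracks.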
Over 60% of 2024 ransomware incidents stemmed from vulnerabilities in remote access tools:
- ScreenConnect (CVE-2024-1709): Path traversal flaw allowed unauthenticated RCE
- CrushFTP (CVE-2024-4040): Auth bypass led to server compromise
Newer ransomware families like CryptNet optimize encryption speed by encrypting only parts of larger files:
```python
# Pseudocode for the partial (intermittent) encryption scheme described in the report
if file_size < 512 * 1024:          # files under 512 KB are encrypted in full
    encrypt_full_file()
else:                               # larger files: only three 128 KB regions are touched
    encrypt_chunks(first_128KB, middle_128KB, last_128KB)
```
This approach maintains cryptographic impact while reducing encryption time by 70%.
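Because this scheme leaves most of a large file untouched, a file-level check cannot rely on whole-file entropy alone: the average is dragged down by the unencrypted middle. The Python example below, added here and not taken from the report or from any ransomware family, measures Shannon entropy separately in the head, middle and tail 128 KB regions and in everything else, and classifies a file as plain, partially encrypted or fully encrypted. Files under the 512 KB threshold, where the scheme encrypts everything, fall back to a whole-file entropy check. The sample data (repeated log-like text, with random bytes standing in for ciphertext) and the 7.5 bits/byte threshold are constructed assumptions of this example.

```python
import math
import random
from collections import Counter

CHUNK = 128 * 1024        # 128 KB regions, matching the scheme described above
SMALL_FILE = 512 * 1024   # below this size the scheme encrypts the whole file
HIGH_ENTROPY = 7.5        # bits per byte; encrypted or random data sits close to 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def region_entropies(data: bytes) -> dict[str, float]:
    """Entropy of the head, middle and tail 128 KB regions, and of everything else.

    Only meaningful for files of at least SMALL_FILE bytes, where the regions
    cannot overlap.
    """
    n = len(data)
    mid_start = n // 2 - CHUNK // 2
    return {
        "head": shannon_entropy(data[:CHUNK]),
        "middle": shannon_entropy(data[mid_start:mid_start + CHUNK]),
        "tail": shannon_entropy(data[n - CHUNK:]),
        "rest": shannon_entropy(data[CHUNK:mid_start] + data[mid_start + CHUNK:n - CHUNK]),
    }


def classify(data: bytes) -> str:
    """Return 'plain', 'partial' or 'full' depending on which regions look encrypted."""
    if len(data) < SMALL_FILE:
        # Small files are encrypted in full, so a single whole-file measurement suffices.
        return "full" if shannon_entropy(data) >= HIGH_ENTROPY else "plain"
    e = region_entropies(data)
    sampled_hot = all(e[r] >= HIGH_ENTROPY for r in ("head", "middle", "tail"))
    rest_hot = e["rest"] >= HIGH_ENTROPY
    if sampled_hot and rest_hot:
        return "full"
    if sampled_hot and not rest_hot:
        return "partial"   # the signature of the three-chunk scheme
    return "plain"


def build_samples() -> dict[str, bytes]:
    """Constructed 1 MB samples: plain text, the same text with the three regions
    overwritten by random bytes (a stand-in for ciphertext), and all-random data."""
    line = b"2024-11-02 09:14:33 INFO order=10231 customer=4412 status=shipped\n"
    size = 1024 * 1024
    plain = (line * (size // len(line) + 1))[:size]
    rng = random.Random(7)  # fixed seed so the samples are reproducible
    partial = bytearray(plain)
    mid_start = size // 2 - CHUNK // 2
    for start in (0, mid_start, size - CHUNK):
        partial[start:start + CHUNK] = rng.randbytes(CHUNK)
    return {"plain": plain, "partial": bytes(partial), "full": rng.randbytes(size)}


if __name__ == "__main__":
    for name, blob in build_samples().items():
        print(f"{name:8s} -> {classify(blob)}  {region_entropies(blob)}")
```

A scanner built on this logic would run over recently modified files on a file server or backup target and alert when a large number of documents flip to "partial" or "full" within a short window; the regional split is what keeps the partially encrypted case from hiding behind an unremarkable whole-file average.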
Shifting ransomware economics:

| Group | Avg. TTR | Payout to Affiliates |
|---|---|---|
| RansomHub | 6.4 hrs | 85-90% |
| INC/Lynx | 7.7 hrs | 80% |
| LockBit 4.0 | 17.8 hrs | 75% |
The affiliate model drives faster attacks, with high payouts incentivizing volume over precision. Notably, 38% of incidents now involve pure data extortion without encryption, as seen in BianLian’s campaigns.
Healthcare and education sectors were hardest hit:
- 45% of healthcare attacks used Java-based RATs like STRRAT
- 24% of education incidents involved Chromeloader infostealers
To strengthen defenses against ransomware, organizations should limit access to Remote Monitoring and Management (RMM) tools, as 74.5% of attacks exploited ConnectWise ScreenConnect.
Moreover, blocking LOLBin execution through registry modifications can prevent abuse of system-native tools.
Enabling AES-NI hardware encryption helps mitigate partial-file encryption attacks, reducing data loss risks. As Huntress researchers emphasize, “The 17-hour window isn’t a grace period—it’s a countdown.”
With ransomware now exceeding $30 billion globally, businesses must adopt rapid-response security measures, ensuring hourly backup validation and proactive threat mitigation.