{
	"id": "36d700f7-02b0-4237-b051-fce35e42553f",
	"created_at": "2026-04-06T00:09:00.287575Z",
	"updated_at": "2026-04-10T13:11:52.812674Z",
	"deleted_at": null,
	"sha1_hash": "74f4efae43c31a1294ecc2db39958724a1cc284a",
	"title": "Ransomware Deployment Trends | They Come in the Night",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 872418,
	"plain_text": "Ransomware Deployment Trends | They Come in the Night\r\nBy Mandiant\r\nPublished: 2020-03-16 · Archived: 2026-04-05 20:20:47 UTC\r\nWritten by: Kelli Vanderlee\r\nRansomware is a remote, digital shakedown. It is disruptive and expensive, and it affects all kinds of organizations, from cutting-edge space technology firms, to the wool industry, to industrial environments. Infections have forced hospitals to turn away patients and law enforcement to drop cases against drug dealers. Ransomware operators have recently begun combining encryption with the threat of data leak and exposure in order to increase leverage against victims. There may be a silver lining, however; Mandiant Intelligence research suggests that focusing defensive efforts in key areas and acting quickly may allow organizations to stop ransomware before it is deployed.\r\nMandiant Intelligence examined dozens of ransomware incident response investigations from 2017 to 2019. Through this research, we identified a number of common characteristics in initial intrusion vectors, dwell time, and time of day of ransomware deployment. We also noted threat actor innovations in tactics to maximize profits (Figure 1). Incidents affected organizations across North America, Europe, Asia Pacific, and the Middle East in nearly every sector category, including financial services, chemicals and materials, legal and professional services, local government, and healthcare. We observed intrusions attributed to financially motivated groups such as FIN6, TEMP.MixMaster, and dozens of additional activity sets.\r\nhttps://www.mandiant.com/resources/they-come-in-the-night-ransomware-deployment-trends\r\nPage 1 of 8\n\nFigure 1: Themes Observed in Ransomware Incidents\r\nThese incidents provide us with enhanced insight into ransomware trends that can be useful for network defenders, but it is worth bearing in mind that this data represents only a sample of all activity. 
For example, Mandiant ransomware investigations increased 860% from 2017 to 2019. The majority of these incidents appeared to be post-compromise infections, and we believe that threat actors are accelerating use of tactics including post-compromise deployment to increase the likelihood of ransom payment. We also observed incidents in which ransomware was executed immediately, for example GANDCRAB and GLOBEIMPOSTER incidents, but most of the intrusions examined were longer duration and more complex post-compromise deployments.\r\nCommon Initial Infection Vectors\r\nWe noted several initial infection vectors across multiple ransomware incidents, including RDP, phishing with a malicious link or attachment, and drive-by download of malware facilitating follow-on activity. RDP was more frequently observed in 2017 and declined in 2018 and 2019. These vectors demonstrate that ransomware can enter victim environments by a variety of means, not all of which require user interaction.\r\nRDP or other remote access: One of the most frequently observed vectors was an attacker logging on to a system in a victim environment via Remote Desktop Protocol (RDP). In some cases, the attacker brute-forced the credentials (many failed authentication attempts followed by a successful one). In other cases, a successful RDP log on was the first evidence of malicious activity prior to a ransomware infection. It is possible that the targeted system used default or weak credentials, the attackers acquired valid credentials via other unobserved malicious activity, or the attackers purchased RDP access established by another threat actor. 
In April 2019, we noted that FIN6 used stolen credentials and RDP to move laterally in cases resulting in ransomware deployment.\r\nPhishing with link or attachment: A significant number of ransomware cases were linked to phishing campaigns delivering some of the most prolific malware families in financially motivated operations: TRICKBOT, EMOTET, and FLAWEDAMMYY. In January 2019, we described TEMP.MixMaster TrickBot infections that resulted in interactive deployment of Ryuk.\r\nDrive-by download: Several ransomware infections were traced back to a user in the victim environment navigating to a compromised website that resulted in a DRIDEX infection. In October 2019, we documented compromised web infrastructure delivering FAKEUPDATES, then DRIDEX, and ultimately BITPAYMER or DOPPELPAYMER infections.\r\nMost Ransomware Deployments Take Place Three or More Days After Initial Infection\r\nThe number of days elapsed between the first evidence of malicious activity and the deployment of ransomware ranged from zero to 299 days (Figure 2). That is, dwell times range quite widely, and in most cases, there was a time gap between first access and ransomware deployment. For 75 percent of incidents, at least three days passed between the first evidence of malicious activity and ransomware deployment.\r\nThis pattern suggests that for many organizations, if initial infections are detected, contained, and remediated quickly, the significant damage and cost associated with a ransomware infection could be avoided. In fact, in a handful of cases, Mandiant incident responders and FireEye Managed Defense contained and remediated malicious activity, likely preventing ransomware deployment. 
Several investigations discovered evidence of ransomware installed into victim environments but not yet successfully executed.\r\nFigure 2: Days elapsed between initial access and ransomware deployment\r\nRansomware Deployed Most Often After Hours\r\nIn 76% of incidents we reviewed, ransomware was executed in victim environments after hours, that is, on a weekend or before 8:00 a.m. or after 6:00 p.m. on a weekday, using the time zone and customary work week of the victim organization (Figure 3 and Figure 4). This observation underscores that threat actors continue working even when most employees may not be.\r\nSome attackers possibly intentionally deploy ransomware after hours, on weekends, or during holidays, to maximize the potential effectiveness of the operation on the assumption that any remediation efforts will be implemented more slowly than they would be during normal work hours. In other cases, attackers linked ransomware deployment to user actions. For example, in 2019 incidents at retail and professional services firms, attackers created an Active Directory Group Policy Object to trigger ransomware execution based on user log on and log off.\r\nFigure 3: Ransomware execution frequently takes place after hours\r\nFigure 4: Ransomware execution by hour of the day\r\nMitigation Recommendations\r\nOrganizations seeking to prevent or mitigate the effects of ransomware infections could consider the following steps. 
For more comprehensive recommendations for addressing ransomware, please refer to our blog post: Ransomware Protection and Containment Strategies: Practical Guidance for Endpoint Protection, Hardening, and Containment.\r\nAddress Infection Vectors:\r\nUse enterprise network, email, and host-based security products with up-to-date detections to prevent and detect many common malware strains such as TRICKBOT, DRIDEX, and EMOTET.\r\nContain and remediate infections quickly to prevent attackers from conducting follow-on activity or selling access to other threat actors for further exploitation.\r\nPerform regular network perimeter and firewall rule audits to identify any systems that have inadvertently been left accessible to the internet. Disable RDP and other protocols to systems where this access is not expressly required. Enable multi-factor authentication where possible, particularly to internet-accessible connections; see pages 4-15 of the white paper for more details.\r\nEnforce multi-factor authentication, that is, where enabled, do not allow single-factor authentication for users who have not set up the multi-factor mechanism.\r\nImplement Best Practices:\r\nFor example, carry out regular anti-phishing training for all employees that operate a device on the company network. 
Ensure employees are aware of the threat, their role in preventing it, and the potential cost of a successful infection.\r\nImplement network segmentation when possible to prevent a potential infection from spreading.\r\nCreate regular backups of critical data necessary to ensure business continuity and, if possible, store them offsite, as attackers often target backups.\r\nRestrict Local Administrator accounts from specific log on types; see page 18 of the white paper for more details.\r\nUse a solution such as LAPS to generate a unique Local Administrator password for each system.\r\nDisallow cleartext passwords to be stored in memory in order to prevent Mimikatz credential harvesting; see p. 20 of the white paper for more details.\r\nConsider cyber insurance that covers ransomware infection.\r\nEstablish Emergency Plans:\r\nEnsure that after-hours coverage is available to respond within a set time period in the case of an emergency.\r\nInstitute after-hours emergency escalation plans that include redundant means to contact multiple stakeholders within the organization and 24-hour emergency contact information for any relevant third-party vendors.\r\nOutlook\r\nRansomware is disruptive and costly. Threat actor innovations have only increased the potential damage of ransomware infections in recent years, and this trend shows no sign of slowing down. We expect that financially motivated actors will continue to evolve their tactics to maximize profit generated from ransomware infections. We anticipate that post-compromise ransomware infections will continue to rise and that attackers will increasingly couple ransomware deployment with other tactics, such as data theft and extortion, increasing ransom demands, and targeting critical systems.\r\nThe good news is that particularly with post-compromise infections, there is often a window of time between the first malicious action and ransomware deployment. 
If network defenders can detect and remediate the initial compromise quickly, it is possible to avoid the significant damage and cost of a ransomware infection.\r\nPosted in\r\nThreat Intelligence\r\nSecurity \u0026 Identity\r\nSource: https://www.mandiant.com/resources/they-come-in-the-night-ransomware-deployment-trends",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.mandiant.com/resources/they-come-in-the-night-ransomware-deployment-trends"
	],
	"report_names": [
		"they-come-in-the-night-ransomware-deployment-trends"
	],
	"threat_actors": [
		{
			"id": "12517c87-040a-4627-a3df-86ca95e5c13f",
			"created_at": "2022-10-25T16:07:23.61665Z",
			"updated_at": "2026-04-10T02:00:04.689Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"ATK 88",
				"Camouflage Tempest",
				"FIN6",
				"G0037",
				"Gold Franklin",
				"ITG08",
				"Skeleton Spider",
				"Storm-0538",
				"TAAL",
				"TAG-CR2",
				"White Giant"
			],
			"source_name": "ETDA:FIN6",
			"tools": [
				"AbaddonPOS",
				"Agentemis",
				"AmmyyRAT",
				"Anchor_DNS",
				"BlackPOS",
				"CmdSQL",
				"Cobalt Strike",
				"CobaltStrike",
				"FlawedAmmyy",
				"FrameworkPOS",
				"Grateful POS",
				"JSPSPY",
				"Kaptoxa",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LockerGoga",
				"MMon",
				"Magecart",
				"Meterpreter",
				"Mimikatz",
				"More_eggs",
				"NeverQuest",
				"POSWDS",
				"Reedum",
				"Ryuk",
				"SCRAPMINT",
				"SONE",
				"SpicyOmelette",
				"StealerOne",
				"Taurus Loader Stealer Module",
				"Terra Loader",
				"TerraStealer",
				"Vawtrak",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"cobeacon",
				"grabnew"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f6f91e1c-9202-4497-bf22-9cd5ef477600",
			"created_at": "2023-01-06T13:46:38.86765Z",
			"updated_at": "2026-04-10T02:00:03.12735Z",
			"deleted_at": null,
			"main_name": "WIZARD SPIDER",
			"aliases": [
				"TEMP.MixMaster",
				"GOLD BLACKBURN",
				"DEV-0193",
				"UNC2053",
				"Pistachio Tempest",
				"DEV-0237",
				"Storm-0230",
				"FIN12",
				"Periwinkle Tempest",
				"Storm-0193",
				"Trickbot LLC"
			],
			"source_name": "MISPGALAXY:WIZARD SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ea7bfe06-7c23-481d-b8ba-eafa6cda3bc9",
			"created_at": "2022-10-25T15:50:23.317961Z",
			"updated_at": "2026-04-10T02:00:05.280403Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"FIN6",
				"Magecart Group 6",
				"ITG08",
				"Skeleton Spider",
				"TAAL",
				"Camouflage Tempest"
			],
			"source_name": "MITRE:FIN6",
			"tools": [
				"FlawedAmmyy",
				"GrimAgent",
				"FrameworkPOS",
				"More_eggs",
				"Cobalt Strike",
				"Windows Credential Editor",
				"AdFind",
				"PsExec",
				"LockerGoga",
				"Ryuk",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b3acfb48-b04d-4d3d-88a8-836d7376fa2e",
			"created_at": "2024-06-19T02:03:08.052814Z",
			"updated_at": "2026-04-10T02:00:03.659971Z",
			"deleted_at": null,
			"main_name": "GOLD FRANKLIN",
			"aliases": [
				"FIN6 ",
				"ITG08 ",
				"MageCart Group 6 ",
				"Skeleton Spider ",
				"Storm-0538 ",
				"White Giant "
			],
			"source_name": "Secureworks:GOLD FRANKLIN",
			"tools": [
				"FrameWorkPOS",
				"Metasploit",
				"Meterpreter",
				"Mimikatz",
				"PowerSploit",
				"PowerUpSQL",
				"RemCom"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "63061658-5810-4f01-9620-7eada7e9ae2e",
			"created_at": "2022-10-25T15:50:23.752974Z",
			"updated_at": "2026-04-10T02:00:05.244531Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"Wizard Spider",
				"UNC1878",
				"TEMP.MixMaster",
				"Grim Spider",
				"FIN12",
				"GOLD BLACKBURN",
				"ITG23",
				"Periwinkle Tempest",
				"DEV-0193"
			],
			"source_name": "MITRE:Wizard Spider",
			"tools": [
				"TrickBot",
				"AdFind",
				"BITSAdmin",
				"Bazar",
				"LaZagne",
				"Nltest",
				"GrimAgent",
				"Dyre",
				"Ryuk",
				"Conti",
				"Emotet",
				"Rubeus",
				"Mimikatz",
				"Diavol",
				"PsExec",
				"Cobalt Strike"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "ee3363a4-e807-4f95-97d8-b603c31b9de1",
			"created_at": "2023-01-06T13:46:38.485884Z",
			"updated_at": "2026-04-10T02:00:02.99385Z",
			"deleted_at": null,
			"main_name": "FIN6",
			"aliases": [
				"SKELETON SPIDER",
				"ITG08",
				"MageCart Group 6",
				"ATK88",
				"TA4557",
				"Storm-0538",
				"White Giant",
				"GOLD FRANKLIN",
				"G0037",
				"Camouflage Tempest"
			],
			"source_name": "MISPGALAXY:FIN6",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e6a21528-2999-4e2e-aaf4-8b6af14e17f3",
			"created_at": "2022-10-25T16:07:24.422115Z",
			"updated_at": "2026-04-10T02:00:04.983298Z",
			"deleted_at": null,
			"main_name": "Wizard Spider",
			"aliases": [
				"DEV-0193",
				"G0102",
				"Gold Blackburn",
				"Gold Ulrick",
				"Grim Spider",
				"ITG23",
				"Operation BazaFlix",
				"Periwinkle Tempest",
				"Storm-0230",
				"TEMP.MixMaster",
				"Wizard Spider"
			],
			"source_name": "ETDA:Wizard Spider",
			"tools": [
				"AdFind",
				"Agentemis",
				"Anchor_DNS",
				"BEERBOT",
				"BazarBackdoor",
				"BazarCall",
				"BazarLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"Conti",
				"Diavol",
				"Dyranges",
				"Dyre",
				"Dyreza",
				"Dyzap",
				"Gophe",
				"Invoke-SMBAutoBrute",
				"KEGTAP",
				"LaZagne",
				"LightBot",
				"PowerSploit",
				"PowerTrick",
				"PsExec",
				"Ryuk",
				"SessionGopher",
				"TSPY_TRICKLOAD",
				"Team9Backdoor",
				"The Trick",
				"TheTrick",
				"Totbrick",
				"TrickBot",
				"TrickLoader",
				"TrickMo",
				"Upatre",
				"bazaloader",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434140,
	"ts_updated_at": 1775826712,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/74f4efae43c31a1294ecc2db39958724a1cc284a.pdf",
		"text": "https://archive.orkl.eu/74f4efae43c31a1294ecc2db39958724a1cc284a.txt",
		"img": "https://archive.orkl.eu/74f4efae43c31a1294ecc2db39958724a1cc284a.jpg"
	}
}