One of the many things people want to know after they suffer a ransomware attack is “how did they gain access to my network?”  However it happened, it may have happened many months ago – and ransomware victims may have bigger problems than encrypted files.

In many cases, Small and Medium-sized Businesses compromised with malware don’t discover it for more than two years – the average is 798 days, according to Infocyte.  When looking at ransomware specifically, the average “dwell time” for cybercriminals on SMB networks is 43 days.  Hackers don’t want to wait too long to trigger a ransomware payload in case they lose access to the network, but they’re still perfectly happy staying inside the network for up to six months, because there’s plenty of money to be gained along the way to the final attack.

The FBI warned companies back in December that the ransomware attack is the final shake of the money tree.  Once hackers find their way on to a network, they scan the network to determine what files their stolen credentials can access.  At large corporations, there might be intellectual property that is worth large amounts of money to the right buyer.  Smaller companies might not have multi-million dollar trade secrets, but they do have private information like customer credit card data or employee records.  These aren’t worth much individually, but when they’re sold as a package on the dark web they can earn the criminals thousands of dollars.

Cybercriminals may also wait until the ideal time to trigger their ransom demand – and that means the worst possible time for you.  Anti-malware company Malwarebytes told Wired magazine recently that the “dwell” time on networks range from days to months.

“When the time has come for ransomware deployment, threat actors will typically choose weekends, and preferably the wee hours of Sunday morning. This made sense pre-pandemic as staff would typically return to work on Mondays to witness the damage,” says Jérôme Segura, head of threat intelligence at the monitoring firm Malwarebytes.

In fact, Microsoft is reporting that many healthcare companies learned over the past few months that hackers had been in their networks for months.  Once the pandemic overwhelmed their hospitals, they activated ransomware.  The pandemic allowed them to raise their prices, because hospitals didn’t have the resources to slow down and try to recover from the data loss.

Microsoft has also laid out the techniques used to gain network entry in these sleeper cell attacks.  At the top of their list: Remote Desktop Protocol access without Multi-Factor Authentication, and hardware running Windows operating systems that has reached end of life and is no longer receiving security updates.  Networks that allow the use of weak passwords (short passwords or those without symbols or numbers) are especially vulnerable.

The only good news in all of this is that the final payload may be able to be prevented if companies catch the hackers lying in wait.  Isolating compromised PCs from the network (and possibly the internet) may prevent the attacker from triggering the ransomware demand.  You may also be able to kick them off the network before they’ve stolen all of the files they’re after, like customer credit card information.  By lying dormant, hackers are gambling that they won’t get caught.  A security scan at the right time, however, might make that a bad gamble.

To learn how WingSwept can help your company manage cybersecurity threats, call us at 919-460-7011 or email us at