Minimising dwell time in ransomware: Strategies for immediate action

Ransomware has shifted from slow, stealthy compromises to smash and grab operations. For many organisations, the window between first compromise and full encryption is now measured in hours, not days.

If you’re reading this because you’re concerned about the security of your remote workforce and endpoints, contact Zensec. Our experienced team can advise you on best practice and the appropriate steps to take.

Secureworks reports that in more than half of observed cases, ransomware is deployed within a day of initial access, with a median dwell time of under 24 hours and some attacks going from first foothold to deployment in under 5 hours. At the same time, wider industry data still shows many attacks taking around 4 to 6 days from compromise to encryption, which gives defenders a small but vital opportunity to detect and contain intrusions before the worst happens.

In the UK, that shrinking window sits against a backdrop of rising threat levels. The NCSC has reported a sharp increase in significant cyber incidents, with ransomware a major driver, and nearly 200 large ransomware incidents in a single year.

In this environment, reducing dwell time is one of the most meaningful ways to limit damage. This article explains how attackers typically get in, why dwell time matters so much, and what UK organisations can do both in the heat of an incident and in calmer times to drive that number down.

How ransomware gets in: initial access and attack vectors

Across incident response engagements, three initial access methods dominate ransomware operations:

Scan and exploit of internet facing systems, compromised credentials, and phishing delivered commodity malware. In one large dataset, scan and exploit and stolen credentials each accounted for around 32 percent of known ransomware intrusions, with phishing delivered commodity malware representing a further 14 percent. Those high level labels hide familiar weaknesses.

Scan and exploit

Attackers continuously scan for exposed services and devices, especially VPNs, firewalls, remote management tools and web applications. They then fire off exploits for known vulnerabilities, often relying on unpatched issues from previous years rather than bleeding edge zero days.

For UK organisations, unmanaged shadow IT, misconfigured cloud services and legacy line of business systems are a consistent weak point. Once a single external service is compromised, attackers can pivot inside the environment and begin privilege escalation and discovery.

Stolen credentials

Compromised usernames and passwords are a close second. Credentials are harvested through phishing sites, malware, info stealers, and third party breaches, then sold or traded across the criminal ecosystem.

Attackers then test these credentials against VPNs, RDP gateways, O365 or other remote access services. Where multi factor authentication is weak or absent, a single reused password can be enough to gain a foothold.

Phishing and commodity malware

Phishing remains a favoured route to deliver commodity malware like loaders and remote access trojans. These tools give attackers initial persistence and visibility, which is later handed off to a hands on keyboard operator who conducts the ransomware phase.

Where penetration testing fits

You cannot manage dwell time if you do not understand the paths attackers are likely to follow in your specific environment. Targeted penetration testing that mimics these initial access techniques is one of the most reliable ways to uncover and close those paths before a real intrusion.

A structured programme of ransomware focused penetration testing services can reveal exposed services, credential weaknesses and lateral movement routes that off the shelf tools often miss, and help you prioritise remediation where it matters most.

Why dwell time matters more than ever

Dwell time is the period between an attacker gaining initial access and being detected or achieving their objective. In a ransomware context, that endpoint is typically data exfiltration, widespread encryption or both.

Shorter dwell time is not automatically good news. It often means attackers have streamlined their playbooks rather than defenders catching them earlier.

Modern ransomware operators tend to follow a pattern that unfolds far faster than traditional “slow burn” breaches:

  1. Initial access through an exposed service, stolen credential or phishing.
  2. Rapid privilege escalation, often to domain admin, sometimes in a matter of hours.
  3. Discovery of file shares, critical systems and backup infrastructure.
  4. Covert data exfiltration, commonly within the first two days of compromise.
  5. Mass deployment of the ransomware payload and destruction or encryption of backups.

When dwell time is measured in hours, there is almost no margin for slow decision making, unclear incident ownership or under resourced monitoring. What you do in the first working day of suspicious activity largely determines whether you are quietly ejecting an intruder or negotiating with a criminal gang.

Immediate steps if you are under attack

If you are reading this because you think something is already wrong in your environment, the priority is containment and expert support, not a perfect root cause analysis.

If you are under attack or suspect you might be, contact Zensec immediately for incident response support.

The following actions are high level guidelines, written with UK organisations and NCSC best practice in mind. They do not replace your own incident response plan or legal advice, but they can help you act quickly and coherently.

Step 1: Contain first

Move quickly to limit the attacker’s ability to spread or cause further damage.

That usually means isolating affected systems from the network, disabling compromised user accounts, and locking down remote access paths such as VPNs, RDP and admin tools. In many cases a temporary, controlled shutdown of non essential services is the lesser evil compared with uncontrolled lateral movement and enterprise wide encryption.

Where possible, perform logical isolation using network controls rather than simply powering off every suspect device, so that forensic evidence is not lost.

Step 2: Preserve evidence and start a timeline

From the first suspicious alert or user report, maintain a simple but accurate timeline of events. Record who saw what, when key systems were taken offline, and any indicators of compromise identified.

Preserve relevant logs from endpoints, servers, identity providers, firewalls, proxies and email systems. Avoid reimaging or wiping systems until a responder has confirmed that it is safe to do so without destroying critical evidence.

This evidence is essential for effective technical response, insurance claims, regulatory reporting and potential law enforcement action.

Step 3: Activate your incident response plan and communications

If your organisation has an incident response plan, now is the time to activate it fully, not to improvise around it.

Ensure roles are clearly assigned. Someone should own technical response, someone communications, and someone decision making at executive level. Internal messaging should be calm, factual and aligned, especially where staff are being asked to disconnect devices or change working patterns.

External communications may need to include customers, suppliers and regulators, depending on the nature of the data at risk. In the UK, a personal data breach can trigger reporting obligations to the ICO and affected individuals under UK GDPR, and regulators will expect to see that your response followed documented processes and recognised guidance.

Step 4: Engage expert support and consider law enforcement

Most organisations do not handle enough major incidents each year to build deep internal experience. Engaging specialist incident responders and legal counsel early helps avoid missteps that extend dwell time or worsen the impact.

You should also consider engaging law enforcement and the NCSC, particularly for attacks affecting critical services or public bodies, or where there may be links to state sponsored actors.

The decision whether to pay a ransom is complex and increasingly constrained for UK organisations, particularly in regulated sectors. Current NCSC and Home Office positions strongly discourage payment and recent proposals move towards prohibiting payments in parts of the public sector and critical national infrastructure. Payment decisions should never be taken lightly or made without legal advice.

Building detection and response that keeps dwell time low

You cannot reduce dwell time purely through policy. You need visibility, tooling and people who can act on signals in near real time.

Endpoint detection and response as a baseline

Endpoint Detection and Response (EDR) tools provide visibility into suspicious process behaviour, lateral movement, credential theft and data exfiltration from servers, workstations and cloud workloads. Properly tuned and monitored, EDR platforms are often the first place that a ransomware operator’s activities are visible.

Managed detection and response services can close the skills and time gap for smaller teams by providing 24 by 7 monitoring and investigation.

Network and identity visibility

Network Intrusion Detection Systems and modern network telemetry help spot lateral movement, command and control traffic and unusual data transfers, particularly where attackers are using legitimate tools rather than obvious malware.

Identity systems deserve equal focus. Many ransomware operators pivot on poorly protected admin accounts and legacy identity protocols. Monitoring for unusual sign ins, risky MFA behaviour and privilege escalations is critical in reducing dwell time, because that is often where attackers slip up.
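To make the identity monitoring point concrete, here is an added example (not Zensec's code or tooling) that replays a constructed sign-in and group-change log and flags the chain the article describes: stolen credentials tested against a VPN, a success without strong MFA, then escalation to domain admin, and reports how wide the foothold-to-escalation window was. The event names, field layout, thresholds and group names are assumptions for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit events (not real data): (timestamp, event, user, source_ip, detail)
SAMPLE_EVENTS = [
    ("2024-05-01T02:00:00", "vpn_login_failed", "j.smith", "203.0.113.5", ""),
    ("2024-05-01T02:00:04", "vpn_login_failed", "a.patel", "203.0.113.5", ""),
    ("2024-05-01T02:00:09", "vpn_login_failed", "m.chen", "203.0.113.5", ""),
    ("2024-05-01T02:00:15", "vpn_login_failed", "r.jones", "203.0.113.5", ""),
    ("2024-05-01T02:00:31", "vpn_login_success", "r.jones", "203.0.113.5", "mfa=none"),
    ("2024-05-01T05:45:00", "group_member_added", "r.jones", "10.0.0.12", "group=Domain Admins"),
    ("2024-05-01T09:10:00", "vpn_login_success", "j.smith", "198.51.100.7", "mfa=push"),
]
SPRAY_THRESHOLD = 4                   # distinct accounts failing from one source (assumed)
SPRAY_WINDOW = timedelta(minutes=10)  # sliding window for counting those failures
PRIV_GROUPS = {"Domain Admins", "Enterprise Admins"}


def detect(events):
    """Replay events in time order; return [(time, alert_text), ...]."""
    alerts = []
    recent_failures = defaultdict(list)   # source_ip -> [(time, user)]
    spraying_sources = set()
    for ts, kind, user, ip, detail in sorted(events):
        t = datetime.fromisoformat(ts)
        if kind == "vpn_login_failed":
            # Keep only failures inside the sliding window, then check breadth.
            recent_failures[ip] = [(ft, fu) for ft, fu in recent_failures[ip]
                                   if t - ft <= SPRAY_WINDOW] + [(t, user)]
            users = {fu for _, fu in recent_failures[ip]}
            if len(users) >= SPRAY_THRESHOLD and ip not in spraying_sources:
                spraying_sources.add(ip)
                alerts.append((t, f"password spraying from {ip}"))
        elif kind == "vpn_login_success":
            # A success from a spraying source, or with no MFA, is the foothold.
            if ip in spraying_sources or "mfa=none" in detail:
                alerts.append((t, f"success for {user} from {ip} without strong MFA"))
        elif kind == "group_member_added":
            group = detail.partition("=")[2]
            if group in PRIV_GROUPS:
                alerts.append((t, f"{user} added to {group}"))
    return alerts


def foothold_to_escalation(alerts):
    """Gap between the first suspicious success and privilege escalation:
    the window defenders had to contain the intrusion (None if not seen)."""
    foothold = next((t for t, a in alerts if a.startswith("success")), None)
    escalation = next((t for t, a in alerts if " added to " in a), None)
    if foothold is None or escalation is None:
        return None
    return escalation - foothold
```

On the sample data the spray fires on the fourth distinct account, the MFA-less success is flagged as the foothold, and the domain admin addition lands under four hours later, the kind of window the article says defenders must act within.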

Purple Teaming and realistic exercises

Traditional penetration tests tend to be scoped and time boxed. Purple Teaming exercises go further by combining red team tactics with blue team detection tuning in real time. They are designed to help your defenders see and respond to simulated attacker behaviour across the full kill chain.

Used well, purple exercises shorten the gap between “we were compromised for weeks without knowing” and “we saw and stopped that within hours”.

Prevention: shrinking the attack surface

While dwell time focuses on what happens after an attacker is in, the easiest wins usually come from making it harder for them to get in at all.

For UK organisations, NCSC guidance on mitigating malware and ransomware provides a pragmatic baseline.

Key themes include:

  • Keeping internet facing systems patched, exposed services minimised, and configuration securely managed across cloud and on premises environments.
  • Using strong access controls for remote access and admin interfaces, including phishing resistant MFA wherever possible, and tightly limiting the number of accounts with high privileges.
  • Ensuring robust email and web controls, including modern phishing detection and sandboxing, backed by regular user awareness training that focuses on realistic social engineering scenarios.
  • Implementing network segmentation so that compromise of a single workstation or department does not automatically mean an attacker can reach domain controllers, backups and critical business applications.
  • Maintaining offline tested backups and clear recovery runbooks so that, even in a worst case encryption event, you can restore operations without negotiating with criminals.
  • Running regular penetration tests that explicitly include ransomware scenarios, to validate that these controls work in practice, not just on paper, and to reveal weaknesses that automated tools overlook.

Bringing it together

Ransomware is not going away for UK organisations. Recent years have seen more incidents, more groups and more pressure on victims, with attacks increasingly timed to cause maximum disruption.

You cannot control who targets you, but you can control how much opportunity they have once inside. Reducing dwell time is at the heart of that effort.

Understand the paths attackers are most likely to use into your environment and close them through focused remediation and realistic testing. Build detection and response capabilities that can see suspicious activity within hours, not weeks. Follow NCSC guidance so that your controls, incident management and regulatory posture stand up to scrutiny.

And if you are already dealing with suspicious activity, or you simply are not confident how well your organisation would cope with a modern ransomware intrusion, do not wait to find out the hard way.

If you are under attack now or suspect something is wrong, contact Zensec for expert help with containment, investigation and recovery.