A blog post from FireEye's Kelli Vanderlee said that, apart from this common characteristic, in most of the cases examined at least three days elapsed between the first indication of malicious activity and the deployment of the ransomware.
The most common method for gaining entry to a Windows system was the Remote Desktop Protocol (RDP), which the operating system supports. Otherwise, attackers gained access through phishing or drive-by downloads.
Vanderlee wrote that in 2018 and 2019, post-compromise and interactive ransomware deployment increased, allowing attackers to identify key systems so that their attacks could be more effective.
Another point noted was that ransomware attackers used other means like data theft and extortion to increase their chances of success.
Taking aim at organisations that depend on high availability, such as hospitals, government bodies or industrial environments, was a tactic used to increase the chances of a ransom being paid.
Vanderlee noted that the use of RDP had been more common in 2017 and had fallen away to some extent in the two following years. In some cases the credentials used to gain entry through RDP were brute-forced; in others, the ransomware actor purchased access credentials from another criminal in the same trade.
While phishing is all too common, Mandiant also observed several cases where a user was tricked into visiting a website that infected their Windows machine with malware which later facilitated the entry of ransomware.
"In 76% of incidents we reviewed, ransomware was executed in victim environments after hours, that is, on a weekend or before 8am or after 6pm on a weekday, using the time zone and customary work week of the victim organisation," Vanderlee noted. "This observation underscores that threat actors continue working even when most employees may not be."
Vanderlee said that in the midst of the woes caused by ransomware attacks, there was some light. "The good news is that particularly with post-compromise infections, there is often a window of time between the first malicious action and ransomware deployment," she said.
"If network defenders can detect and remediate the initial compromise quickly, it is possible to avoid the significant damage and cost of a ransomware infection."
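Detection logic for the two observations above, the after-hours execution window (weekend, or before 8am / after 6pm in the victim organisation's time zone) and brute-forced RDP credentials, as an added example that is not from the FireEye post; the event records, source addresses and the Europe/London organisation time zone are constructed assumptions.

```python
# Added example: flag RDP activity that falls in the after-hours window described in
# the post, and RDP successes preceded by a run of failed logons from the same source.
# Event shapes are simplified Windows Security log records, constructed for the example.
from collections import defaultdict
from datetime import datetime, timezone
from zoneinfo import ZoneInfo

RDP_LOGON_TYPE = 10            # Windows "RemoteInteractive" logon type, i.e. RDP
SUCCESS, FAILURE = 4624, 4625  # Windows Security event IDs: logon succeeded / failed

def is_after_hours(ts_utc: datetime, org_tz: str) -> bool:
    """True if ts falls outside Mon-Fri 08:00-18:00 in the organisation's own zone."""
    local = ts_utc.astimezone(ZoneInfo(org_tz))
    return local.weekday() >= 5 or local.hour < 8 or local.hour >= 18

def flag_rdp_events(events, org_tz, fail_threshold=5):
    """Return (reason, source, user) alerts for suspicious RDP logons."""
    alerts = []
    failures = defaultdict(int)  # failed RDP logons seen so far, per source address
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["logon_type"] != RDP_LOGON_TYPE:
            continue
        if ev["id"] == FAILURE:
            failures[ev["src"]] += 1
            continue
        if ev["id"] != SUCCESS:
            continue
        # A success after many failures from one source looks like guessed credentials.
        if failures[ev["src"]] >= fail_threshold:
            alerts.append(("rdp_success_after_failures", ev["src"], ev["user"]))
        if is_after_hours(ev["ts"], org_tz):
            alerts.append(("rdp_after_hours", ev["src"], ev["user"]))
    return alerts

def ev(event_id, ts, src, user, logon_type=RDP_LOGON_TYPE):
    return {"id": event_id, "ts": ts, "src": src, "user": user, "logon_type": logon_type}

UTC = timezone.utc
# Constructed sample: six failures then a success from one address early on a Saturday,
# a normal Monday-morning logon, and a Monday-evening logon after 6pm local time.
SAMPLE_EVENTS = (
    [ev(FAILURE, datetime(2019, 11, 16, 2, m, tzinfo=UTC), "203.0.113.7", "admin") for m in range(6)]
    + [ev(SUCCESS, datetime(2019, 11, 16, 2, 10, tzinfo=UTC), "203.0.113.7", "admin"),
       ev(SUCCESS, datetime(2019, 11, 18, 10, 0, tzinfo=UTC), "198.51.100.5", "jsmith"),
       ev(SUCCESS, datetime(2019, 11, 18, 19, 30, tzinfo=UTC), "198.51.100.9", "jsmith")]
)

if __name__ == "__main__":
    for alert in flag_rdp_events(SAMPLE_EVENTS, "Europe/London"):
        print(alert)
```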