Cybersecurity
11/26/2025

The Narrow Window: Why Detecting Ransomware Before Encryption is So Hard

Andrius Liepinaitis
Senior Manager, Incident Response

When a ransomware attack begins, the clock starts ticking. Within hours, sometimes minutes, attackers can move from initial access to total system lockout. By the time an alert is raised, the damage is often done.

According to Andrius Liepinaitis, Senior Incident Response Manager at Kudelski Security, that brief window between infiltration and encryption is where the battle is won or lost. In his recent conversation with Valery Rieß-Marchive, Editor-in-Chief at LeMagIT, Andrius described the harsh reality: most organizations never spot the attack in time.

“You may have only two hours between the attacker gaining access and triggering encryption,” Andrius explained. “And most of this happens at night, when no one is watching.”

That two-hour window has become the defining challenge of modern ransomware detection.

The Speed of a Modern Ransomware Attack

Ransomware operations have evolved into highly efficient, often professionalized, cybercrime businesses. Attackers no longer rely on random email attachments. They use automation, stolen credentials, and legitimate remote-access tools to enter networks quietly and move fast.

The Verizon Data Breach Investigations Report (2024) found that in more than 80 percent of ransomware cases, the entire attack chain, from initial access to encryption, took less than 24 hours. Many were completed overnight.

Andrius and his team see this pattern every week. “Most intrusions happen between 10 p.m. and 4 a.m. local time,” he said. “If you do not have 24/7 monitoring, you will wake up to encrypted systems.”

This simple timing advantage gives attackers the upper hand, especially against small and medium-sized businesses that lack round-the-clock security operations.

Why Detection Is So Difficult

Defenders often ask why ransomware cannot simply be detected before it executes. The answer lies in the way attackers now operate.

1. They use legitimate tools

Attackers rarely drop traditional malware anymore. They exploit trusted software already present inside the organization, such as TeamViewer, AnyDesk, Rclone, or PowerShell, to move data and control systems. To a security tool, this looks like normal administrative activity.

2. They hide behind valid credentials

“Criminals come through VPNs using legitimate accounts,” Andrius said in the webinar. “There is zero malware involved.”

Compromised credentials are now one of the most common attack vectors. The Cybersecurity and Infrastructure Security Agency (CISA) reports that valid account abuse was observed in most major ransomware incidents investigated in 2024. Once attackers have an employee’s username and password, they can blend in perfectly.

3. They move fast

The window for detection is extremely small. Attackers often move from initial access to full domain control within two to four hours. As Andrius explained, “We sometimes see criminals come through a VPN, escalate privileges, exfiltrate data, and trigger encryption before sunrise.”

4. They target systems without 24/7 monitoring

Small businesses and regional organizations are at the greatest risk. Without continuous monitoring or an incident response retainer, alerts raised overnight are only reviewed the next morning, long after data has been stolen or encrypted.

Lessons from the Frontline

During the BrightTALK discussion, Andrius recalled a recent success story. A long-term client who had previously suffered a full ransomware event invested in better monitoring and an IR retainer. Months later, the same threat actor tried again.

This time, Kudelski Security’s Incident Response Team was alerted to suspicious outbound traffic to a cloud storage service. They connected remotely, identified an active data-exfiltration process, and stopped it within minutes. “We literally killed the process live,” Andrius said. “It was a pre-ransomware case, and we saved them from a repeat attack.”

Cases like that are rare but revealing. They show that early detection is possible when organizations invest in visibility, detection engineering, and access management.

The False Sense of Security

One of the most dangerous assumptions in cybersecurity is that having good tools is enough. Andrius often encounters companies that believe they are protected because they have deployed endpoint detection and response (EDR) solutions, firewalls, or multi-factor authentication (MFA).

In practice, configuration errors are common. MFA may be disabled temporarily for troubleshooting, or remote gateways may not be properly logged. In one case, a client discovered that their third-party IT provider had installed its own VPN device with default credentials: an open door for attackers.

The UK National Cyber Security Centre and National Crime Agency report that ransomware actors frequently gain initial access through exposed or unpatched remote services, including VPN and RDP gateways.

Technology alone is not enough. What matters is continuous verification, including monitoring configurations, reviewing alerts, and ensuring that the human processes around those tools are mature.

How to Detect Ransomware in Time

While the perfect defense does not exist, organizations can narrow the gap between intrusion and detection by focusing on fundamentals.

Continuous Monitoring

Implement 24/7 security monitoring through a Managed Detection and Response (MDR) service or in-house SOC. Threats do not keep office hours, and neither should your defenses.

Identity Protection

Monitor for abnormal authentication activity, especially privilege escalation within Active Directory. Attackers often enumerate AD to map the network before encrypting. This reconnaissance is one of the few detectable signals before the final payload.

Network Visibility

Correlate outbound traffic with business patterns. Unexpected data transfers to unknown cloud storage domains are a clear sign of exfiltration. Automated detection rules can spot these anomalies in real time.
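As an added illustration of the two signals above (the identity and network-visibility points), and not code from the original post or from Kudelski Security, the following Python sketch runs two simple detections over constructed VPN and egress log lines: successful VPN logons inside the 10 p.m. to 4 a.m. window Andrius describes, and bulk outbound transfers to cloud-storage domains outside an assumed business allow-list. The log format, field names, domain lists and the 2 GiB threshold are all assumptions chosen for the example.

```python
"""Two toy pre-encryption detections: off-hours VPN logons with valid
accounts, and bulk outbound transfers to storage domains the business
does not normally use. Log format, field names, domain lists and the
byte threshold are assumptions for this example, not a vendor schema."""
from collections import defaultdict
from datetime import datetime, time

# Constructed sample VPN authentication log (not real data).
# Assumed format: "<ISO timestamp> vpn user=<name> src=<ip> result=<ok|fail>"
VPN_LOG = """\
2025-11-25T09:12:03 vpn user=j.doe src=203.0.113.10 result=ok
2025-11-25T23:41:17 vpn user=j.doe src=198.51.100.77 result=ok
2025-11-26T01:05:44 vpn user=svc-backup src=198.51.100.77 result=ok
2025-11-26T02:10:00 vpn user=a.smith src=203.0.113.22 result=fail
2025-11-26T08:30:12 vpn user=a.smith src=203.0.113.22 result=ok
"""

# Constructed sample egress/proxy log (not real data).
# Assumed format: "<ISO timestamp> egress host=<src> dst=<domain> bytes_out=<n>"
EGRESS_LOG = """\
2025-11-26T01:10:02 egress host=FS01 dst=backup.example-cloud.net bytes_out=900000000
2025-11-26T01:12:30 egress host=FS01 dst=storage.unknown-cloud.example bytes_out=1800000000
2025-11-26T01:15:11 egress host=FS01 dst=storage.unknown-cloud.example bytes_out=1500000000
2025-11-26T09:00:00 egress host=WS07 dst=www.example.com bytes_out=120000
"""

# Storage destinations the business is known to use (assumed allow-list).
APPROVED_STORAGE = {"backup.example-cloud.net"}
# Domain suffixes treated as cloud/file-storage services (assumed list).
STORAGE_SUFFIXES = ("-cloud.example", "-cloud.net", ".example-storage.com")
# Off-hours window taken from the article (10 p.m. to 4 a.m. local time).
OFF_HOURS_START, OFF_HOURS_END = time(22, 0), time(4, 0)
# Per host/destination byte budget before alerting (assumed: 2 GiB).
EXFIL_THRESHOLD_BYTES = 2 * 1024 ** 3


def parse_line(line):
    """Split '<ts> <source> k=v k=v ...' into (timestamp, source, fields)."""
    ts, source, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts), source, kv


def is_off_hours(ts):
    """True inside the window; it crosses midnight, hence the 'or'."""
    t = ts.time()
    return t >= OFF_HOURS_START or t < OFF_HOURS_END


def off_hours_logons(log):
    """Successful VPN logons during the off-hours window as (user, src, ts)."""
    hits = []
    for line in log.splitlines():
        ts, source, kv = parse_line(line)
        if source == "vpn" and kv["result"] == "ok" and is_off_hours(ts):
            hits.append((kv["user"], kv["src"], ts.isoformat()))
    return hits


def suspicious_storage_transfers(log):
    """Sum bytes per (host, destination) for non-approved storage domains
    and return the pairs that exceed the threshold."""
    totals = defaultdict(int)
    for line in log.splitlines():
        _, source, kv = parse_line(line)
        dst = kv["dst"]
        if source != "egress" or dst in APPROVED_STORAGE:
            continue
        if dst.endswith(STORAGE_SUFFIXES):
            totals[(kv["host"], dst)] += int(kv["bytes_out"])
    return {k: v for k, v in totals.items() if v > EXFIL_THRESHOLD_BYTES}


if __name__ == "__main__":
    for user, src, ts in off_hours_logons(VPN_LOG):
        print(f"off-hours VPN logon: user={user} src={src} at {ts}")
    for (host, dst), nbytes in suspicious_storage_transfers(EGRESS_LOG).items():
        print(f"bulk transfer to unapproved storage: {host} -> {dst} ({nbytes} bytes)")
```

Run stand-alone, the sample data produces two off-hours logon alerts (one of them a service account from a new source address) and one bulk-transfer alert for the file server pushing 3.3 GB to a storage domain outside the allow-list. In a real SOC both rules would be tuned against a baseline of normal after-hours activity and approved destinations; the point of the sketch is that the exfiltration signal is visible in ordinary egress logs before any encryption begins.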

Tested Incident Response Plan

Prepare for failure before it happens. Having an incident response retainer means you have experts on call who can act within minutes rather than hours. Speed of action directly affects how much data can be saved.

Why Early Detection Matters

Every minute counts once an attacker gains a foothold. NIST’s Computer Security Incident Handling Guide explains that responding quickly and effectively reduces data loss, service disruption, and overall impact. Real-world cases show the cost of delays. MGM Resorts disclosed that the 2023 cyberattack would reduce quarterly earnings by about $100 million, underscoring the value of rapid detection and containment.

Detecting ransomware before encryption is difficult, but not impossible. It requires preparation, visibility, and trusted partners who know how to interpret early warning signs and respond fast.

The Takeaway: Preparation Creates the Advantage

Ransomware is no longer just a malware problem; it is an operational speed problem. Attackers exploit the time gap between intrusion and detection. The organizations that survive are those that close that gap through constant monitoring and prepared response plans.

As Andrius Liepinaitis emphasized, “Either you arrive after the fire, when everything is encrypted, or you prepare so that the fire never starts.”

Strengthen Your Ransomware Detection and Response

To reduce dwell time and improve your ability to detect ransomware before encryption, partner with experts who respond to these incidents every day.

Learn how Kudelski Security’s Incident Response and Digital Forensics team can help you build continuous visibility, prepare your teams, and respond at speed when every minute counts.
