Cyber criminals are spending longer inside business' networks after the initial breach
Cyber attackers' dwell time is up 36% thanks to initial access brokers and repeat exploitation of Microsoft Exchange vulnerabilities, according to Sophos


Cyber attackers are spending longer inside business systems after hacking them, a new report has revealed.
Rogue actors who do not use ransomware are spending the most time inside small businesses with the average dwell time observed to be 51 days in organisations with fewer than 250 employees. Attackers targeting larger (3,000 - 5,000 employees) organisations spend on average just 20 days inside.
The figures for ransomware criminals are much lower, with the average dwell time inside a business falling to just 15 days.
UK cyber security firm Sophos said these figures, taken from data in 2021, amount to a 36% increase in attacker dwell time compared to the previous year.
Longer dwell times could be indicative of the increasing popularity of initial access brokers (IABs) in the cyber security landscape, the company said.
IABs are online services that are often sold on the deep web selling remote access to companies to prospective hackers and charging them according to the time spent inside the system.
Longer dwell times not only allow attackers to launch more attacks but also open up victims to attacks from multiple threat actors, Sophos said.
Sign up today and you will receive a free copy of our Future Focus 2025 report - the leading guidance on AI, cybersecurity and other IT challenges as per 700+ senior executives
The company’s forensic analyses revealed instances of IABs, cryptominers, and multiple ransomware operators targeting businesses simultaneously.
Sophos said this growing trend of hackers simply paying for access rather than developing their exploits, for example, reflects the growing ‘professionalism’ of cyber attackers and is fuelling a thriving ransomware-as-a-service (RaaS) market.
RELATED RESOURCE
The Total Economic Impact™ of Mimecast
Cost savings and business benefits enabled by using Mimecast with Microsoft 365
FREE DOWNLOAD
“The world of cybercrime has become incredibly diverse and specialised. IABs have developed a cottage cybercrime industry by breaching a target, doing exploratory reconnaissance or installing a backdoor, and then selling the turn-key access to ransomware gangs for their own attacks,” said John Shier, senior security advisor at Sophos.
“In this increasingly dynamic, speciality-based cyberthreat landscape, it can be hard for organisations to keep up with the ever-changing tools and approaches attackers use. It is vital that defenders understand what to look for at every stage of the attack chain, so they can detect and neutralise attacks as fast as possible.”
In addition to the pervasive reliance on IABs, Sophos’ analysis of cyber attacks revealed that the second of the most influential threats was the continued exploitation of the ProxyLogon and ProxyShell vulnerabilities in Microsoft Exchange servers.
Microsoft said this week that it had to delay the development of the next version of Microsoft Exchange by four years due to assigning so many experts to improve the security of the mail and calendaring service in the wake of mass exploitation last year.
Sophos said the bugs led to a significant number of incidents it saw during 2021 and that there are likely to be many related breaches of which businesses are still unaware.
The implantation of web shells and backdoors is likely to go unnoticed and the access they provide may later be sold to willing bidders in the IAB market, it said.
Other wider findings in the company’s Active Adversary Playbook report revealed that data exfiltration was far more common in ransomware incidents than in previous years, with the average time taken for actors to pull data from victims dropping from 4.28 to 1.84 days.
The trend speaks to the growing trend in ransomware of double extortion - a method which sees the victim’s systems corrupted, as well as data stolen with the threat of data leakage if the ransom isn’t paid.

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.
-
How to implement a four-day week in tech
In-depth More companies are switching to a four-day week as they look to balance employee well-being with productivity
-
Intelligence sharing: The boost for businesses
In-depth Intelligence sharing with peers is essential if critical sectors are to be protected
-
Hackers breached a 158 year old company by guessing an employee password – experts say it’s a ‘pertinent reminder’ of the devastating impact of cyber crime
News A Panorama documentary exposed hackers' techniques and talked to the teams trying to tackle them
-
The ransomware boom shows no signs of letting up – and these groups are causing the most chaos
News Thousands of ransomware cases have already been posted on the dark web this year
-
Everything we know about the Ingram Micro cyber attack so far
News A cyber attack on Ingram Micro severely disrupted operations and has been claimed by the SafePay ransomware group.
-
A prolific ransomware group says it’s shutting down and giving out free decryption keys to victims – but cyber experts warn it's not exactly a 'gesture of goodwill'
News The Hunters International ransomware group is rebranding and switching tactics
-
Swiss government data published following supply chain attack – here’s what we know about the culprits
News Radix, a non-profit organization in the health promotion sector, supplies a number of federal offices, whose data has apparently been accessed.
-
Ransomware victims are getting better at haggling with hackers
News While nearly half of companies paid a ransom to get their data back last year, victims are taking an increasingly hard line with hackers to strike fair deals.
-
LockBit data dump reveals a treasure trove of intel on the notorious hacker group
News An analysis of May's SQL database dump shows how much LockBit was really making
-
‘I take pleasure in thinking I can rid society of at least some of them’: A cyber vigilante is dumping information on notorious ransomware criminals – and security experts say police will be keeping close tabs
News An anonymous whistleblower has released large amounts of data allegedly linked to the ransomware gangs