‘Every hour ransomware goes undetected drastically increases its potential blast radius’: Hackers are breaching networks and laying low for longer – and nearly half of firms don’t realize until data is stolen
An ExtraHop survey found more intrusions are going undetected, leading to longer dwell times
Hackers are sneaking into networks and staying undetected for longer than ever, according to new research, and many security teams are frightfully unaware.
A study from security firm ExtraHop found threat actors are managing to access corporate networks and quietly maintain access for an average of two and a half weeks before their presence is detected — with a small number remaining undetected for several months or even years at a time.
Nearly half of organizations polled said they didn't detect the intrusion until after data was stolen, marking a 31% increase compared to last year. Notably, 14% weren’t aware any attack had taken place until the hackers themselves alerted the enterprise, typically with ransom demands.
Detection is being delayed by a combination of sophisticated obfuscation methods and alert fatigue, the survey suggested. Four-in-ten respondents, for example, said detection was delayed by attackers using encrypted channels or by mirroring legitimate workflows and processes.
Another 34% reported attackers using high-privilege account permissions to dodge being spotted. But a further 30% said initial detection was missed because of alert fatigue, while 27% said undetermined baseline behavior made it difficult to spot dodgy activity.
"Every hour ransomware goes undetected drastically increases its potential blast radius," the report noted. "A wider detection window grants adversaries the critical dwell time needed to move laterally and locate backups. This delays containment, turning what could have been a localized incident into an organization-wide crisis."
Concerning dwell times
Dwell times – the period between when an attack starts and when it is detected – are by no means a new problem for cybersecurity teams.
Indeed, it’s been a long-running war of attrition for security practitioners in recent years, with threat actors becoming increasingly proficient in staying undetected before wreaking havoc.
As far back as 2023, ITPro reported that enterprises were facing huge problems with this issue, yet research from Sophos at the time found enterprises were improving their response to threats on this front.
More recent analysis from Mandiant’s 2025 M-Trends report, however, shows that global median dwell times also shrank from 11 days to 10 days.
That may seem like a step in the right direction in terms of detection capabilities, but as Sophos noted, more rapid reaction times mean threat actors are accelerating attacks and acting more aggressively – particularly in ransomware cases.
‘Ransomware isn’t shrinking, it’s migrating’
The report also found that, among polled organizations, the number of ransomware incidents faced annually by each company had fallen from 5.4 to 3.5.
That doesn't mean the ransomware threat is going away, but rather shifting focus from the US, Western Europe, Australia, and Singapore to areas with rapid enterprise digitization such as Brazil, Mexico, Vietnam, Thailand, and Indonesia.
"Ransomware isn’t shrinking, it’s migrating," the report found. "As coordinated global law enforcement hardens traditional targets, syndicates are moving downstream to other targets."
ExtraHop researchers spotted some good news, though, mainly that the average ransom payment had fallen to $2.8 million from last year's $3.6 million. On the downside, the frequency of payments is up.
Of those polled, 83% of victims paid a ransom, up from 70% in previous surveys. ExtraHop noted that the financial cost of business disruption is what drives most companies to pay a ransom, with downtime per incident averaging nearly 30 hours.
AI is creating ‘noise’ for cyber pros
Beyond that, 55% of respondents said that AI was the attack surface presenting the biggest risk to their organisation.
Enterprises raised further concerns around AI-enhanced attacks, compromised AI identity and session theft, third-party or supply chain breaches due to their integrated AI, and shadow AI exposure.
Plus, AI is often adding to the "noise" faced by security teams, with 30% of those surveyed saying that AI alerts had produced false positives that had slowed down wider investigation timelines.
"When you look at the big picture of modern cyber risk, the thread connecting every major challenge, from missed detections and prolonged dwell times to AI false positives, is a fundamental lack of situational awareness, or ground truth," said Raja Mukerji, Co-founder and Chief Scientist at ExtraHop.
Freelance journalist Nicole Kobie first started writing for ITPro in 2007, with bylines in New Scientist, Wired, PC Pro and many more.
Nicole is the author of a book about the history of technology, The Long History of the Future.
