‘Every hour ransomware goes undetected drastically increases its potential blast radius’: Hackers are breaching networks and laying low for longer – and nearly half of firms don’t realize until data is stolen

An ExtraHop survey found more intrusions are going undetected, leading to longer dwell times

Hackers are sneaking into networks and staying undetected for longer than ever, according to new research, and many security teams are frightfully unaware.

A study from security firm ExtraHop found threat actors are managing to access corporate networks and quietly maintain access for an average of two and a half weeks before their presence is detected — with a small number remaining undetected for several months or even years at a time.

Nearly half of organizations polled said they didn't detect the intrusion until after data was stolen, marking a 31% increase compared to last year. Notably, 14% weren’t aware any attack had taken place until the hackers themselves alerted the enterprise, typically with ransom demands.

Detection is being delayed by a combination of sophisticated obfuscation methods and alert fatigue, the survey suggested. Four-in-ten respondents, for example, said detection was delayed by attackers using encrypted channels or by mirroring legitimate workflows and processes.

Another 34% reported attackers using high-privilege account permissions to dodge being spotted. But a further 30% said initial detection was missed because of alert fatigue, while 27% said undetermined baseline behavior made it difficult to spot dodgy activity.

"Every hour ransomware goes undetected drastically increases its potential blast radius," the report noted. "A wider detection window grants adversaries the critical dwell time needed to move laterally and locate backups. This delays containment, turning what could have been a localized incident into an organization-wide crisis."

Concerning dwell times

Dwell times – the period between when an attack starts and when it is detected – are by no means a new problem for cybersecurity teams.

Indeed, it’s been a long-running war of attrition for security practitioners in recent years, with threat actors becoming increasingly proficient in staying undetected before wreaking havoc.

As far back as 2023, ITPro reported that enterprises were facing huge problems with this issue, yet research from Sophos at the time found enterprises were improving their response to threats on this front.

More recent analysis from Mandiant’s 2025 M-Trends report, however, shows that global median dwell times also shrank from 11 days to 10 days.

That may seem like a step in the right direction in terms of detection capabilities, but as Sophos noted, more rapid reaction times mean threat actors are accelerating attacks and acting more aggressively – particularly in ransomware cases.

‘Ransomware isn’t shrinking, it’s migrating’

The report also found that, among polled organizations, the number of ransomware incidents faced annually by each company had fallen from 5.4 to 3.5.

That doesn't mean the ransomware threat is going away, but rather that it is shifting focus from the US, Western Europe, Australia, and Singapore to areas with rapid enterprise digitization such as Brazil, Mexico, Vietnam, Thailand, and Indonesia.

"Ransomware isn’t shrinking, it’s migrating," the report found. "As coordinated global law enforcement hardens traditional targets, syndicates are moving downstream to other targets."

ExtraHop researchers spotted some good news, though, mainly that the average ransom payment had fallen to $2.8 million from last year's $3.6 million. On the downside, the frequency of payments is up.

Of those polled, 83% of victims paid a ransom, up from 70% in previous surveys. ExtraHop noted that the financial cost of business disruption is what drives most companies to pay a ransom, with downtime per incident averaging nearly 30 hours.

AI is creating ‘noise’ for cyber pros

Beyond that, 55% of respondents said that AI was the attack surface presenting the biggest risk to their organization.

Enterprises raised further concerns around AI-enhanced attacks, compromised AI identity and session theft, third-party or supply chain breaches due to their integrated AI, and shadow AI exposure.

Plus, AI is often adding to the "noise" faced by security teams, with 30% of those surveyed saying that AI alerts had produced false positives that had slowed down wider investigation timelines.

"When you look at the big picture of modern cyber risk, the thread connecting every major challenge, from missed detections and prolonged dwell times to AI false positives, is a fundamental lack of situational awareness, or ground truth," said Raja Mukerji, Co-founder and Chief Scientist at ExtraHop.

Freelance journalist Nicole Kobie first started writing for ITPro in 2007, with bylines in New Scientist, Wired, PC Pro and many more.

Nicole is the author of a book about the history of technology, The Long History of the Future.