Attacker Breakout Time refers to the time it takes for an intruder to begin moving laterally outside of the initial beachhead to other systems in the network. Threat actors are accelerating their attacks and adopting innovative new ways to circumvent endpoint detection mechanisms, according to a new report from ReliaQuest. The threat intelligence vendor claimed in its latest Threat Spotlight report for the period June–August 2025 that the average breakout time dropped to only 18 minutes. One attack from Akira came in at just six minutes, significantly below the lowest breakout time recorded in 2024, which was 27 minutes.[1]
The figure keeps falling. In January, ReliaQuest claimed breakout time in 2024 was 22% shorter than the previous year. Once adversaries reach this stage, attacks become harder to detect and contain. Threat actors are not just getting faster but also smarter, ReliaQuest warned. There has been a sharp rise in ransomware operations using the SMB file-sharing protocol for remote file encryption, from 20% to 29% of ransomware attacks.
“Using compromised credentials, attackers access shared files on a network via a single compromised host, often through unmanaged devices or VPNs,” the report noted. By encrypting data remotely, they bypass endpoint protections entirely, operating quietly and efficiently within the network. This highlights a critical flaw in endpoint-focused defenses: Attacks don’t stop at the endpoint, and neither should your defense.
ReliaQuest also warned that drive-by compromise remains the most popular tactic for initial access, accounting for 34% of incidents. That compares with 12% for spear phishing links and, remarkably, 12% for USB malware. USB-based malware is thriving because of weak policy enforcement and inconsistent endpoint controls. “It’s easy to overlook the dangers of plugging in unvetted USBs, and attackers exploit this to infiltrate corporate networks,” the report noted.
It pointed to the Gamarue variant as being particularly prevalent during that period. “Gamarue hides its malicious Dynamic Link Libraries (DLLs) so well that most employees would not know they are infected,” ReliaQuest said. “The infection triggers a malicious LNK file that disguises itself as a legitimate file already present on the USB, making it even harder to spot.”
This article is shared with permission at no charge for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We provide indicators of compromise information via a Notification and a Tier I Mitigation service (RedXray) or an analysis service (CTAC). For questions, comments or assistance, please contact the office directly at 1-844-492-7225 or feedback@redskyalliance.com
[1] https://www.infosecurity-magazine.com/news/attacker-breakout-time-falls-18/