A ransomware speed record: three hours to disaster

by Black Hat Middle East and Africa

James Cameron’s Titanic runs for three hours and 14 minutes. In that time, Jack and Rose meet, fall in love, and the ship sinks.

In 2025, one ransomware victim lost its network even faster.

According to Barracuda’s Managed XDR Global Threat Report (February 2026), the fastest observed ransomware attack went from initial compromise to full encryption in just three hours. 

That case involved Akira (one of the most active ransomware groups of the year), and it sets a new benchmark for operational speed. For cybersecurity practitioners, it’s tough news – because by the time your first alert lands, the attackers could already be staging payloads.

And speed isn’t the only worrying piece of the report.

Barracuda found that 96% of incidents involving lateral movement ended with the release of ransomware. Once attackers start moving, the odds of encryption spike dramatically. There’s no leisurely dwell time here. It’s breach, pivot, encrypt.

The firewall is the front door

Barracuda reports that 90% of ransomware incidents exploited firewalls, either through a known CVE or a vulnerable account. That means the perimeter device meant to keep attackers out is often the entry point.

That finding aligns neatly with Securin’s Ransomware Index Report 2025, which documents a clear shift towards infrastructure-level compromise – hypervisors, ESXi hosts, Fortinet perimeters and collaboration platforms. 

Attackers are no longer content with a single workstation; they’re targeting the systems that hold the business together.

Securin analysed 7,061 confirmed victims across 117 groups, with Akira accounting for 650 victims in 2025. The group’s playbook emphasises rapid infrastructure mapping, vulnerability correlation and high-leverage timing of encryption events.

Three hours starts to make more sense when you consider that level of preparation.

From dwell time to detonation time

We’ve all been obsessed with dwell time for years. But Barracuda’s dataset (drawn from more than two trillion IT events and nearly 600,000 security alerts in 2025) shows a threat landscape defined more by pre-positioned exploits and rapid privilege escalation – and of course, automation. Once inside, attackers escalate and execute fast. 

Securin’s researchers describe 2025 ransomware as behaving “less like cybercrime and more like a coordinated campaign to undermine digital trust”. 

The groups dominating the ecosystem (including Qilin, Akira and CL0P) operate with APT-grade discipline and decentralised affiliate structures.

Speed is a business advantage. The faster the encryption, the less time defenders have to isolate hosts, revoke tokens or shut down VPN access. 

And AI, even though it’s not fully autonomous, is acting as an accelerator. Securin notes that AI has compressed access and extortion workflows, and increased volume and velocity across campaigns. 

The calculations cyber practitioners have to make 

If encryption can happen in three hours, what does that mean in practical terms?

  • Your mean time to detect (MTTD) has to be measured in minutes, not days.
  • Privilege escalation alerts can’t sit in a queue.
  • Firewall patching isn’t a quarterly housekeeping task anymore – it’s frontline risk management.

Barracuda’s data also shows that 100% of security incidents involved at least one unprotected or rogue endpoint. That’s an asset hygiene problem, not an advanced zero-day problem.

While attackers are compressing the attack chain, many organisations are still debating tool consolidation and SOC staffing models. Three hours is, if we’re honest, shorter than some board meetings. 

Here’s what you can build into your resilience strategy this year to mitigate the impact of high-speed ransomware: 

  • Treat firewall and VPN exposure as Tier 1 risk. Patch aggressively and audit privileged accounts continuously.
  • Instrument lateral movement detection. With 96% of lateral movement cases ending in ransomware, this is the inflection point.
  • Rehearse sub-four-hour containment. If your incident response playbook assumes a 24-hour window, it’s obsolete.
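
One way to instrument the lateral movement point above, as an added example that is not from Barracuda, Securin or the original article: a sliding-window check that flags an account on one source host authenticating to many distinct destinations within minutes. The log format, host and account names, the 10-minute window and the threshold are all assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # assumed look-back window
MAX_HOSTS = 3                    # assumed threshold: distinct destinations per window

# Constructed sample events: time, account, source host, destination host
SAMPLE = """\
2025-01-01T09:00:05 svc-backup fw-vpn-01 file-01
2025-01-01T09:01:10 jsmith ws-014 file-01
2025-01-01T09:02:40 svc-backup fw-vpn-01 dc-01
2025-01-01T09:04:15 svc-backup fw-vpn-01 esxi-01
2025-01-01T09:05:30 svc-backup fw-vpn-01 esxi-02
2025-01-01T09:40:00 jsmith ws-014 print-01
"""

def parse(text):
    """Yield (timestamp, account, source, destination) from the assumed format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, src, dst = line.split()
        yield datetime.fromisoformat(ts), account, src, dst

def detect_fanout(events, window=WINDOW, max_hosts=MAX_HOSTS):
    """Return one alert per (account, source) that reaches more than
    max_hosts distinct destinations inside the sliding window."""
    recent = defaultdict(deque)   # (account, source) -> deque of (ts, destination)
    alerted, alerts = set(), []
    for ts, account, src, dst in sorted(events):
        key = (account, src)
        q = recent[key]
        q.append((ts, dst))
        while q and ts - q[0][0] > window:   # expire events older than the window
            q.popleft()
        hosts = {d for _, d in q}
        if len(hosts) > max_hosts and key not in alerted:
            alerted.add(key)
            alerts.append({"account": account, "source": src,
                           "hosts": sorted(hosts),
                           "first_seen": q[0][0], "alerted_at": ts})
    return alerts

if __name__ == "__main__":
    for a in detect_fanout(parse(SAMPLE)):
        lag = a["alerted_at"] - a["first_seen"]   # time from first hop to alert
        print(f"{a['account']}@{a['source']} -> {a['hosts']} (lag {lag})")
```

The gap between `first_seen` and `alerted_at` is the part of the three-hour budget spent before anyone can respond, so it is the number to track when tuning the window and threshold.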

The Titanic sank because the threat was underestimated and the response options were limited. In 2026, we can still learn from that. 
