What Is Time to Ransom (TTR)?

Written by: Lizzie Danielson

Published: 7/9/2026

woman at laptop

Time to Ransom (TTR) is the amount of time it takes a threat actor to go from first breaking into a network to deploying ransomware. The shorter the TTR, the less time a business has to catch the attack before it locks up their systems.

Key Takeaways

  • TTR measures speed, not just presence. It tracks the hours between initial access and the moment ransomware payloads are triggered, not just whether an attacker is inside the network.
  • TTR is getting shorter. Automation, prebuilt attack playbooks, and "smash and grab" tactics mean some threat actors move from access to encryption in just a few hours.
  • Not every threat actor moves at the same speed. Some ransomware groups prioritize speed over stealth, while others spend more time inside a network gathering data or elevating privileges first.
  • A short TTR shrinks your response window. The faster attackers move, the less time security teams have to detect and stop them before damage is done.
  • Recovery takes far longer than the attack itself. Even a TTR measured in hours can lead to weeks of business disruption afterward.

Breaking down what TTR actually measures

Every ransomware attack starts the same way: An attacker finds a way in. That could be via stolen credentials, a phishing email, an exposed remote desktop connection, or an unpatched vulnerability. TTR starts counting the moment that access happens, and it stops the moment ransomware is deployed.

In between those two points, threat actors are busy. They might move laterally across the network, escalate their privileges, disable security tools, dump credentials, or steal data before they ever trigger the ransomware payload. According to Huntress' 2026 Cyber Threat Report, the average TTR across security incidents was almost 17 hours, with ransomware groups taking an average of 18 actions before triggering the ransomware payload.

That average hides a lot of variation, though. Some attackers had a TTR average of just over four hours after gaining initial access, which means every minute counts once a threat actor is inside. TTR is closely related to a concept called dwell time—the length of time an attacker remains in your environment before they're detected and removed.

Federal guidance from the Cybersecurity and Infrastructure Security Agency (CISA) and the Multi-State Information Sharing and Analysis Center (MS-ISAC), including their joint #StopRansomware Guide, focuses on reducing both the likelihood and impact of ransomware and data extortion incidents through preparation, prevention, and response best practices.

Why TTR keeps shrinking

Threat actors don't all work the same way, and their TTR reflects that. Some groups favor speed. They go in already knowing what tools and defenses a target relies on, deploy ransomware quickly, and then pressure the victim to pay before the security team can react. Other groups take a slower, more deliberate approach, spending more time inside the network to steal data, disable backups, or clear logs before triggering encryption.

A few things are pushing average TTR down across the board:

  • Prebuilt attack playbooks. Many ransomware groups follow tried-and-true methods, which cuts down on the guesswork and time needed to move through a network.
  • Automation. Faster, more automated tools mean fewer manual steps between gaining access and deploying ransomware.
  • Defense evasion. Some threat actors intentionally speed up their timeline specifically because they suspect security tools might catch them if they linger too long.
  • Ransomware-as-a-Service (RaaS). Affiliates using RaaS kits often follow standardized, fast-moving processes built by the ransomware developers they work with.

Why TTR matters for your business

TTR gives security teams a rough idea of how much time they realistically have to catch an attack before it turns into a full-blown ransomware incident. A shorter TTR means a smaller window to detect suspicious activity, investigate it, and respond before damage is done.

Here's the part that really drives the urgency home: The attack itself might only take a matter of hours, but the fallout doesn't stop there. Recovery can take weeks. A 2024 Statista report found that the average length of interruption after ransomware attacks at US businesses was 24 days. That means an hours-long attack can easily turn into a month-long disruption to normal business operations.

For growing businesses and small IT teams especially, that discrepancy is worth paying attention to. You don't need a massive security budget to plan around TTR, but you do need to understand that speed matters on both sides of the equation: how fast attackers move, and how fast you can detect and respond.

How to adapt to a shrinking TTR

Because TTR keeps getting shorter, waiting to build a response plan until after an attack starts is a losing strategy. A few steps that help close the gap:

  • Keep offline, encrypted backups of critical data, and take time to test those backups in disaster recovery scenarios rather than assuming they'll work.
  • Build an incident response playbook that's reviewed and understood across your team, laying out who handles containment, remediation, and recovery, along with how communication will flow both internally and externally.
  • Watch for early warning signs, like unusual account activity, credential dumping attempts, or security tools being disabled, since these often show up before ransomware is actually deployed.
  • Get visibility into your environment. The faster you can spot suspicious activity after initial access, the more of that TTR window you get to work with.

Conclusion

TTR boils a ransomware attack down to a single, urgent question: How much time do you actually have before encryption? The answer keeps shrinking, and that means detection and response speed on your end matters more than ever. Understanding TTR won't stop an attacker from getting in, but it will help you build a security strategy that accounts for just how little time you might have once they do.

That's exactly the gap Huntress Managed EDR and our 24/7 human-led AI-assisted SOC are built to close. Managed EDR gives you the endpoint visibility to catch attacker activity long before ransomware ever deploys, and our SOC analysts investigate and respond to threats around the clock, so a shrinking TTR doesn't have to mean a shrinking response window for your business.

FAQs

TTR stands for Time to Ransom. It measures how long it takes a threat actor to go from gaining initial access to a network to deploying ransomware.

Yes. A shorter TTR means security teams have less time to detect and stop an attack before ransomware is deployed, which makes fast detection and response even more critical.

They're closely related. Dwell time generally refers to how long an attacker is present in a network, while TTR specifically measures the time from initial access to ransomware deployment.

It varies by threat actor, but Huntress found an average TTR of almost 17 hours across the incidents studied in 2025, with some groups deploying ransomware in as little as four hours after gaining access.

Yes. While businesses can't control how fast an attacker moves, they can shrink their own detection and response time by watching for early warning signs, maintaining tested backups, and having an incident response plan ready before an attack happens.

Protect What Matters

Secure endpoints, email, and employees with the power of our 24/7 SOC. Try Huntress for free and deploy in minutes to start fighting threats.
Try Huntress for Free