The call comes in at 2:47 AM. Your SIEM flagged an anomalous VPN login 38 minutes ago — a successful authentication from a geolocation your user has never logged in from, but with valid credentials and a passed MFA challenge. By the time the on-call analyst opens the ticket at 2:51 AM, the session has already completed internal port scans, SMB-enumerated three file servers, identified your Veeam backup catalog, destroyed it, and begun pushing an encryption payload via Group Policy.

At 3:08 AM — 21 minutes into the analyst’s triage — the first ransom notes drop. At 3:14 AM, your CFO’s laptop reboots into a black screen with a .onion address on it. The entire environment is encrypted before a human has finished reading the alert.

This isn’t a hypothetical. This is the Akira and Storm-1175 playbook as observed in the field in Q1 2026. And it breaks something fundamental about how most organizations detect, respond, and recover from ransomware. The dwell time window that every modern SOC playbook, EDR product, and incident response retainer was built around has collapsed — and almost no one has updated their assumptions to match.

The Dwell Time Number Has Been Lying to You

For years, the industry-standard claim was that attackers sit inside networks for weeks or months before acting. Mandiant’s M-Trends reports tracked global median dwell time dropping from 205 days in 2014 to 10 days in 2023. Sophos’s Active Adversary reports showed a similar trajectory: a steady, almost reassuring compression.

That number is now actively misleading.

The global median blends in long-dwell espionage campaigns and supply-chain implants that sit dormant for months. Strip those out and look only at financially motivated ransomware incidents from Q1 2026, and the numbers collapse by roughly two orders of magnitude. Arctic Wolf’s tracking of Akira puts the median dwell time at under one hour from initial VPN authentication to full environment encryption. Microsoft’s Storm-1175 report documents the group going from zero-day exploitation to Medusa deployment in under 24 hours. Neither of these is an outlier; they are the new operational norm for their respective operators.

If your detection and response strategy is optimized for the 10-day median, you are defending against a threat that no longer exists in its previous form. The question is no longer “can we catch the attacker before they act?” It is “can we catch them before they finish?”

Case One: Akira Finishes the Job in 60 Minutes

The Akira ransomware affiliate program has been operating since early 2023, but what Arctic Wolf documented in their April 2026 report represents a qualitative shift. Historical Akira intrusions measured dwell time in days — initial access via stolen credentials, a day or two of living-off-the-land reconnaissance, lateral movement across a week, encryption over a weekend when staff were off.

The current campaign completes the same kill chain in under 60 minutes. The timeline from Arctic Wolf’s incident data:

  • Minutes 0-5: Authentication to a SonicWall SSL VPN using valid credentials and successfully passing the MFA challenge. Immediate port scanning of the internal network from the authenticated session.
  • Minutes 5-15: Lateral movement via SMB using Impacket. Discovery of domain controllers, backup servers, and file shares.
  • Minutes 15-30: Targeted attack on Veeam Backup & Replication infrastructure. If the Veeam instance is unpatched for CVE-2023-27532 or CVE-2024-40711, the backup catalog is destroyed or encrypted in place. Data staged for exfiltration.
  • Minutes 30-60: Ransomware payload deployment, typically via AnyDesk or LogMeIn sessions that blend with normal administrative traffic, followed by mass encryption.

The credential source is the critical detail. The credentials Akira uses are valid — harvested months earlier from SonicWall devices vulnerable to CVE-2024-40766, which was disclosed and patched in August 2024. Organizations that dutifully applied the patch but did not rotate their VPN credentials afterward are getting owned with credentials that were stolen while their device was still vulnerable. The patch closed the door; the attackers were already holding the keys.

This single detail explains why Akira is currently outpacing every mature perimeter security program in the SMB and mid-market. The victims aren’t running unpatched VPNs. They’re running patched VPNs with stale credentials — and every existing “block failed logins” detection is useless against authentications that succeed on the first attempt with a valid MFA token.

Case Two: Storm-1175 Runs Zero-Days Into Group Policy

Storm-1175 operates in a different segment of the kill-chain compression spectrum: the 24-hour zero-day-to-encryption blitz. Microsoft’s Threat Intelligence team published detailed attribution on April 6, 2026, identifying Storm-1175 as a China-based financially-motivated actor serving as a primary affiliate for the Medusa ransomware-as-a-service operation.

The group’s operational model is to weaponize vulnerabilities in internet-facing enterprise software faster than most organizations can even read the advisory. Documented examples:

  • CVE-2026-23760 — An authentication bypass in SmarterTools SmarterMail’s force-reset-password endpoint. Storm-1175 exploited this a full week before public disclosure.
  • CVE-2025-10035 — A CVSS 10.0 deserialization vulnerability in Fortra GoAnywhere MFT’s License Servlet. Exploited in the wild starting September 11, 2025 — roughly a week before Fortra’s own advisory.
  • CVE-2025-31324 — An SAP NetWeaver vulnerability weaponized within one day of public disclosure.

Once the foothold is established, the kill chain executes on a 24-hour budget:

  • Hour 0-2: Initial access via exploit. Deployment of RMM tooling — SimpleHelp and MeshAgent are the consistent signatures — for persistent administrative access that mimics legitimate remote management traffic.
  • Hour 2-6: Escalation to local admin. Antivirus exclusions are set to blind EDR products. PowerShell and PsExec drive lateral movement. Impacket supplements for SMB-based pivots.
  • Hour 6-12: Active Directory compromise. PDQ Deploy is co-opted for payload staging.
  • Hour 12-24: Rclone-based exfiltration of sensitive data, then Medusa ransomware pushed domain-wide via Group Policy Object to every joined machine simultaneously. Encryption completes before business hours.

The GPO detail matters because it sidesteps the endpoint detection model that most EDR products are built around. An attacker who pushes ransomware machine-by-machine generates a trail of noisy per-host events. An attacker who modifies a single GPO and lets domain-joined machines pull the change on their next policy refresh generates a handful of directory-change events on the domain controller (recorded only if Directory Service Changes auditing is enabled) and a write to SYSVOL, followed by a wave of encryption that looks like a legitimate software deployment, right up until the ransom notes appear. The entire campaign is engineered to use the Windows enterprise administration model against the organization.

The Common Thread: Pre-Positioned Advantage

Akira and Storm-1175 operate on completely different timescales — one measures dwell in minutes, the other in hours — but they share the same strategic architecture. Both operators compress the kill chain by front-loading their reconnaissance, credential harvesting, and target identification into work done before the attack timeline starts.

Akira pre-positions credentials via bulk harvesting from vulnerable devices, then draws them down months later against the same organizations post-patch. Storm-1175 pre-positions by accumulating zero-day exploits and scanning the internet for vulnerable instances before advisories drop. In both cases, the attacker is not doing research on your network after they get in; they already know what’s there. They just need to execute.

This is the strategic insight that most defensive programs have not internalized. You are not catching the attacker in the reconnaissance phase because the reconnaissance happened externally, weeks or months ago, against a different version of your environment. By the time your telemetry shows any activity, the attacker is in execution mode — and execution, as both operators have demonstrated, is fast.

The Detection Math No Longer Works

Line up the numbers and the structural problem becomes obvious.

The 2024 IBM Cost of a Data Breach report pegged the global average time to identify a breach at 194 days. Gartner’s 2025 SOC maturity research put mean time to detect for mature programs at roughly 4 hours for high-priority alerts — and that’s mature programs, not the median shop. Meanwhile, Akira is completing encryption in 60 minutes and Storm-1175 is completing it in 24 hours.

Even a well-tuned SIEM with 24/7 human coverage, generating a high-fidelity alert on the first anomalous VPN authentication, cannot realistically triage, escalate, contain, and eject an Akira operator before encryption begins. The analyst cycle — alert received, context gathered, severity assessed, response approved, containment action taken — is not a 15-minute workflow in any organization larger than three people. If the attacker’s timeline is under 60 minutes end-to-end, the industry-standard detect-and-respond architecture has a structural gap that cannot be closed by tuning.

The Storm-1175 timeline is kinder but not by much. Twenty-four hours sounds like a reasonable response window until you remember that most ransomware hits on Friday evenings or Saturday mornings specifically to exploit the response-time gap between detection and a human actually being available to act. Microsoft’s attribution report explicitly notes that Storm-1175 schedules final encryption pushes outside business hours. The operator is timing the kill chain against your on-call schedule.

What Actually Works When the Budget Is Fifteen Minutes

The uncomfortable answer is that the detect-and-respond model is not the primary line of defense against compressed kill chains. It is the cleanup crew. The primary defenses are structural and preventative, and most organizations are underinvesting in them.

Credential hygiene is the highest-leverage control. Akira’s entire advantage evaporates if VPN credentials are rotated on any cadence tighter than “when we notice a problem.” For SonicWall, Fortinet, Cisco, and Ivanti appliances, and any other perimeter device that has shipped a credential-disclosure vulnerability in the last 24 months, the correct response to the patch was not just applying the patch. It was forcing a credential rotation on every account that authenticated to the device during the exposure window, and, where the appliance stores local accounts, on every local account regardless of login history, since a device-level disclosure exposes stored secrets whether or not their owners logged in. A rotation performed while the device was still vulnerable does not count; the new secret could have been harvested just like the old one. Most organizations did not do this. Doing it now is worth more than any new detection content.
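The rotation rule above, turned into a concrete check as an added example (this is illustrative code written for this page, not tooling from Arctic Wolf, SonicWall or any vendor): given VPN authentication records, a password-reset log and the exposure window, it lists the accounts that authenticated while the appliance was vulnerable and have not been reset since the patch. The record format, the hostnames, the reset log and the dates are all constructed assumptions. The check is scoped to accounts that logged in, as the text describes; for appliances that store local accounts, widen the input to every local account.

```python
from datetime import datetime, timezone

# Constructed sample data (not from any real appliance). Each record is one VPN
# authentication attempt in a normalized form; real SonicWall/Fortinet syslog
# would be parsed into this shape first.
AUTH_EVENTS = [
    {"time": "2024-03-02T07:55:00Z", "user": "frank", "result": "success"},
    {"time": "2024-05-03T08:12:00Z", "user": "alice", "result": "success"},
    {"time": "2024-06-11T12:00:00Z", "user": "erin",  "result": "failure"},
    {"time": "2024-07-19T23:41:00Z", "user": "bob",   "result": "success"},
    {"time": "2024-08-20T06:05:00Z", "user": "carol", "result": "success"},
    {"time": "2024-09-02T10:00:00Z", "user": "dave",  "result": "success"},
    {"time": "2024-09-15T09:30:00Z", "user": "alice", "result": "success"},
]
# Hypothetical password-reset log: user -> time of the most recent reset.
ROTATION_LOG = {
    "alice": "2024-09-10T00:00:00Z",   # reset after the patch: clean
    "frank": "2024-08-15T00:00:00Z",   # reset while still vulnerable: not clean
}
# Assumed dates for the example. The exposure window is the time between
# deploying a vulnerable build and applying the fix, not the advisory date;
# if the start is unknown, use the device's install date (or rotate everything).
EXPOSURE_START = "2024-01-01T00:00:00Z"
PATCHED_AT = "2024-09-01T00:00:00Z"


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def accounts_needing_rotation(auth_events, exposure_start, patched_at, rotation_log):
    """Return the sorted usernames whose credentials must still be rotated:
    accounts that authenticated successfully while the device was vulnerable
    and whose most recent reset is missing or predates the patch (a reset made
    while the device could still leak credentials buys nothing)."""
    start, patched = parse_ts(exposure_start), parse_ts(patched_at)
    exposed = {
        ev["user"] for ev in auth_events
        if ev["result"] == "success" and start <= parse_ts(ev["time"]) < patched
    }
    stale = set()
    for user in exposed:
        reset = rotation_log.get(user)
        if reset is None or parse_ts(reset) <= patched:
            stale.add(user)
    return sorted(stale)


if __name__ == "__main__":
    for user in accounts_needing_rotation(AUTH_EVENTS, EXPOSURE_START, PATCHED_AT, ROTATION_LOG):
        print(f"rotate: {user}")
```

Failed attempts are ignored on purpose: a failure does not prove the attacker holds a working credential. Successful logins after the patch (dave) are outside the window and do not by themselves require a reset. Run against the sample, the check flags bob and carol (never reset) and frank (reset too early) and clears alice.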

Backup infrastructure must be unreachable from the attacker’s starting position. Akira’s 15-minute destruction of the Veeam catalog is possible because the Veeam server is typically reachable from the same segment as the VPN client pool and joined to the production domain. Segmented, network-isolated backup targets with one-way replication into immutable storage render the dwell-time attack moot: even if encryption completes in an hour, recovery without ransom payment remains possible. If your backup server is joined to the same Active Directory domain as your production file servers, you have a backup problem, not a detection problem.

Active Directory is the keystone. Both operators end their kill chains by abusing AD — Storm-1175 via GPO push, Akira via domain admin compromise. Tiered AD administration (privileged access workstations, tier-0 isolation, just-in-time admin via PAM) is not a nice-to-have. It is the single most effective control for preventing a compromised user account from becoming a fully-encrypted domain. If your helpdesk account can log into a domain controller, you have a structural problem that no EDR can save you from.

EDR policies must fail closed on AV exclusion changes. Storm-1175’s defense evasion explicitly relies on pushing antivirus exclusions via local admin. Modern EDRs support tamper protection that prevents even local admins from modifying the agent configuration. If yours is not configured that way, turn it on today, with an allow-list managed centrally rather than per-host.

The detection content that matters is post-authentication anomaly. The legacy SOC rule set is optimized for failed logins, brute force, and malware signatures. For compressed-kill-chain ransomware, the high-value signals are: a VPN session followed by immediate internal port scanning, RMM tool installation on servers that have never previously run one, GPO changes that deploy unsigned executables, and Rclone or similar sync tool activity from hosts that have no business doing bulk data movement. These are not subtle detections. They are specific, high-fidelity, and they fire during the critical 30-minute window before encryption starts. Almost no organization has all four running.
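The four signals above, together with the GPO-push behaviour described for Storm-1175, as one added detection sketch (example code written for this page, not rules from any SIEM or EDR product and not taken from the Arctic Wolf or Microsoft reports): each detector runs over a constructed, normalized event stream and returns the alerts it would raise. The field names, hostnames, file paths, the RMM image list, and the baselines of hosts allowed to run RMM agents or sync tools are all assumptions, and the thresholds (25 distinct targets within ten minutes of a VPN login) are starting points to tune, not figures from the source.

```python
from datetime import datetime, timedelta

# --- Constructed sample telemetry (not from any real incident) --------------
# One normalized stream: VPN auth results, network flows from the VPN pool,
# EDR process starts and Group Policy changes. In production these come from
# appliance syslog, firewall/NetFlow logs, EDR process telemetry and DC
# Security events (e.g. 5136 directory changes, 5145 SYSVOL share access).
EVENTS = [
    {"t": "2026-03-14T02:09:00", "type": "vpn_auth", "user": "alice",
     "result": "success", "assigned_ip": "10.200.0.17"},
    {"t": "2026-03-14T02:12:00", "type": "vpn_auth", "user": "bob",
     "result": "success", "assigned_ip": "10.200.0.18"},
    # bob: three ordinary flows to two hosts (benign)
    {"t": "2026-03-14T02:13:00", "type": "flow", "src": "10.200.0.18", "dst": "10.10.1.5", "dport": 445},
    {"t": "2026-03-14T02:13:05", "type": "flow", "src": "10.200.0.18", "dst": "10.10.1.9", "dport": 443},
    {"t": "2026-03-14T02:13:10", "type": "flow", "src": "10.200.0.18", "dst": "10.10.1.5", "dport": 445},
    # RMM agent started on a file server that has never run one
    {"t": "2026-03-14T02:21:00", "type": "process", "host": "FS01", "role": "server",
     "image": r"C:\ProgramData\JWrapper-Remote Access\SimpleHelp.exe"},
    # same tool on the helpdesk jump host, which is baselined
    {"t": "2026-03-14T02:22:00", "type": "process", "host": "JUMP01", "role": "server",
     "image": r"C:\Program Files\SimpleHelp\SimpleHelp.exe"},
    # GPO edits: one pushes an unsigned binary, one a signed vendor package
    {"t": "2026-03-14T02:40:00", "type": "gpo_change", "gpo": "Default Domain Policy",
     "path": r"\\corp.local\SYSVOL\corp.local\scripts\svchost_update.exe", "signed": False},
    {"t": "2026-03-14T02:41:00", "type": "gpo_change", "gpo": "Workstation Software",
     "path": r"\\corp.local\SYSVOL\corp.local\pkgs\7z2409-x64.msi", "signed": True},
    # rclone on a file server vs. on the designated backup-copy host
    {"t": "2026-03-14T02:50:00", "type": "process", "host": "FS02", "role": "server",
     "image": r"C:\Users\Public\rclone.exe"},
    {"t": "2026-03-14T02:51:00", "type": "process", "host": "BKP-COPY01", "role": "server",
     "image": r"C:\Tools\rclone.exe"},
]
# alice: 60 flows to 60 distinct ports on one host inside one minute (a scan)
EVENTS += [{"t": f"2026-03-14T02:10:{i:02d}", "type": "flow", "src": "10.200.0.17",
            "dst": "10.10.1.5", "dport": 1000 + i} for i in range(60)]

# Assumed environment knowledge; in practice derived from asset inventory.
RMM_IMAGES = {"simplehelp.exe", "meshagent.exe", "anydesk.exe", "logmein.exe"}
SYNC_IMAGES = {"rclone.exe", "megasync.exe", "winscp.exe"}
RMM_BASELINE = {"JUMP01"}          # servers known to run an RMM agent
BULK_COPY_HOSTS = {"BKP-COPY01"}   # hosts with a business reason to run sync tools
PAYLOAD_EXT = (".exe", ".ps1", ".bat", ".dll", ".msi")


def _t(e):
    return datetime.fromisoformat(e["t"])


def _image_name(e):
    return e["image"].replace("\\", "/").rsplit("/", 1)[-1].lower()


def vpn_then_scan(events, window=timedelta(minutes=10), min_targets=25):
    """VPN success followed by many distinct (host, port) targets from the
    assigned address. Keyed on the IP because flow logs carry no username."""
    alerts = []
    flows = [e for e in events if e["type"] == "flow"]
    for a in (e for e in events if e["type"] == "vpn_auth" and e["result"] == "success"):
        targets = {(f["dst"], f["dport"]) for f in flows
                   if f["src"] == a["assigned_ip"] and _t(a) <= _t(f) <= _t(a) + window}
        if len(targets) >= min_targets:
            alerts.append(("vpn_then_scan", a["user"], len(targets)))
    return alerts


def new_rmm_on_server(events, baseline=RMM_BASELINE):
    """RMM agent process on a server that is not in the RMM baseline."""
    return [("rmm_on_server", e["host"], _image_name(e)) for e in events
            if e["type"] == "process" and e["role"] == "server"
            and _image_name(e) in RMM_IMAGES and e["host"] not in baseline]


def gpo_unsigned_payload(events):
    """GPO change that references an unsigned executable payload."""
    return [("gpo_unsigned_payload", e["gpo"], e["path"]) for e in events
            if e["type"] == "gpo_change" and not e["signed"]
            and e["path"].lower().endswith(PAYLOAD_EXT)]


def sync_tool_off_baseline(events, allowed=BULK_COPY_HOSTS):
    """Bulk sync tool (rclone and friends) on a host not approved for it."""
    return [("sync_tool", e["host"], e["image"]) for e in events
            if e["type"] == "process" and _image_name(e) in SYNC_IMAGES
            and e["host"] not in allowed]


def run_all(events):
    """Run every detector over a time-ordered copy of the stream."""
    events = sorted(events, key=_t)
    return (vpn_then_scan(events) + new_rmm_on_server(events)
            + gpo_unsigned_payload(events) + sync_tool_off_baseline(events))


if __name__ == "__main__":
    for alert in run_all(EVENTS):
        print(alert)
```

On the sample stream this raises exactly four alerts (alice’s scan, SimpleHelp on FS01, the unsigned GPO payload, rclone on FS02) and stays quiet on bob, the baselined jump host, the signed package and the backup-copy host. None of these rules depends on a failed login or a malware signature, which is the point: they key on behaviour that a valid-credential, MFA-passing intrusion still has to exhibit.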

The Uncomfortable Conclusion

The ransomware landscape has moved through three distinct architectural eras. The spray-and-pray era ended in the late 2010s with the rise of big-game hunting and human-operated intrusions. The big-game-hunting era is ending now, as its successor compresses the hand-crafted intrusion into an automated, pre-positioned, sub-hour execution that looks more like a fire-and-forget weapon than a campaign.

For defenders, the implication is that detection-driven security is losing its position as the primary control for ransomware resilience. It remains necessary — you still need to know when something has happened — but it is no longer sufficient. The programs that weather the next 18 months will be the ones that have shifted investment toward structural prevention: credential rotation cadences measured in weeks, backup infrastructure segmented to the point of being painful to administer, Active Directory tiering with no exceptions, and EDR tamper protection configured to fail closed.

The programs that keep optimizing their SOC MTTR while leaving their VPN credentials and Veeam servers in their default configurations will continue to get encrypted inside the coffee break their analyst was getting when the alert came in.

Detect-and-respond was an acceptable model when dwell time was measured in days. It is not an acceptable primary model when dwell time is measured in minutes. The industry has not yet fully absorbed that shift. The operators have.