Sophos has posted a blog providing an insightful look into the activity of threat actors loitering on victim networks before finally executing a Lockbit ransomware attack. Researchers described how an unknown threat actor spent over five months exploring a “regional US government agency’s” networks after gaining access to them. Their activity was initially amateurish and lackadaisical, before turning professional in the weeks before the ransom, potentially indicating that a novice attacker had penetrated the network and eventually sold the access to a more sophisticated group. Sophos researchers point to mistakes made by the initial attacker that created multiple alerts for the IT department and their inability to capitalize on these alerts created vulnerabilities that were swiftly exploited for rapid lateral movement to deploy ransomware. This attack highlights the importance of using the window when attackers have access to the network, but have not exploited it, to prepare and defend critical assets. Read more at Sophos.