Ransomware gets deployed three days after an organization’s network gets infiltrated in the vast majority of attacks. Post-compromise deployment takes as long as 299 days in some of the dozens of attacks researchers at cybersecurity firm FireEye examined between 2017 and 2019. In 75% of all attacks, the attackers use that time to steal Domain Admin credentials that they can later use to distribute the ransomware payloads throughout the compromised environment. In a handful of cases, FireEye Managed Defense contained and remediated malicious activity, likely preventing ransomware deployment.
Source: https://www.bleepingcomputer.com/news/security/most-ransomware-gets-executed-three-days-after-initial-breach/