stopwatch

Researchers have conducted a technical experiment, testing ten ransomware variants to determine how fast they encrypt files and evaluate how feasible it would be to timely respond to their attacks.

Ransomware is malware that enumerates the files and directories on a compromised machine, selects valid encryption targets, and then encrypts the data, so it is unavailable without a corresponding decryption key.

This prevents the data owner from accessing the files, so ransomware attacks are either carried out for data destruction and operational disruption or financial extortion, demanding the payment of a ransom in return for a decryption key.

How fast a device is encrypted is important, as the quicker it is detected, the less damage is done, and the volume of data needing to be restored is kept to a minimum.

Putting ransomware to the test

Researchers at Splunk conducted 400 encryption tests, consisting of 10 different families, ten samples per family, and four different host profiles reflecting different performance specifications.

"We created four different "victim" profiles consisting of Windows 10 and Windows Server 2019 operating systems, each with two different performance specifications benchmarked from customer environments," Splunk explained in their report.

"We then chose 10 different ransomware families and 10 samples from each of those families to test."

During these tests, the researchers evaluated the encryption speed against 98,561 files totaling 53GB using various tools, such as native Windows logging, Windows Perfmon statistics, Microsoft SysmonZeek, and stoQ.

The host system hardware and OS configurations varied to reflect a realistic corporate network setting, and the analysts measured all encryption times and derived the median speed of encryption for each variant.

The total median time for all 100 different samples of the ten ransomware strains on the test rigs was 42 minutes and 52 seconds.

However, as reflected in the following table, some ransomware samples deviated significantly from this median value.

Average encryption times for each strain
Average encryption times for each strain (Splunk)

The "winner," and the most lethal strain in response time margins was LockBit, achieving an average of 5 minutes and 50 seconds. The fastest LockBit variant encrypted 25,000 files per minute.

LockBit has long bragged on their affiliate promotion page that they are the fastest ransomware for encrypting files, releasing their own benchmarks against over 30 different ransomware strains.

The once-prolific Avaddon achieved an average of just over 13 minutes, REvil encrypted the files in about 24 minutes, and BlackMatter and Darkside completed the encryption in 45 minutes.

On the slower side, Conti needed almost an hour to encrypt the 54 GB of test data, while Maze and PYSA finished in nearly two hours.

The time factor

While time is an important factor, it's not the only detection opportunity in ransomware attacks, which typically involve reconnaissance periods, lateral movement, credential-stealing, privilege escalation, data exfiltration, disabling of shadow copies, and more. 

All possible detection opportunities in a ransomware incident
All possible detection opportunities in a ransomware attack (CertNZ)

After the encryption is over, it is the strength of the encryption scheme itself that determines how long-lasting or manageable the consequences of the attack will be, so strength is more important than speed.

The short time to respond when ransomware is ultimately deployed highlights that focusing on that particular detection and mitigation opportunity is unrealistic and ultimately wrong.

As noted in the Splunk report, this research demonstrates the need for organizations to shift focus from incident response to ransomware infection prevention.

The overall median of 43 minutes is a tiny window of opportunity for network defenders to detect ransomware activity, considering that previous studies have found that the average time to detect compromise is three days.

Since most ransomware groups hit during weekends when the IT teams are understaffed, most encryption attempts are completed successfully, so the time for encryption shouldn't be a significant consideration for defenders.

Ultimately the best defense is to detect unusual activity during the reconnaissance stage, before ransomware is even deployed.

This includes looking for suspicious network activity, unusual account activity, and the detection of tools commonly used before an attack, such as Cobalt Strike, ADFind, Mimikatz, PsExec, Metasploit, and Rclone.

Related Articles:

New Qilin ransomware encryptor features stronger encryption, evasion

Police arrest four suspects linked to LockBit ransomware gang

New ShrinkLocker ransomware decryptor recovers BitLocker password

Attacks on Citrix NetScaler systems linked to ransomware actor

New Ymir ransomware partners with RustyStealer in attacks