For IT and cybersecurity professionals, ransomware has been the scourge of the earth over the last two years, as the cybercrime economy continues to grow and beat system administrators and network defense pros to the point of attack.
One reason for the difficulty in preventing and responding to ransomware attacks is the speed with which ransomware groups encrypt files and lock users out, with some ransomware families taking just a handful of minutes to encrypt nearly 100,000, according to new research released by IT management software company Splunk.
In a research blog and whitepaper, the San Francisco, Calif. firm analyzed 10 of the most popular ransomware variants and measured the speed at which the malware encrypted 53 GB of data, discovering that the average of the median to be just eight seconds shy of 43 minutes.
Further, all 10 of the most popular ransomware strains can encrypt the same amount of data in less than two hours, which highlights the importance of detection and response in the IT department’s software and competencies.
Splunk said its analysis came after the LockBit ransomware group posted a table on its Tor site listing ransomware encryption speeds for more than 30 ransomware variants, with LockBit 2.0 and LockBit making up the top two fastest to encrypt 100 GB at 4 minutes and 28 seconds and 6 minutes and 16 seconds, respectively.
“We couldn’t leave it to LockBit’s marketing team to only release content like this, so we rolled up our sleeves and got busy building an environment that would allow us to conduct our own ransomware speed tests,” Splunk said in a blog describing the project.
Using the Attack Range project created by Splunk researchers, the company created four victim profiles consisting of Windows 10 and Windows Server 2019 operating systems, each with two different performance specs benchmarked from customer environments. Ten samples each from 10 different ransomware families were chosen to be tested along with the Microsoft Defender detection identifiers from Virus Total.
Samples were tested across the four host profiles, amounting to 400 different ransomware runs. Using native Windows logging, Windows Perfmon statistics, Microsoft Sysmon, Zeek and stoQ, researchers measured the encryption speed of each variant.
Splunk’s analysis confirmed that the LockBit ransomware is in fact the fastest strain, with a median encryption duration of five minutes and 50 seconds. However, LockBit also recorded the fastest sample, coming in at four minutes and nine seconds.
Babuk, meanwhile, was the second fastest, with a median duration of six minutes and 34 seconds, and also the only other variant analyzed with a median duration of under 10 minutes.
The research found that all of the 10 most popular ransomware variants have a median encryption duration of under two hours, and eight logged a median duration under one hour.
Since ransomware can encrypt files in the blink of an eye, Splunk suggests organizations start looking “left of boom,” and assess capabilities to prevent or detect the ransomware’s behavior.
The company also calls on IT admins and security professionals to adopt what are now baseline cybersecurity strategies, including multi-factor authentication, network segmentation, patching and centralized logging.