Lockbit wins ransomware speed test, encrypts 25,000 files per minute

Ransomware moves more quickly than most organizations can respond. Though knowing they have a specific limited window should help inform where to put their defenses, according to security data shop Splunk.

The vendor's research team Surge today published research on how long it takes 10 of the big ransomware families including Lockbit, Conti, and REvil to encrypt 100,000 files. While the criminal gangs' speeds varied, Surge found the median ransomware variant can encrypt nearly 100,000 files totaling 53.93GB in 42 minutes and 52 seconds. 

Also: Lockbit was the fastest, and 86 percent faster than the median. The fastest Lockbit sample encrypted just under 25,000 files per minute.

However, the research is more than just an interesting read on ransomware families' encryption speeds, according to Ryan Kovar, who leads the Splunk Surge team. Security teams can use this knowledge to improve their defenses, he told The Register.

Focusing on ransomware mitigation and response doesn't work because most encryption speeds are too fast, anywhere from four minutes to three hours, he said. 

"This reactive approach is really around a lack of knowledge of how ransomware works," Kovar said. "What we wanted to do is see if we could provide the evidence for people to start looking left of boom."

Investing in tools that focus on prevention and earlier detection provide more bang for their buck, he added. This includes the basics like better patching and conducting an asset inventory, as well as using multi-factor authentication and tools that look for attackers on the network before they deploy ransomware binaries.

"There's a lot of value in having detections that show that ransomware is executed, especially on giant networks," Kovar continued.

"But if you have $100, and you can start moving your detections left and finding things before they encrypt, whether that be ransomware in flight or focusing on the tools that the ransomware operators use to get in the network and move laterally, there's a lot of value there."

In addition to publishing the research, Surge will also release the data on bots.splunk.com so that security teams can review it.

• Microsoft investigates Lapsus$'s boasts of Bing, Cortana code heist
• AvosLocker group is targeting US critical infrastructure, FBI says
• Exotic Lily is a business-like access broker for ransomware gangs
• CISOs face 'perfect storm' of ransomware and state-supported cybercrime

To determine how quickly ransomware encrypts, the researchers selected 10 ransomware families with 10 separate binaries from each family. They then created an Amazon Web Services virtual private cloud for each family and executed all of the samples against four hosts: two running the operating system Windows 10 and the other two running Windows Server 2019. All of the performance telemetry from the endpoint hosts was then sent to a central Splunk instance for analysis.

Surge selected the 10 ransomware families, sourced from VirusTotal, based on their prevalence over the past two years. The families, listed from fastest to slowest are: LockBit, Babuk, Avaddon, Ryuk, REvil, BlackMatter, Darkside, Conti, Maze and Mespinoza.

LockBit's median encryption time remained the fastest, five minutes and 50 seconds, consistently across the different hardware types. "That was really surprising," Kovar said. 

However, this lined up with previous research about LockBit that found the criminal group only encrypts 4KB of each file, thus breaking the data, before moving on to the next file. For comparison: other ransomware families encrypt the entire file, which obviously takes longer.

Mespinoza was the slowest with a median duration of almost two hours.

"It's kind of like a car: if someone cuts the gas line or flattens a car and turns it into a tube, either way you can't drive. But it's a lot faster just to cut the gas line," Kovar said. "And that's kind of how LockBit ransomware works."

This also supports LockBit's claim of the "fastest ransomware" on its Tor website. 

"So seeing that difference on the same files on the same systems being executed by the different ransomware family, and seeing that they're not all created equal was a fascinating outcome," Kovar said. 

In addition to releasing this data for other researchers to analyze, Surge has future ransomware topics it wants to explore in upcoming research. According to the report:

"We hope to evaluate the patterns that ransomware exhibits when encrypting files, ransomware worming behavior, how to cluster similar ransomware binaries based on fuzzy hashing algorithms, and future analysis of ransomware family attribution over time." ®