The most effective ransomware strains can encrypt nearly 100,000 files in just four minutes, researchers found in controlled tests.
The median time for all files to be encrypted is 42 minutes – leaving victims little time to act.
The empirical analysis, conducted by Splunk’s SURGe security research team in a tightly controlled environment, timed how long it took 10 common ransomware families to encrypt 53GB of files on four Windows 10 and Windows Server 2019 systems set up to simulate 10 different CPU and memory configurations.
Each scenario was run 10 times, giving 100 measurements of total time to encrypt (TTE). Those measurements showed that a company under attack has anywhere from 4 minutes to 3½ hours before every one of its files has been encrypted.
Variations in technical specifications such as processor speed or number of CPU cores could impact TTE.
However, this impact was “inconsistent,” the group said, “implying that some ransomware was single-threaded or minimally able to take advantage of additional resources…. At times they performed worse on the systems with higher specifications.”
In other words, just because ransomware lands on your most powerful systems doesn’t mean it will encrypt your files any faster.
Overall, the researchers found, the fastest strain of ransomware was LockBit – with a median encryption time of 5 minutes 50 seconds – followed closely by Babuk (6:34).
Other rapidly acting strains included Avaddon (13:15), Ryuk (14:30) and REvil (24:16), which re-emerged last September before being forced offline late last year by a multinational law-enforcement operation involving the FBI. BlackMatter (43:03), DarkSide (44:52) and Conti (59:34) gave victims more time before their files were lost.
The slowest ransomware families were Maze and Mespinoza (PYSA), which both took just over 1 hour 54 minutes before the encryption was complete.
Not long to react
The Russian-developed LockBit strain was first detected in 2019 but has proven particularly long-lived: the LockBit 2.0 update released last year added new features, and its operators began offering cash rewards to company insiders willing to install the malware inside their employers’ networks.
Splunk’s findings were consistent with the performance claims made by the malware’s authors: LockBit 2.0 encrypts only the first 4 KB of each file, which is enough to corrupt the header of most file formats while reading and writing only a small fraction of the data, and that choice cuts total encryption time considerably.
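The 4 KB figure also explains why a whole-file entropy check, a common ransomware-detection heuristic, can miss LockBit-style partial encryption: a 4 KiB ciphertext prefix barely moves the average entropy of a large document. The Python below is an added example, not Splunk’s, LockBit’s or any vendor’s code. It classifies constructed sample files by comparing the entropy of the first 4 KiB against the remainder, and it handles the edge case of a file too short for the two cases to be told apart. The 4096-byte prefix, the 7.5 bits/byte threshold, the 1 KiB minimum tail and the sample data are assumptions chosen for illustration; seeded random bytes stand in for ciphertext.

```python
import math
import random
from collections import Counter

HEAD_BYTES = 4096     # assumption: the prefix a LockBit 2.0-style encryptor touches
HIGH_ENTROPY = 7.5    # assumption: bits/byte; ciphertext and random data sit near 8.0
MIN_TAIL = 1024       # assumption: below this the tail is too small for a stable estimate


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_encrypted_whole_file(data: bytes) -> bool:
    """Naive check: average entropy over the entire file.

    Misses head-only encryption because a 4 KiB ciphertext prefix barely
    changes the average of a file that is hundreds of kilobytes long.
    """
    return shannon_entropy(data) >= HIGH_ENTROPY


def classify(data: bytes) -> str:
    """Compare the first HEAD_BYTES with the remainder of the file.

    Returns one of:
      'plaintext' - neither region looks like ciphertext
      'full'      - both regions look like ciphertext, or the file is too short
                    to tell head-only encryption apart from full encryption
      'head-only' - only the leading HEAD_BYTES look like ciphertext
    """
    head, tail = data[:HEAD_BYTES], data[HEAD_BYTES:]
    head_hot = shannon_entropy(head) >= HIGH_ENTROPY
    if len(tail) < MIN_TAIL:
        # Edge case: on a small file a head-only encryptor and a full encryptor
        # rewrite the same bytes, so there is nothing left to distinguish them.
        return "full" if head_hot else "plaintext"
    tail_hot = shannon_entropy(tail) >= HIGH_ENTROPY
    if head_hot and tail_hot:
        return "full"
    if head_hot:
        return "head-only"
    return "plaintext"


def make_samples(seed: int = 1) -> dict:
    """Constructed sample 'files' for the demo; not taken from any real incident.

    Random bytes from a seeded PRNG stand in for ciphertext
    (random.Random.randbytes needs Python 3.9 or later).
    """
    rng = random.Random(seed)
    sentence = b"Quarterly revenue figures, customer records and other ordinary office data. "
    size = 256 * 1024
    plaintext = (sentence * (size // len(sentence) + 1))[:size]
    return {
        "plaintext": plaintext,                                   # untouched document
        "full": rng.randbytes(size),                              # whole file encrypted
        "head_only": rng.randbytes(HEAD_BYTES) + plaintext[HEAD_BYTES:],  # first 4 KiB only
        "small_full": rng.randbytes(2048),                        # short file, fully encrypted
    }


if __name__ == "__main__":
    for name, blob in make_samples().items():
        naive = "encrypted" if looks_encrypted_whole_file(blob) else "clean"
        print(f"{name:10s} whole-file entropy={shannon_entropy(blob):.2f} "
              f"naive={naive:9s} head/tail verdict={classify(blob)}")
```

Run over files that have changed in the last few seconds, the head/tail split flags the partially encrypted document that the whole-file average lets through. The same split is why the technique works for the attacker: the first few kilobytes hold the magic bytes and headers that most applications need to open a file, so encrypting them alone is usually enough to make the file unusable.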
Optimised ransomware performance poses problems for victims, the analysis said, noting that “this narrow timeline provides a limited window for organisations to effectively respond before encryption is complete.”
“This can prove even more limiting considering that the catastrophic apex may be when a single critical file is encrypted, rather than the whole of the victim’s data.”
“With such factors in play, it may prove to be extremely difficult, if not impossible, for the majority of organisations to mitigate a ransomware attack once the encryption process begins.”
A host of security vendors have worked to simplify ransomware detection and response, developing tools that watch for mass file modification and begin rolling back the changes as soon as an infection is detected, to counteract the ransomware while it is still working through the environment.
“When ransomware strikes, it is important that you don’t let panic set in,” Joshua Robinson, technical marketing architect at backup and ransomware recovery firm Rubrik, noted during a recent webinar on ransomware recovery strategies.
“There are multiple streams of investigation going on, trying to identify how the infection got in and what data have been compromised – and if you’re lucky, you might have your CEO breathing down your neck as well.”
“We all like to think that it won’t happen to us,” added Rubrik technical marketing architect Kevin Johnson, “but the reality is that ransomware is getting more and more sophisticated – so it’s important that we have plans in place to deal with a breach if the worst were to happen.”
Even an incidental ransomware infection can snowball into a major business event, as automotive giant Toyota found last month, when 28 production lines across 14 Japanese manufacturing plants were paused after a ransomware attack on one of its parts suppliers, in what security experts believe was a run-of-the-mill attack.
“This shutdown of a third of Toyota’s global production should serve as a stark reminder on the complexities of our supply chains, how interdependent these systems are on each other, and the dangers criminals pose to society when they detonate malware in targeted systems,” said Chris Grove, product director with operational-security firm Nozomi Networks.
“Ransomware operators may believe they're hitting an isolated, insignificant victim, but the reality is they don't really know, or understand, the ecosystem they're impacting.”