Time becomes a critical factor when it comes to preventing ransomware from encrypting files and devices. A new study by Splunk has found that modern-day ransomware, such as LockBit, is capable of encrypting around 25,000 files in just one minute. The time window is so small that before an organization realizes the effect, the ransomware would have done its job.

Putting ransomware to the test

  • The study conducted by Splunk involved 10 samples each of 10 ransomware families.
  • The ransomware families included Avaddon, Babuk, BlackMatter, Conti, DarkSide, LockBit, Maze, Mespinoza (PYSA), REvil, and Ryuk. 
  • These samples were executed on four hosts - two running Windows 10 and the other two running Windows Server 2019.
  • After execution, the researchers measured the time the ransomware families took to encrypt nearly 100,000 files with a total size of approximately 54 GB. 
  • The results showed that LockBit was the fastest with 5 minutes and 50 seconds, followed by Babuk at 6 minutes and 34 seconds.
  • The notorious Conti encrypted files in just under an hour.
  • Maze and Mespinoza were the slowest ones, taking around two hours to encrypt files.
  • The average time across all strains was 43 minutes. According to researchers, forty-three minutes is an extremely limited window of opportunity for mitigation, considering the previous studies that found that the average time to detect compromise is three days.

Other insights

  • The analysis also showed that only some ransomware takes advantage of better hardware to speed up the encryption process. 
  • One of these factors is related to the storage disk speed. The better is the storage disk speed, the faster is the encryption process. 
  • The report also highlighted that some families utilized increased system resources such as CPU time as part of the encryption process. 

The bottom line

Ultimately, the best defense against ransomware is to detect unusual activity during the reconnaissance or initial access stage, before the ransomware is even deployed. Organizations must focus more on preventing an attack by spotting the warning signs of a ransomware compromise. This includes looking for suspicious network activity and detection of tools commonly used before an attack, such as Cobalt Strike, ADFind, Mimikatz, PsExec, Metasploit, and Rclone.

Cyware Publisher