Ransomware now encrypts so fast it ‘will burn the house down’
A new study found that ransomware can encrypt 54 GB in 43 minutes, an extremely limited window of mitigation, especially considering it takes about three days for compromises to be detected.
Ransomware encrypts faster than organizations can respond, making it unlikely that they can prevent a total loss of data from an attack, according to a new study.
The research by SURGe, Splunk’s new cybersecurity research arm, found that the median ransomware variant can encrypt 98,561 files totaling almost 54 gigabytes in 42 minutes and 52 seconds.
“Forty-three minutes is an extremely limited window of opportunity for mitigation, especially considering that the average time to detect compromise is three days, as the Mandiant M-Trends report found,” according to “An Empirically Comparative Analysis of Ransomware Binaries,” which Splunk published March 23.
Individual ransomware samples encrypted data along a range of four minutes to three and a half hours.
“We found out that ransomware operates a lot faster than we initially thought we did overall, but in addition to that, different ransomware families operate faster than others,” said Mick Baccio, global security strategist at Splunk. “What surprised me was not results of it but how close most of them were. There were a few outliers -- the fast ones are fast, the slow ones are slow -- but there are a lot of middling ones that I think pose a problem for everyone out there.”
The team studied the performance of 10 families with 10 separate binaries across Windows operating systems and hardware specifications. Those families included headline-makers such as DarkSide, LockBit and REvil. LockBit, a ransomware-as-a-service offering, was the fastest variant to encrypt on any system, with a sample encrypting almost 25,000 files per minute, according to the report.
The researchers built a modified version of the Splunk Attack Range, which allows for the creation of small networks within Amazon Web Services (AWS), to execute 10 samples of each of the 10 variants on four hosts, two of which ran Windows 10 and the others Windows Server 2019. Every host had 98,561 files placed in 100 directories.
The team created an AWS Virtual Private Cloud for each Windows endpoint type and resource specification, and the ransomware samples ran inside that independent, self-contained environment. The attacks were launched through a remote PowerShell script to emulate “modern ransomware campaigns where ransomware is executed by human operators,” the report stated, and events were forwarded to a central Splunk server for analysis and reporting.
“We had a virtual environment and let all the different families loose and said, ‘Hey, which ransomware family encrypts this number of files the fastest?’” Baccio said. “No matter what the ransomware family is, know that it will burn the house down. It just might take a little longer than the next ransomware family, but all of them are horrible in their own way.”
Data showed that some ransomware families used increased system resources better than others, with some even crashing when deployed on the faster test systems. “There was no direct correlation between a sample using a larger amount of system resources with a faster encryption speed,” the report stated.
“The way they’re written affects their performance,” Baccio said. “The hardware or virtualized hardware that they are running on affects their performance…. I think what that’s showing us is how unique that ransomware is getting and how advanced it’s getting,” he said. On the other side of that coin, he added, the “strategies we’re using to defend our networks have to get more advanced as well.”
That strategy will look different for each agency, depending on its needs, he said, noting that this doesn’t mean basic cyber hygiene -- cyber vegetables, as he calls it -- can fall to the wayside. They just evolve. For instance, multifactor authentication is a new element of hygiene that has emerged in recent years.
“If a ransomware incident does occur, we’re telling folks now about how little time they have for those defenses,” Baccio said. “The idea of stopping a ransomware attack after the attack has started, that time frame is shrinking more and more. What we’re trying to do is give network defenders more time before that actual attack and reduce that dwell time.”
Stephanie Kanowitz is a freelance writer based in northern Virginia.