Security researchers tested 10 malware variants and found speeds ranging from four minutes to over three hours to encrypt 53 GB.
Splunk researchers put 10 ransomware variants through a speed test to help network defenders improve their security strategies. Analysts measured the total encryption time and found that LockBit’s claim to be the fastest holds up: it encrypted the 53 GB of sample files in five minutes and fifty seconds.
Splunk’s SURGe team has shared these findings in a new report, “An Empirically Comparative Analysis of Ransomware Binaries.” Splunk is an open, extensible data platform that collects and analyzes an organization’s data for security, IT, and operations teams. The experiment measured how quickly 10 popular ransomware variants encrypted nearly 100,000 files on different Windows operating systems and hardware specifications. The project also looked at how the ransomware used system resources like CPU, memory, and disk. The median total encryption time was 42 minutes and 52 seconds for the 10 families.
The problem is clear, as Splunk analysts bluntly state: “Forty-three minutes is an extremely limited window of opportunity for mitigation, especially since the average time to detect a compromise is three days, as the Mandiant M-Trends report found.” The Splunk team quantified total encryption time to give network defenders more insight and the ability to move “left of the boom,” that is, to proactively bolster defenses before an attack.
How the speed test worked
Here’s how Splunk researchers set up the experiment:
“… We created a modified version of the Splunk Attack Range lab environment to run 10 samples of each of the 10 ransomware variants on four hosts. Two hosts were running Windows 10 operating system and the other two hosts were running Windows Server 2019. … We assigned each host ‘high’ or ‘medium’ level resources to test ransomware behavior with different CPU configurations, memory and hard drive. We enabled Windows logging on each host to collect, synthesize, and analyze data in Splunk.”
The median total encryption time was 42 minutes and 52 seconds. The fastest families came in well under that figure; the median time per family (mm:ss, or hh:mm:ss) was:
- LockBit: 05:50
- Babuk: 06:34
- Avaddon: 13:15
- Ryuk: 14:30
- REvil: 24:16
- BlackMatter: 43:03
- DarkSide: 44:52
- Conti: 59:34
- Maze: 01:54:33
- Mespinoza (PYSA): 01:54:54
Strengths and Weaknesses of Ransomware Families
Splunk analysts also wanted to quantify the encryption speed for each individual sample as well as the median speed and duration among malware families. The researchers found that some families were efficient, while others used large percentages of CPU time and very high disk access rates. There was also variety within a family: a single Babuk variant was the slowest sample individually, but the family as a whole was the second fastest overall. In analyzing the test, the researchers noted that “there was no direct correlation between a sample using more system resources with faster encryption speed. Some ransomware families performed worse, or even crashed, when deployed to faster test systems.”
Splunk’s SURGe team conducted the research. The research group studies malware, responds to attacks, and educates IT and security professionals about cyber threats. SURGe provides organizations with technical advice during large-scale and urgent cyberattacks through response guides, research papers, conference presentations and webinars.