How long does it take an attacker to encrypt your files?
Time is of the essence for cybersecurity professionals who own the solemn responsibility to respond, detect, locate and mitigate a ransomware attack.
Knowing how long ransomware takes to encrypt is interesting intelligence for cybersecurity pros to consider how to mitigate an attack. Attackers currently have the advantage because the initiation of the encryption phase of a ransomware attack is often controlled in real time by the attacker.
Splunk recently benchmarked ransomware speed. BluVector’s Threat Intelligence team randomly selected and tested a publicly available sample from each ransomware family tested by Splunk. BluVector’s patented Machine Learning Engine (MLE) detected all samples. Regression testing of these samples shows that BluVector would have detected the ransomware samples on average 60.5 months prior to their release. BluVector’s Advanced Threat Detection can provide First Move alerts and visibility into novel threats before they can enter a network and cause catastrophic damage.
How Fast Can Ransomware Run?
What gearhead doesn’t love comparing 0-60 and ¼ mile times? Often though, the results don’t directly translate to the real world, as they involve specific circumstances or a complete lack of mechanical sympathy. Recently, researchers at Splunk set out to measure the encryption speed of 10 different ransomware families. In their tests they made efforts to ensure the results were representative of real-world situations.
Firstly, using publicly accessible file repositories, the researchers gathered 98,561 document files, totaling approximately 53GB. They then set-up two different hardware configurations each for Windows 10 and Windows Server 2019, giving a total of 4 victim systems, which are representative of those utilized by real-world organizations. For each of the 10 ransomware families, they chose 10 samples to test. The researchers then performed a total of 400 encryption tests and recorded the time taken to encrypt all eligible files.
The researchers presented the results using the median times, as within some ransomware families, there were variants which produced outlier times, meaning a simple average wouldn’t give the best representation. The average of the median times for all families was 42 minutes and 52 seconds. The quickest time was produced by LockBit, with 5 minutes and 50 seconds, whereas the longest times, of almost 2 hours, were recorded for Maze and Mespinoza. There were four ransomware families with median times under 15 minutes: LockBit, Babuk, Avaddon and Ryuk. Obviously actual encryption times will vary widely dependent on the hardware specifications, number of files encrypted and network speeds (relevant when encrypting files on shared drives), however the relative speeds between ransomware families should remain consistent.
Obviously, the optimal outcome is to detect ransomware samples prior to them being able to execute on endpoints, in which case their encryption speed is irrelevant. However, there is some insight to be gained from these results into the windows of time responders have to detect, locate and mitigate a ransomware attack. Though this should really be viewed as a damage limitation window, as it is important to keep in mind that files are being encrypted by the ransomware from the moment the encryption process is initiated. Also pertinent is the fact that, especially for high value targets, the initiation of the encryption phase of a ransomware attack is often controlled in real-time by the attacker. The attacker is likely to choose a time after normal business hours or a weekend so that victims are not utilizing the files being encrypted and there are less onsite staff available to detect and mitigate the attack. In this scenario, even a two-hour encryption time may not impact the attackers achieving their desired result.
Much like 0-60 times, knowing the relative encryption speeds of ransomware families can have limited practical value – though LockBit operators have used their speed to promote their ransomware to prospective customers for some time. However, it does provide defenders with more data, and as in most cases, more data is a positive.
How Does It Propagate?
The most common attack vector for most ransomware is social engineering, either as malicious attachments or downloads performed by malicious documents. Poorly secured internet facing RDP (Remote Desktop Protocol) and other servers are also common attack vectors for ransomware.
When/How Did BluVector Detect It?
A publicly available sample from each ransomware family tested by Splunk was randomly selected, and tested against BluVector’s patented Machine Learning Engine (MLE). All samples were detected. Regression testing of these samples shows that BluVector would have detected the ransomware samples on average 60.5 months prior to their release. The following table shows how many months in advance each sample would have been detected by BluVector prior to its release: