Splunk researchers ran an experiment in which they tested ten ransomware programs to establish how they encrypt files and how quickly defenders need to respond to their attacks.
A ransomware program is malware that lists files and directories on a compromised machine, selects suitable ones for encryption, and then encrypts them, which makes them inaccessible without the corresponding decryption key.
The speed at which ransomware encrypts files matters a great deal to threat response teams. The faster an attack is detected, the less damage it causes and the less data has to be recovered.
Splunk researchers conducted 400 tests using ten different ransomware families, with ten samples from each family, on four different Windows 10 and Windows Server 2019 hosts with different performance levels.
During the tests, the experts measured how quickly 98,561 files with a total volume of 53 GB were encrypted, using tools such as Windows logging, Windows Perfmon statistics, Microsoft Sysmon, Zeek and stoQ.
The overall average time for all one hundred ransomware samples on the test installations was 42 minutes 52 seconds. However, as shown in the table below, some samples deviated significantly from this median value.
The fastest and most dangerous was the LockBit family of ransomware, which managed to encrypt all files in an average of just 5 minutes and 50 seconds. The fastest representative of the family encrypted files at a speed of 25 thousand per minute.
Previously, the popular ransomware Avaddon encrypted files in 13 minutes, REvil in 24 minutes, and BlackMatter and Darkside in 45 minutes. The notorious Conti, however, clearly lags behind them: it took almost an hour to encrypt 53 GB of data. Maze and PYSA were also among the laggards, taking two whole hours.