Ransomware Encrypts Nearly 100,000 Files in Under 45 Minutes

Since we launched SURGe last year, our team of strategic cybersecurity experts has been busy helping out security teams through various cyberattacks and security incidents. Today, we released new ransomware research, which analyzed how quickly ten major ransomware strains, including Lockbit, REvil and Blackmatter, could encrypt 100,000 files.

The research revealed that the median ransomware variant can encrypt nearly 100,000 files totalling 53.93GB in forty two minutes and fifty-two seconds. A successful ransomware infection can leave organizations without access to critical IP, employee information and customer data.

Overall, the report revealed that the impact of ransomware can fluctuate across strains and resources. Key findings from the research include:

• Encryption speeds vary between ransomware variants: Individual ransomware samples varied greatly in encryption speed, ranging from four minutes to three and a half hours.

• LockBit outpaces the pack: LockBit, a noteworthy ransomware-as-a-service (RaaS), was the fastest variant to encrypt on any system with speeds 86% faster than the median. The fastest LockBit sample encrypted just under 25K files per minute.

• Identical ransomware strains can vary across systems. Improved hardware capabilities provided most ransomware samples with faster encryption speeds, but some samples and variants appeared unable to take advantage of multithreaded processors.

  • Additional memory did not appear to have a significant effect on any samples.
  • Higher disk speeds may play a role in faster execution, but most likely in combination with a variant that can take advantage of additional CPU cores.

Ultimately, this research demonstrates the need for organizations to move away from response and mitigation, and concentrate on preventing ransomware infections. Practical steps and strategies organizations can take to prevent infections can include better patching, asset inventory, MFA and looking for ransomware actors on the network before they deploy their ransomware binaries. In addition, SURGe not only created the data, but will release it on bots.splunk.com network defenders to analyze and review themselves. We encourage blue teams and researchers to look at our work themselves.

This is the first of several whitepapers this year that will unveil research findings that are relevant to security teams everywhere — so get a copy of the An Empirically Comparative Analysis of Ransomware Binaries whitepaper today. In addition, please check out Shannon Davis’s blog for more information on the research.

Methodology

For this research, SURGe created a modified version of the Splunk Attack Range lab environment to execute ten samples of each of the ten ransomware variants against four hosts with mid and high hardware specs: two running the operating system Windows 10 and the other two running Server 2019. SURGe enabled Windows logging on each host to collect, synthesize and analyze the data in Splunk. This allowed the researchers to measure how fast the ransomware variants encrypted nearly 100,000 files and how the ransomware utilized system resources like processor, memory and disk.

About SURGe

Established in October 2021, SURGe is Splunk’s strategic cybersecurity research arm dedicated to researching, responding and educating on the cyberthreats impacting the world. As a trusted advisor, SURGe provides organizations with technical guidance during high-profile, time-sensitive cyberattacks via response guides and in-depth analyses in research papers, conference papers, and webinars. Organizations can count on SURGe to provide appropriate context and timely recommendations to navigate global security incidents with confidence and intelligence.