SECURITY

Truth in Malvertising?

Splunk SURGe recently released a whitepaper, blog, and video that outline the encryption speeds of 10 different ransomware families. Early in our research, during the literature review phase, we came across another group that conducted a similar study on ransomware encryption speeds. Who was this group you ask? Well, it was actually one of the ransomware crews themselves. LockBit released the findings on their website (not linking here as it’s one of those naughty .onion sites), with a view of convincing would-be ransomware affiliates to join the LockBit crew, as they were the fastest and therefore the best. We knew that after completing our own research, we’d have to come back to test the veracity of LockBit’s findings.

Read on to see how that went!

Tell Me More About This LockBit Report

LockBit released its report in February of 2021. They tested encryption speeds across 36 different ransomware variants, including two of their own: LockBit 1.0 and LockBit 2.0. LockBit 1.0 was already considered one of, if not the fastest ransomware variants in existence, so why the need to create LockBit 2.0? And did they actually create a faster version?

Fig. 1. Screenshot of LockBit’s comparison of ransomware encryption speeds.

 

The results show LockBit 2.0 was indeed faster than LockBit 1.0 and both were found to be much faster than any of the other ransomware variants. According to this data, LockBit 2.0 was two times faster than the nearest non-LockBit variant, Cuba. LockBit included the ransomware samples on their website with this call to action: “If you have any doubts concerning this table, you can easily check the provided information downloading the samples, which have been used for testing.”

We wanted to test Lockbit 3.0 (mentioned in this blog), but despite hours of Googling, pleading on Twitter, and sending messages to secret 🐿️  Keybase and Slack groups… we couldn't find a single sample of it!

Did we have any doubt that LockBit was fast? No. Did we have any doubts about their overall findings? Yes. Our original research found that Babuk’s encryption speed was much closer to LockBit’s than what LockBit had reported. After finding this discrepancy, we knew that a full-blown test regime was needed to weed out any other differences.

LockBit’s Tests

The table from LockBit was the only reference we had to replicate this experiment. LockBit provided the following details:

  • Ransomware Name
  • Date of sample
  • Encryption speed in MB/s
  • Time to encrypt 100GB
  • Time to encrypt 10TB
  • Self-spreading?
  • Sample size
  • Total number of files encrypted

One area that we would have liked to see in more detail was the actual dataset that LockBit used to encrypt. That would help us understand some of their findings a bit better, such as the time to encrypt 100GB and 10TB. Did they use varied file types and file sizes, or did they use thousands of copies of the same file to test encryption?

LockBit provided the operating system, CPU, and memory specifications they used in their tests. For the hard drive, they mention SSD, but nothing about the IOPS or the throughput of the underlying disks. This blog gives a high-level overview of both IOPS and throughput and how they affect application performance. We did find in our original research that disk speed is just as important as CPU speed and the number of CPUs when it comes to overall encryption performance.

A top and bottom summary of LockBit’s test results:

  • 1st Place - LockBit 2.0
  • 2nd Place - LockBit 1.0
  • 3rd Place - Cuba
  • Last Place - Avos

Our Tests

We used the same approach in these tests that we did in our prior research project. We created an environment that would be identical across each variant that we tested. A modified version of Splunk Attack Range was used to build the systems in Amazon Web Services (AWS). The specifications of the “victim” system were:

  • Windows Server 2016
  • AWS EC2 Instance Type- c5.2xlarge
  • CPU Count and Type: 8 x Intel Xeon 3.4GHz
  • RAM: 16GB
  • Disk: GP3 (16000 IOPS/1000MB/s Throughput)
  • 98,561 test files spread across 100 directories (various file types and sizes)

These were the closest specifications we could find in AWS to replicate LockBit’s tests. The disk speed was the highest we could configure, but that was consistent across all variants. And as mentioned earlier, we used our “victim” dataset that contained numerous file types and sizes to try and replicate a real-world filesystem.

We tested each variant individually to avoid any contamination from other variants that may spread laterally during the experiment. Each variant was launched manually, as some don’t play nicely when launched via PowerShell (I’m looking at you, Babuk). We performed a manual observation via RDP to confirm the completion of each test run.

In our lab we also set up a Windows 2019 server to act as the Domain Controller. It did not have any shared drives, but there were no firewall rules on the system or AWS preventing access between it and the initial “victim” system.

And the Winner is...

Before I tell you, just know that our results were close, but not the same as what LockBit found. And know that you can always trust us over a ransomware crew that had a bias going into their tests.

Having said that, LockBit was the fastest again in our tests. But not LockBit 2.0.LockBit 1.0 was actually faster than its newer counterpart. Not by much, but still faster.

Total encryption time:

  • LockBit 1.0: 2 minutes 20 seconds
  • LockBit 2.0: 2 minutes 30 seconds

However, LockBit 2.0 is much more efficient than 1.0, using only half the number of CPU threads, and hitting the disk 27 fewer times. So it does look like LockBit made a number of improvements between those two versions, but not in the realm of overall speed.

LockBit 2.0 still came in right behind 1.0, right? Wrong. The following variant just pipped LockBit 2.0 to come in second place!

  • PwndLocker: 2 minutes and 28 seconds

A brief summary of our results:

  • 1st Place: LockBit 1.0
  • 2nd Place: PwndLocker
  • 3rd Place: LockBit 2.0
  • Last Place: Avos

PwndLocker, LockBit 1.0, and LockBit 2.0 perform similar partial encryption methods, which help speed up encryption.

LockBit 2.0 only encrypts the first 4KB of a file, leaving the remainder untouched. This is still enough to render most files unusable after encryption.

Fig. 2. Screenshot of sample .txt file encrypted by LockBit 2.0 (the first 4KB, in red, was encrypted and the start of the rest, in green, was untouched).

PwndLocker leaves the first 128B unencrypted, proceeds to only encrypt the next 64KB, and leaves the remainder untouched.

Fig. 3. Screenshot of a sample .txt file encrypted by PwndLocker (first 128B unencrypted in green and then encryption of the start of the next 64KB in red).

And our fastest variant, LockBit 1.0, encrypts 256KB of every file very quickly by utilizing a high number of CPU threads along with high disk access rates.

The fastest variants tend to utilize partial encryption methods, more CPU threads, or a combination of the two.

Poor old Avos managed to come last in LockBit’s test as well as ours. Not many of the other results line up between the two sets of tests, though. We’ve added a detailed table of our test results showing encryption statistics at the end of this blog.

Here is the table comparing our test results to those of LockBit.

Variant

Splunk Test Placing

LockBit Test Placing

LockBit 1.0

1

2

PwndLocker

2

15

LockBit 2.0

3

1

Conti

4

19

Babuk 2.0

5

5

SunCrypt

6

17

Sodinokibi

7

6

REvil-A

8

18

Ryuk

9

20

REvil-B

10

33

RansomEXX

11

10

DarkSide-A

12

23

DarkSide-B

13

22

Ragnar

14

7

DarkSide-C

15

31

Cuba

16

3

BlackMatter

17

4

BlackKingdom

18

33

Phoenix

19

29

Ranzy

20

14

MAKOP

21

9

DearCry

22

25

Avaddon

23

12

Pysa

24

11

Hades

25

30

Sekhmet

26

16

MountLocker

27

26

Thanos

28

13

Zeppelin

29

21

MedusaLocker

30

28

Nefilim

31

24

Nemty

32

27

Babuk 1.0

33

32

Avos

34

34

Our lead hypothesis on why the findings don’t line up is that different file types and sizes were used between the two sets of tests. If we knew what dataset LockBit used, we would have more insight into their test results.

Takeaways

After running this experiment, here are some key takeaways and recommendations:

  • Assume that once the ransomware crew gets to the point of encrypting your systems that it’s too late.
  • While LockBit is fast, it isn’t the only ransomware variant capable of extremely fast speeds. Other variants are also making use of partial encryption techniques to speed up their operations.
  • Protect your organization before ransomware is run. Get the basics right (patching, offline backups) along with things that should also now be considered basic cyber hygiene practises (multi-factor authentication, network segmentation, centralized logging).

Conclusion

It was interesting to run the same samples in our tests that LockBit used in their own tests. While the fastest and slowest samples were closely aligned between the tests, the other results were very different. The total time it took to encrypt our test filesystem was still quite fast even in the slowest tests, however, which reiterates our recommendation to look left of boom when prioritizing your network defenses.

Happy Hunting!

Appendix

Encryption statistics for our tests:

Variant

Total_Encryptions

Duration_In_Minutes

Encryptions_Per_Minute

LockBit 1.0

98552

2.33

42297

PwndLocker

98388

2.47

39833

LockBit 2.0

98548

2.5

39419

Conti

98560

3.6

27378

Babuk 2.0

98560

4.63

21287

SunCrypt

95805

4.8

19959

Sodinokibi

98553

5.27

18701

REvil-A

98553

5.32

18525

Ryuk

98384

5.93

16591

REvil-B

98553

9.87

9985

RansomEXX

88192

9.95

8864

DarkSide-A

98553

12.47

7903

DarkSide-B

98553

15.48

6366

Ragnar

98560

16.97

5808

DarkSide-C

98446

23.25

4234

Cuba

98560

23.45

4203

BlackMatter

98553

26.63

3701

BlackKingdom

98560

28.73

3431

Phoenix

98552

29.05

3392

Ranzy

98660

30.3

3256

MAKOP

98560

30.97

3182

DearCry

94537

32.6

2900

Avaddon

98660

37.48

2632

Pysa

97080

39.6

2452

Hades

98552

42

2346

Sekhmet

98560

47.88

2058

MountLocker

98559

49.53

1990

Thanos

93808

53.88

1741

Zeppelin

98046

53.92

1818

MedusaLocker

98560

58.68

1680

Nefilim

98560

60.97

1617

Nemty

98046

99.03

990.1

Babuk 1.0

98560

108.3

910.06

Avos

69360

132.2

524.66

SHA256 File hash values for samples tested:

Variant

SHA256

Avaddon

05af0cf40590aef24b28fa04c6b4998b7ab3b7f26e60c507adb84f3d837778f2

Avos

01792043e07a0db52664c5878b253531b293754dc6fd6a8426899c1a66ddd61f

Babuk 1.0

8203c2f00ecd3ae960cb3247a7d7bfb35e55c38939607c85dbdb5c92f0495fa9

Babuk 2.0

c4282e9040cdc1df92b722568a8b4c42ce9f6533fed0bd34b7fdbae264947784

BlackKingdom

c4aa94c73a50b2deca0401f97e4202337e522be3df629b3ef91e706488b64908

BlackMatter

22d7d67c3af10b1a37f277ebabe2d1eb4fd25afbd6437d4377400e148bcc08d6

Conti

ebeca2df24a55c629cf0ce0d4b703ed632819d8ac101b1b930ec666760036124

Cuba

271ef3c1d022829f0b15f2471d05a28d4786abafd0a9e1e742bde3f6b36872ad

DarkSide-A

243dff06fc80a049f4fb37292f8b8def0fce29768f345c88ee10699e22b0ae60

DarkSide-B

4d9432e8a0ceb64c34b13d550251b8d9478ca784e50105dc0d729490fb861d1a

DarkSide-C

9cee5522a7ca2bfca7cd3d9daba23e9a30deb6205f56c12045839075f7627297

DearCry

2b9838da7edb0decd32b086e47a31e8f5733b5981ad8247a2f9508e232589bff

Hades

fe997a590a68d98f95ac0b6c994ba69c3b2ece9841277b7fecd9dfaa6f589a87

LockBit 1.0

95739e350d7f2aca2c609768ee72ad67fcf05efca5c7ad8df3027c82b9c454cf

LockBit 2.0

e1330fcb0a11f4a3f88ce551726cea82dfc0b4adc71fbfefcfc84f73c1ec8b7f

MAKOP

2b5a3934d3e81fee4654bb1a7288c81af158a6d48a666cf8e379b0492551188f

MedusaLocker

dde3c98b6a370fb8d1785f3134a76cb465cd663db20dffe011da57a4de37aa95

MountLocker

226a723ffb4a91d9950a8b266167c5b354ab0db1dc225578494917fe53867ef2

Nefilim

0bafde9b22d7147de8fdb852bcd529b1730acddc9eb71316b66c180106f777f5

Nemty

a2fe2942436546be34c1f83639f1624cae786ab2a57a29a75f27520792cbf3da

Phoenix

008ec79765325200361d9c93ac35edd430f8b17894ff843268caa5acd6224549

PwndLocker

4e6c191325b37da546e72f4a7334d820995d744bf7bb1a03605adb3ad30ce9ca

Pysa

af99b482eb0b3ff976fa719bf0079da15f62a6c203911655ed93e52ae05c4ac8

Ragnar

9bdd7f965d1c67396afb0a84c78b4d12118ff377db7efdca4a1340933120f376

RansomEXX

4cae449450c07b7aa74314173c7b00d409eabfe22b86859f3b3acedd66010458

Ranzy

c4f72b292750e9332b1f1b9761d5aefc07301bc15edf31adeaf2e608000ec1c9

REvil-A

12d8bfa1aeb557c146b98f069f3456cc8392863a2f4ad938722cd7ca1a773b39

REvil-B

d74f04f0b948d9586629e06e2a2a21bdf20d678e47058afb637414eb3701c1f6

Ryuk

7faeb64c50cd15d036ca259a047d6c62ed491fff3729433fefba0b02c059d5ed

WasSekhmet

b2945f293ee3f68a97cc493774ff1e8818f104fb92ef9dbeead05a32fc7006ff

Sodinokibi

06b323e0b626dc4f051596a39f52c46b35f88ea6f85a56de0fd76ec73c7f3851

SunCrypt

3090bff3d16b0b150444c3bfb196229ba0ab0b6b826fa306803de0192beddb80

Thanos

8a4a038a965ba42a0442d44abf25e4d21f5049d4a4a8aa9cb6691ec4282814a1

Zeppelin

b7f96fbb9844cac5c7f4ec966683f3564bbb9a2f453927e1c579dcb0154f5f83

Authors and Contributors: As always, security at Splunk is a family business. Credit to authors and collaborators: Shannon Davis, Ryan Kovar


Main/top photo by Artem Beliaikin from Pexels

Shannon Davis
Posted by

Shannon Davis

Security practitioner, Melbourne, Australia via Seattle, USA.

TAGS

Truth in Malvertising?

Show All Tags
Show Less Tags

Join the Discussion