Splunk researchers put 10 ransomware variants to a speed test to help network defenders improve their security strategies. The analysts measured total time to encrypt and found that LockBit’s claims to be the fastest were true. The ransomware variant encrypted the 53GB sample file in five minutes and fifty seconds.
Splunk’s SURGe team shared these findings in a new report, “An Empirically Comparative Analysis of Ransomware Binaries.” Splunk is an open, extensible data platform that collects and analyzes data across an organization for security, IT and operations teams.
The experiment measured the speed at which 10 variants of popular ransomware malware encrypted nearly 100,000 files across different Windows operating systems and hardware specifications. The project also examined how the ransomware utilized system resources like processor, memory and disk. The median total time to encrypt was 42 minutes and 52 seconds across all 10 families.
The problem is clear, as the Splunk analysts state bluntly: “Forty-three minutes is an extremely limited window of opportunity for mitigation, especially considering that the average time to detect compromise is three days, as the Mandiant M-Trends report found.” The Splunk team quantified the total time to encrypt to give network defenders more knowledge and the ability to move “left of boom,” or in a proactive way to strengthen defenses ahead of an attack.
How the speed test worked
Here is how the Splunk researchers set up the experiment:
“…we created a modified version of the Splunk Attack Range lab environment to execute 10 samples of each of the 10 ransomware variants on four hosts. Two hosts ran the operating system Windows 10 and the other two hosts ran Windows Server 2019. … We assigned each host ‘high’ or ‘mid’ level resources to test how ransomware would behave with different processors, memory, and hard drive configurations. We enabled Windows logging on each host to collect, synthesize, and analyze the data in Splunk.”
The median total time to encrypt was 42 minutes and 52 seconds, but the fastest families finished in a fraction of that. Total time to encrypt per family, fastest first:
- LockBit: 05:50
- Babuk: 06:34
- Avaddon: 13:15
- Ryuk: 14:30
- REvil: 24:16
- BlackMatter: 43:03
- DarkSide: 44:52
- Conti: 59:34
- Maze: 01:54:33
- Mespinoza (PYSA): 01:54:54
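To turn those figures into something a detection engineer can act on, the following Python is an added illustration (it is not code from the article or from the SURGe report). It converts the listed times into an approximate files-per-second throughput and a detection budget, then runs a simple per-process file-write burst detector over constructed Sysmon-style events. It assumes roughly 100,000 files per host and a constant encryption rate; the article gives neither figure precisely, and the window and threshold values are illustrative starting points rather than tuned settings.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Per-family total time to encrypt, as listed above (mm:ss or hh:mm:ss).
TIME_TO_ENCRYPT = {
    "LockBit": "05:50", "Babuk": "06:34", "Avaddon": "13:15", "Ryuk": "14:30",
    "REvil": "24:16", "BlackMatter": "43:03", "DarkSide": "44:52",
    "Conti": "59:34", "Maze": "01:54:33", "Mespinoza (PYSA)": "01:54:54",
}

# Assumption: about 100,000 files per host, approximating the article's
# "nearly 100,000 files", and encryption proceeding at a constant rate.
FILES_PER_HOST = 100_000


def to_seconds(clock):
    """Parse 'mm:ss' or 'hh:mm:ss' into a number of seconds."""
    parts = [int(p) for p in clock.split(":")]
    while len(parts) < 3:
        parts.insert(0, 0)
    hours, minutes, seconds = parts
    return hours * 3600 + minutes * 60 + seconds


def files_per_second(family, files=FILES_PER_HOST):
    """Approximate encryption throughput implied by the family's total time."""
    return files / to_seconds(TIME_TO_ENCRYPT[family])


def seconds_until_fraction_lost(family, fraction, files=FILES_PER_HOST):
    """Detection budget: seconds until `fraction` of the corpus is encrypted."""
    return to_seconds(TIME_TO_ENCRYPT[family]) * fraction


# Constructed Sysmon-style FileCreate events (timestamp, pid, image, path);
# these are not real telemetry.
BASE_TIME = datetime(2024, 1, 1, 10, 0, 0, tzinfo=timezone.utc)


def make_events():
    events = []
    # Benign: an editor saving a handful of documents over a minute.
    for i in range(5):
        events.append((BASE_TIME + timedelta(seconds=12 * i), 1200,
                       "winword.exe", f"C:\\Users\\a\\Documents\\note{i}.docx"))
    # Suspicious: an unknown binary rewriting 300 files in two seconds, close to
    # the ~285 files/s implied by LockBit's 05:50 over 100,000 files.
    for i in range(300):
        events.append((BASE_TIME + timedelta(seconds=30, microseconds=i * 6667), 4321,
                       "enc.exe", f"C:\\Users\\a\\Documents\\file{i}.docx.locked"))
    return events


def detect_bursts(events, window_seconds=10, threshold=100):
    """Sliding-window count of file writes per process.

    Returns {pid: (image, first alert timestamp)} for every process that
    wrote at least `threshold` files within any `window_seconds` window.
    """
    alerts = {}
    windows = defaultdict(deque)
    for ts, pid, image, _path in sorted(events, key=lambda e: e[0]):
        q = windows[pid]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold and pid not in alerts:
            alerts[pid] = (image, ts)
    return alerts


if __name__ == "__main__":
    for family in TIME_TO_ENCRYPT:
        print(f"{family:18s} ~{files_per_second(family):6.1f} files/s, "
              f"1% of corpus gone after {seconds_until_fraction_lost(family, 0.01):6.1f} s")
    for pid, (image, ts) in detect_bursts(make_events()).items():
        print(f"ALERT pid={pid} image={image} at {ts.isoformat()}")
```

The budget calculation is the part worth dwelling on: at LockBit's pace, one percent of the corpus is gone after a few seconds, so a detector that aggregates in one-minute buckets has already lost most of the window the article describes. The burst detector keys on write rate per process rather than on a file extension, so it does not depend on recognising a particular family.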
Strengths and weaknesses within ransomware families
Splunk analysts also wanted to quantify the encryption speed of each individual sample, not just the median speed and duration across each family of malware. The researchers found some families were efficient, while others consumed large percentages of CPU time and showed very high disk access rates. Results varied within a family as well: a single Babuk sample was the slowest sample tested individually, yet the Babuk family as a whole was the second fastest overall. In their analysis, the researchers noted that “there was no direct correlation between a sample using a larger amount of system resources with a faster encryption speed. Some ransomware families performed worse, or even crashed, when deployed on the faster test systems.”
Splunk’s SURGe team conducted the research. The research group studies malware, responds to attacks and educates IT and security professionals about cyberthreats. SURGe provides organizations with technical guidance during high-profile, time-sensitive cyberattacks via response guides, research papers, conference presentations and webinars.