<div dir="ltr"><a href="https://ia.acs.org.au/article/2022/gone-in-240-seconds--ransomware-speeds-compared.html">https://ia.acs.org.au/article/2022/gone-in-240-seconds--ransomware-speeds-compared.html</a><br><div><span id="gmail-docs-internal-guid-f95f6466-7fff-35d9-3b06-9f7e83441e3a"><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11.5pt;font-family:Arial;color:rgb(51,51,51);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">Gone in 240 seconds: ransomware speeds compared</span></p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11.5pt;font-family:Arial;color:rgb(51,51,51);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">You have just minutes to react before your data is lost.</span></p><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11.5pt;font-family:Arial;color:rgb(51,51,51);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">By David Braue on Apr 07 2022 11:50 AM</span></p><br><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11.5pt;font-family:Arial;color:rgb(51,51,51);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">Some ransomware can infect all your files in as little as four minutes. 
</span></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11.5pt;font-family:Arial;color:rgb(51,51,51);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">The most-effective ransomware strains can encrypt nearly 100,000 files in just four minutes, researchers have found during controlled tests.</span></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11.5pt;font-family:Arial;color:rgb(51,51,51);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">The median time for all files to be encrypted is 42 minutes – leaving victims little time to act.</span></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11.5pt;font-family:Arial;color:rgb(51,51,51);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">The empirical analysis, conducted by Splunk’s Surge security team in a tightly controlled environment, timed how long it took 10 common variants of ransomware to infect 53GB of files on four Windows 10 and Windows Server 2019 systems set up to simulate 10 different CPU and memory configurations.</span></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11.5pt;font-family:Arial;color:rgb(51,51,51);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">Each scenario was run 10 times, providing 100 measurements of total time to encrypt (TTE) that confirmed companies suffering a ransomware attack had anywhere from 4 minutes to 3½ hours before all of their files were rendered inaccessible by the ransomware.</span></p><br><p dir="ltr" 
style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11.5pt;font-family:Arial;color:rgb(51,51,51);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">Variations in technical specifications such as processor speed or number of CPU cores could impact TTE.</span></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11.5pt;font-family:Arial;color:rgb(51,51,51);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">However, this impact was “inconsistent,” the group said, “implying that some ransomware was single-threaded or minimally able to take advantage of additional resources…. At times they performed worse on the systems with higher specifications.”</span></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11.5pt;font-family:Arial;color:rgb(51,51,51);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">In other words, just because ransomware infects your most powerful systems doesn’t mean it’s going to compromise your files faster.</span></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11.5pt;font-family:Arial;color:rgb(51,51,51);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">Overall, the researchers found, the fastest strain of ransomware was LockBit – with a median encryption time of 5 minutes 50 seconds – followed closely by Babuk (6:34).</span></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span 
style="font-size:11.5pt;font-family:Arial;color:rgb(51,51,51);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">Other rapidly acting strains included Avaddon (13:15), Ryuk (14:30) and REvil (24:16) – which re-emerged last September and was taken down by the FBI late last year – while BlackMatter (43:03), Darkside (44:52) and Conti (59:34) offered victims more time before their files were lost.</span></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11.5pt;font-family:Arial;color:rgb(51,51,51);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">The slowest ransomware families were Maze and Mespinoza (PYSA), which both took just over 1 hour 54 minutes before the encryption was complete.</span></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11.5pt;font-family:Arial;color:rgb(51,51,51);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">Not long to react</span></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11.5pt;font-family:Arial;color:rgb(51,51,51);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">The Russian-developed LockBit strain was first detected in 2019 but has proven to be particularly long-lived, with an update last year adding new features as its authors began offering cash rewards to company employees willing to install the malware within their businesses.</span></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span 
style="font-size:11.5pt;font-family:Arial;color:rgb(51,51,51);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">Splunk’s findings validated performance claims by the malware’s authors, confirming that their approach of only encrypting the first 4KB of each file has boosted overall performance considerably.</span></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11.5pt;font-family:Arial;color:rgb(51,51,51);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">Optimised ransomware performance poses problems for victims, the analysis said, noting that “this narrow timeline provides a limited window for organisations to effectively respond before encryption is complete.”</span></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11.5pt;font-family:Arial;color:rgb(51,51,51);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">“This can prove even more limiting considering that the catastrophic apex may be when a single critical file is encrypted, rather than the whole of the victim’s data.”</span></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11.5pt;font-family:Arial;color:rgb(51,51,51);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">“With such factors in play, it may prove to be extremely difficult, if not impossible, for the majority of organisations to mitigate a ransomware attack once the encryption process begins.”</span></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span 
style="font-size:11.5pt;font-family:Arial;color:rgb(51,51,51);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">A host of security vendors have worked to simplify the detection and response to ransomware, developing tools that monitor systems for file changes and instantly begin rolling back the changes to counteract the actions of the ransomware as it infects the environment.</span></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11.5pt;font-family:Arial;color:rgb(51,51,51);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">“When ransomware strikes, it is important that you don’t let panic set in,” Joshua Robinson, technical marketing architect at backup and ransomware recovery firm Rubrik, noted during a recent webinar on ransomware recovery strategies.</span></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11.5pt;font-family:Arial;color:rgb(51,51,51);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">“There are multiple streams of investigation going on, trying to identify how the infection got in and what data have been compromised – and if you’re lucky, you might have your CEO breathing down your neck as well.”</span></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11.5pt;font-family:Arial;color:rgb(51,51,51);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">“We all like to think that it won’t happen to us,” added Rubrik technical marketing architect Kevin Johnson, “but the reality is that ransomware is getting more and more sophisticated – so it’s important that we have plans 
in place to deal with a breach if the worst were to happen.”</span></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11.5pt;font-family:Arial;color:rgb(51,51,51);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">Even an accidental ransomware infection can snowball into a major business event – as automotive giant Toyota found last month, when 28 production lines across 14 Japanese manufacturing plants were paused after what security experts believe was a run-of-the-mill ransomware attack.</span></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11.5pt;font-family:Arial;color:rgb(51,51,51);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">“This shutdown of a third of Toyota’s global production should serve as a stark reminder on the complexities of our supply chains, how interdependent these systems are on each other, and the dangers criminals pose to society when they detonate malware in targeted systems,” said Chris Grove, product director with operational-security firm Nozomi Networks.</span></p><br><p dir="ltr" style="line-height:1.38;margin-top:0pt;margin-bottom:0pt"><span style="font-size:11.5pt;font-family:Arial;color:rgb(51,51,51);background-color:transparent;font-variant-numeric:normal;font-variant-east-asian:normal;vertical-align:baseline;white-space:pre-wrap">“Ransomware operators may believe they're hitting an isolated, insignificant victim, but the reality is they don't really know, or understand, the ecosystem they're impacting.”</span></p></span><br class="gmail-Apple-interchange-newline"></div></div>
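<p>The article notes that LockBit encrypts only the first 4KB of each file. The sketch below is an added example (not from the article or from Splunk's research) of one way a responder could triage files for that pattern, by comparing the byte entropy of the first 4KB with the 4KB that follows; the thresholds, function names and in-memory sample files are assumptions constructed for illustration.</p>

```python
import math
import random
from collections import Counter

HEAD = 4096  # the 4KB prefix the article says LockBit encrypts

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty input, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def head_only_encrypted(blob: bytes, high: float = 7.5, gap: float = 1.5) -> bool:
    """True when the first 4KB looks random and the next 4KB does not.

    `high` and `gap` are assumed thresholds for this sketch, not tuned values.
    Fully compressed or fully encrypted files have no head/tail gap, so they
    are not flagged; they need a different check.
    """
    head, tail = blob[:HEAD], blob[HEAD:2 * HEAD]
    if len(tail) < 256:  # too little data after the head to compare against
        return False
    h_head, h_tail = entropy(head), entropy(tail)
    return h_head >= high and (h_head - h_tail) >= gap

def constructed_samples() -> dict:
    """Constructed in-memory files; no real malware or user data involved."""
    rng = random.Random(0)  # fixed seed so the sample bytes are reproducible
    text = b"quarterly report: revenue, cost, margin, forecast\n" * 400
    noise = bytes(rng.getrandbits(8) for _ in range(len(text)))
    return {
        "plain.txt": text,                           # untouched document
        "archive.zip": noise,                        # stands in for compressed data
        "partial.docx": noise[:HEAD] + text[HEAD:],  # only the head overwritten
        "tiny.cfg": text[:1000],                     # shorter than the 4KB head
    }

def scan(files: dict) -> list:
    """Return the names of files matching the head-only pattern."""
    return sorted(n for n, blob in files.items() if head_only_encrypted(blob))

if __name__ == "__main__":
    print(scan(constructed_samples()))
```

<p>A hit is a triage signal rather than proof of encryption, and files of 4KB or less cannot be judged this way because they have no unencrypted remainder to compare against.</p>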