[BreachExchange] Gone in 240 seconds: ransomware speeds compared

Thu Apr 7 08:02:42 EDT 2022

https://ia.acs.org.au/article/2022/gone-in-240-seconds--ransomware-speeds-compared.html

Gone in 240 seconds: ransomware speeds compared

You have just minutes to react before your data is lost.

By David Braue on Apr 07 2022 11:50 AM

Some ransomware can infect all your files in as little as four minutes.

The most-effective ransomware strains can encrypt nearly 100,000 files in
just four minutes, researchers have found during controlled tests.

The median time for all files to be encrypted is 42 minutes – leaving
victims little time to act.

The empirical analysis, conducted by Splunk’s Surge security team in a
tightly controlled environment, timed how long it took 10 common variants
of ransomware to infect 53GB of files on four Windows 10 and Windows Server
2019 systems set up to simulate 10 different CPU and memory configurations.

Each scenario was run 10 times, providing 100 measurements of total time to
encrypt (TTE) that confirmed companies suffering a ransomware attack had
anywhere from 4 minutes to 3½ hours before all of their files were rendered
inaccessible by the ransomware.

Variations in technical specifications such as processor speed or number of
CPU cores could impact TTE.

However, this impact was “inconsistent,” the group said, “implying that
some ransomware was single-threaded or minimally able to take advantage of
additional resources…. At times they performed worse on the systems with
higher specifications.”

In other words, just because ransomware infects your most powerful systems
doesn’t mean it’s going to compromise your files faster.

Overall, the researchers found, the fastest strain of ransomware was
LockBit – with a median encryption time of 5 minutes 50 seconds – followed
closely by Babuk (6:34).

Other rapidly-acting strains included Avaddon (13:15), Ryuk (14:30) and
Revil (24:16) – which re-emerged last September and was taken down by the
FBI late last year – while BlackMatter (43:03), Darkside (44:52) and Conti
(59:34) offered victims more time before their files were lost.

The slowest ransomware families were Maze and Mespinoza (PYSA), which both
took just over 1 hour 54 minutes before the encryption was complete.

Not long to react

The Russian-developed LockBit strain was first detected in 2019 but has
proven to be particularly long-lived, with an update last year adding new
features as its authors began offering cash rewards to company employees
willing to install the malware within their businesses.

Splunk’s findings validated performance claims by the malware’s authors,
confirming that their approach of only encrypting the first 4KB of each
file has boosted overall performance considerably.

Optimised ransomware performance poses problems for victims, the analysis
said, noting that “this narrow timeline provides a limited window for
organisations to effectively respond before encryption is complete.”

“This can prove even more limiting considering that the catastrophic apex
may be when a single critical file is encrypted, rather than the whole of
the victim’s data.”

“With such factors in play, it may prove to be extremely difficult, if not
impossible, for the majority of organisations to mitigate a ransomware
attack once the encryption process begins.”

A host of security vendors have worked to simplify the detection and
response to ransomware, developing tools that monitor systems for file
changes and instantly begin rolling back the changes to counteract the
actions of the ransomware as it infects the environment.

“When ransomware strikes, it is important that you don’t let panic set in,”
Joshua Robinson, technical marketing architect at backup and ransomware
recovery firm Rubrik, noted during a recent webinar on ransomware recovery
strategies.

“There are multiple streams of investigation going on, trying to identify
how the infection got in and what data have been compromised – and if
you’re lucky, you might have your CEO breathing down your neck as well.”

“We all like to think that it won’t happen to us,” added Rubrik technical
marketing architect Kevin Johnson, “but the reality is that ransomware is
getting more and more sophisticated – so it’s important that we have plans
in place to deal with a breach if the worst were to happen.”

Even an accidental ransomware infection can snowball into a major business
event – as automotive giant Toyota found last month, when 28 production
lines across 14 Japanese manufacturing plants were paused after what
security experts believe was a run-of-the-mill ransomware attack.

“This shutdown of a third of Toyota’s global production should serve as a
stark reminder on the complexities of our supply chains, how interdependent
these systems are on each other, and the dangers criminals pose to society
when they detonate malware in targeted systems,” said Chris Grove, product
director with operational-security firm Nozomi Networks.

“Ransomware operators may believe they're hitting an isolated,
insignificant victim, but the reality is they don't really know, or
understand, the ecosystem they're impacting.”
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20220407/4cb35661/attachment.html>