Security researchers at Splunk Inc. have studied how quickly common forms of ransomware can encrypt 100,000 files, and the results are disturbing for companies trying to respond to and mitigate attacks.
Studying 10 major ransomware strains, including Lockbit, REvil and Blackmatter, the researchers found that the median ransomware variant can encrypt 100,000 files totaling 53.93 gigabytes in 42 minutes and 52 seconds.
But not all ransomware strains are equal. The fastest encryption time recorded was from the infamous Lockbit ransomware, which could encrypt 100,000 files in 5:20 (minutes:seconds), or just under 25,000 files per minute.
Babuk ransomware ranked second, taking 6:34 to encrypt 100,000 files, followed by Avaddon at 12:15, Ryuk at 14:40 and REvil at 24:16. By comparison, the slowest ransomware among the 10 strains studied, Mespinoza (PYSA), took 1:54:54 (hours:minutes:seconds).
The difference in speed is related to how well each ransomware family exploits the hardware of the targeted system. Improved hardware capabilities on targeted systems allowed some ransomware to act rapidly, while other variants were unable to take advantage of the additional resources and at times performed worse on systems with higher specifications.
Memory did not significantly affect the encryption speed for any of the samples. Higher disk speeds were found to play a possible role in faster execution, but likely in combination with a variant that can take advantage of additional processor cores.
The researchers argue that although security teams focus on mitigation and response when it comes to ransomware infections, these encryption speeds outpace the response capabilities of most organizations. They note that, based on this research, by the time an enterprise detects a ransomware attack it may already be too late to stop it from spreading.
“This research demonstrates the need for organizations to move away from response and mitigation, and concentrate on preventing ransomware infections,” the researchers conclude. “Practical steps and strategies organizations can take to prevent infections can include better patching, asset inventory, multifactor authentication and looking for ransomware actors on the network before they deploy their ransomware binaries.”