Ransomware can encrypt 100,000 files in under 45 minutes
New research from Splunk's SURGe team looks at how quickly ten major ransomware strains, including Lockbit, Revil and Blackmatter, can encrypt 100,000 files.
The research shows that the median ransomware variant can encrypt nearly 100,000 files totaling 53.93GB in 42 minutes and 52 seconds. Encryption speeds vary between ransomware variants though with individual ransomware samples ranging from four minutes to three and a half hours to encrypt the same data.
LockBit, a ransomware-as-a-service (RaaS) offering, is the fastest variant to encrypt on any system with speeds 86 percent faster than the median. The fastest LockBit sample encrypted just under 25K files per minute.
There are also variations dependent on hardware with some samples and variants appearing unable to take advantage of multi-threaded processors. Additional memory didn't appear to have a significant effect on any samples, though higher disk speeds may play a role in faster execution, most likely in combination with a variant that can take advantage of additional CPU cores.
The report's authors warn, "The aim of SURGe's work is to provide everyday defenders actionable knowledge, and our latest research examines an area of study that only ransomware operators seem to have explored. Many security teams focus on mitigation and response when it comes to ransomware infections, however, the encryption speeds we discovered in our report are beyond the capabilities of most organizations. Based on this research, it's safe to say that if an enterprise is hit with a ransomware attack, it may be too late to stop it from spreading."
You can read more on the Splunk blog.