Gone in 52 Seconds…and 42 Minutes: A Comparative Analysis of Ransomware Encryption Speed

Do you feel like every other cybersecurity news story mentioned ransomware in 2021? We feel the same way, and as a cybersecurity vendor, we felt that we should also contribute to the noise. :-)

But we did want to try and do something different.

On top of Splunk’s numerous ransomware detections from our threat research team, we wanted to use Splunk to see if we could add some refinement and knowledge to the ransomware clamor. We decided to measure how fast ransomware encrypts files; not just one or two ransomware binaries, but dozens of them — all using Splunk.

Why? Well, partly because we have an unlimited Splunk license, but also because we couldn’t find the answer to the question: “How long do you have until ransomware encrypts your systems?” This seems like knowledge that organizations could use to organize their defenses. If organizations have more than 20 hours before ransomware finishes encrypting, they might choose to focus on detecting and mitigating ransomware after infection. If ransomware encrypts an entire system in 52 seconds, organizations should probably respond earlier in the ransomware lifecycle. 

In our initial hypothesis, we asserted that if ransomware executes on a system, then it’s too late for an organization to respond effectively. We conducted a literature review of ransomware encryption speed and only uncovered work that was encyclopedic in scope from one of the ransomware groups themselves.

The LockBit group posted a table on their Tor site (Fig. 1) listing encryption speeds for more than 30 ransomware families, showing — perhaps not surprisingly — that LockBit was the fastest. To be fair, I guess that makes sense; you typically don’t release PR pieces that highlight how bad you are. We then looked at dwell time for ransomware intrusions and found that the three-day dwell time cited by Mandiant in their 2021 M-Trends report was fairly representative. This gave us a “how long till people realize they are infected with ransomware” timeframe.

^{Figure 1. LockBit analysis of ransomware encryption speeds among competing ransomware groups.}

Prep Work

We couldn’t leave it to LockBit’s marketing team to only release content like this, so we rolled up our sleeves and got busy building an environment that would allow us to conduct our own ransomware speed tests. We took the great Splunk Attack Range project, created by Splunk’s Threat Research Team, and modified it to fit our needs.

^{Figure 2. Diagram outlining the ransomware environment created using a modified version of Splunk Attack Range.}

We created four different “victim” profiles consisting of Windows 10 and Windows Server 2019 operating systems, each with two different performance specifications benchmarked from customer environments. We then chose 10 different ransomware families and 10 samples from each of those families to test. Figure 3 outlines the families that we tested, along with the Microsoft Defender detection identifiers from VirusTotal.

^{Figure 3. Ransomware families and corresponding Microsoft Defender detection identifiers from VirusTotal.}

We tested every sample across all four host profiles, which amounted to 400 different ransomware runs (10 families x 10 samples per family x 4 profiles). In order to measure the encryption speed, we gathered 98,561 test files (pdf, doc, xls, etc.) from a public file corpus, totaling 53GB. To collect the necessary data, we used a combination of native Windows logging, Windows Perfmon statistics, Microsoft Sysmon, along with Zeek and stoQ for further analysis (that’s content for future blogs, so be patient).

In order to capture the required encryption events, we enabled Object Level Auditing on the 100 directories where our test files lived. This provided us with EventCode 4663 logs that we could use to calculate the Total Time to Encryption (TTE) for each sample. The samples we tested had an Accesses value of DELETE at the end of encrypting each file, which is how we measured encryption speed. Not all ransomware behaves this way, so a search for EventCode=4663 Accesses=DELETE in Splunk may not always return the same results.

The Heist

Just like watching Gone in 60 Seconds (the Nicholas Cage version, of course), you’re on the edge of your seat waiting for the results. Well, here you go.

^{Figure 4. Median ransomware speed measured across 10 ransomware families.}

As you can see, LockBit lived up to its own hype and was the quickest to encrypt of all the ransomware families we tested. We listed the median duration, as some families had one or two samples that would skew the average duration. For example, LockBit had the fastest sample coming in at four minutes and nine seconds (fig. 5). Babuk was a close second but had one sample that was the slowest of all samples tested, which took more than three and a half hours (fig. 6).

^{Figure 5. LockBit had the fastest ransomware sample to encrypt files with a duration of four minutes and nine seconds.} 

^{Figure 6. Babuk had the second fastest median encryption speed but the slowest individual sample, which took more than three and a half hours to encrypt the files.} 

The Getaway

This research is available in a comprehensive whitepaper with more details than what is outlined here (I get in big trouble for going over 800-1,200 words). As I mentioned earlier, there is more research to come out of our data set. We plan to publish the data to the Splunk BOTS Portal in time for .conf22 (June 14-17, 2022). This way, you can investigate the data yourself and possibly uncover details that we may not have noticed during our tests.

Finally, you might ask what this means if you’re a network defender. Well, if we go back to our original hypothesis of ransomware being too fast to defend against once it executes on the victim system, that should give you a hint. Start looking “left of boom,” where boom is the malware detonation, and assess your capabilities to prevent or detect the ransomware group’s behavior. Multi-factor authentication, network segmentation, patching, and centralized logging (couldn’t help myself there) are all very good strategies to bolster your defenses against ransomware or any other malicious actors for that matter (I’m looking at you, Nicholas Cage). And of course, this sort of work is what you can expect from SURGe over the next couple of months and well into the summer. I mean, someone has to talk about ransomware, right?

Happy Hunting!

Authors and Contributors: As always, security at Splunk is a family business. Credit to authors and collaborators: Shannon Davis, Ryan Kovar