Here is how fast threat actors can encrypt your data

There's a growing belief that ransomware has become a global cyber epidemic, with attacks such as those on the Colonial Pipeline being only the tip of a very large iceberg that is affecting countries and sectors worldwide.

Indeed, Somerset County, New Jersey, was recently hit with an attack so severe that it was said to have sent the services it was able to deliver to citizens back to 1977 levels. While so-called GoodWill ransomware has emerged in 2022, whereby victims are forced to donate money and clothes to the needy in return for their systems and data being restored, for most organizations, the consequences are rather more severe.

GoodWill's demands
GoodWill Ransomware: Image of Activity 2 described in detail. Source: CloudSEK

The US Treasury's Financial Crimes Enforcement Network (FinCEN) suggests that around $590 million worth of ransomware-related activity occurred in the first six months of 2021 alone.

While various attempts are underway to try and help organizations protect their systems and keep their data safe, the attackers are showing a frightening level of innovation. A good example was provided by a recent report from Splunk’s cybersecurity research arm SURGe, which highlights the rapid speed with which ransomware attackers can now encrypt data. The report reveals that attackers are currently capable of encrypting around 54GB in just 43 minutes, which is considerable since the typical compromise remains undetected for around three days.

"Utilizing the scientific method in a controlled environment, we measured the speed at which 10 variants of popular ransomware malware encrypted nearly 100,000 files, totaling nearly 53GB, across different Windows operating systems and hardware specifications," the researchers explain.

The average attack

The average attack was capable of encrypting a grand total of 98,561 files in just under 43 minutes, which represents an extremely limited window for any kind of detection, much less mitigation, and is obviously far less time than is typically taken to detect an attack in the first place.

Across the examined sample of attacks, the range of encrypted data extractions took place from a low of four minutes up to a high of three and a half hours. Such a narrow timeline offers organizations and security teams an extremely limited opportunity to provide any kind of meaningful response before the attackers have plundered their bounty and exited the system.

“When comparing identical ransomware strains across systems with different resources, we found some variables could impact TTE, such as processor speeds or CPU cores,” the researchers explain. “However, the impact was inconsistent, implying that some ransomware was single-threaded or minimally able to take advantage of additional resources.”

Faster than expected

The sheer speed with which ransomware was capable of operating came as something of a surprise, but it’s nonetheless clear that some ransomware is capable of operating far faster than others. Despite this variation, however, there was a clear clustering towards the mean for most ransomware applications, with just a few outliers at both the fast and slow ends of the spectrum.

In total, they analyzed 10 families of ransomware with 10 distinct binaries across a range of Windows operating systems with various hardware specifications. This included notable applications, such as DarkSide and REvil, as well as some lesser-known applications. The “ransomware-as-a-service” application LockBit proved to be the fastest and was capable of encrypting around 25,000 files every minute. These results match the claim made on LockBit’s Tor website.

"LockBit ransomware was the fastest variant to encrypt on any system," the researchers continue. "This aligns with previous reports that LockBit only encrypts 4KB of each file, rendering the file unusable and expediting the attack."

Put to the test

The various ransomware applications were tested using a modified form of Splunk’s Attack Range, which provides a testbed for the creation of small networks within AWS. The researchers executed 10 samples of each ransomware across four hosts, two running Windows 10 and two running Windows Server 2019. Each host had just over 98,500 files spread across 100 directories.

A virtual private cloud was created on AWS for each Windows endpoint and resource specification, with the ransomware then run inside that environment via a remote PowerShell script in order to emulate a typical ransomware attack.

As well as slight differences in the speed of encryption, the analysis also found that some ransomware applications were more efficient in their use of system resources, although there appeared to be no real correlation between the level of system resources used and the speed of encryption.

More from Cybernews:

Finance data leak exposes Russian citizens

2 million patients impacted by a cyberattack on a healthcare organization

Emotet variant steals credit card data from Chrome

Ukrainian hack that could allow to spy on Putin

Subscribe to our newsletter

Leave a Reply

Your email address will not be published. Required fields are markedmarked