In speed tests of multiple binaries of multiple brands of ransomware, across different hardware and operating system configurations, a new Splunk report determined ransomware is very fast.
With a system of 98,561 files measuring 53.83 GB across 100 directories, the typical ransomware took only around 42 minutes to complete. If you removed two abnormally slow variants (Maze and Mespinoza, only the latter of which is still actively updated), that median rate drops to under half an hour.
That may be too quick for responders to be able to address an attack as it happens, said Ryan Kovar, who heads Splunk's SURGe research group that conducted the study.
"If I'm looking at where to spend time, you know, maybe before the study I said everything is created equally. Now I'm able to say we might want to really focus left of boom because we can have a much bigger impact than detecting just when something executes," he said.
| Family | Median Duration (H:M:S) |
|---|---|
| Average of the medians | 00:42:52 |
The study took times from 10 versions of each ransomware, sometimes to wildly differing results. Babuk, whose median time to complete was 6 minutes, 30 seconds, had one test take over three hours to complete, the longest of any strain.
The difference, said Kovar, may come down to the ebbs and flows of the software development lifecycle.
"One of the things I really enjoyed about this, it was kind of like finding out that they suffer the same software development issues we do. It's like finding out celebrities are just like us at home — you know, look! They shop at Tesco!" he said.
While all the varieties have been operational recently, ransomware has a high rate of turnover, and many are now defunct. Avaddon, REvil, BlackMatter and Darkside, all of which performed well in the testing, are no longer in business. In fact, BlackMatter is a rebranding of Darkside with mild updates, which possibly explains why the two performed at similar speeds.
That does not mean that what is gone can be forgotten. BlackMatter/Darkside has re-emerged as ALPHV (more pronounceably nicknamed Black Cat). Mandiant has reported seeing rebranded versions of Avaddon since that group suddenly pulled up stakes.
In the Splunk testing, it would be hard to guess which groups are active or inactive based on speed. One reason for the wild variations comes from ransomware strategy. Where some ransomware encrypts the entire file, ransomware like LockBit only encrypts the beginning of a file. Kovar compares it to the difference between slashing someone's tires and blowing up a car. One is more thorough, but the car does not drive either way.
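The partial-encryption strategy described above (overwriting only the start of a file) is exactly the case that a naive "is the whole file high-entropy?" check misses. The following is an added example, not code from Splunk's study or from any of the ransomware families it tested: it compares the Shannon entropy of a file's leading chunk with the remainder, so that a file whose header has been replaced by ciphertext is flagged alongside a fully encrypted one. The 4096-byte head size, the 7.5 bits-per-byte threshold and all sample data are constructed assumptions for illustration.

```python
"""Head-versus-tail entropy check for fully and partially encrypted files.

Added example (not Splunk's code and not from any ransomware sample): a
defender's heuristic for spotting files whose leading bytes have been
overwritten with ciphertext while the rest is untouched. All inputs are
constructed in memory so the script runs offline.
"""
import math
import random
from collections import Counter

HEAD_BYTES = 4096      # assumed size of the "beginning" a partial encryptor rewrites
HIGH_ENTROPY = 7.5     # assumed threshold in bits/byte; uniform random data approaches 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify(data: bytes, head_bytes: int = HEAD_BYTES,
             threshold: float = HIGH_ENTROPY) -> str:
    """Return 'plain', 'partial' or 'full'.

    'partial' means the head looks like ciphertext but the tail still looks
    like ordinary content, the signature of a header-only encryptor.
    """
    head, tail = data[:head_bytes], data[head_bytes:]
    head_high = shannon_entropy(head) >= threshold
    # A file shorter than the head window has no tail; judge it by its head alone.
    tail_high = shannon_entropy(tail) >= threshold if tail else head_high
    if head_high and tail_high:
        return "full"
    if head_high:
        return "partial"
    return "plain"


def classify_file(path: str) -> str:
    """Classify a file on disk with the same head/tail heuristic."""
    with open(path, "rb") as fh:
        return classify(fh.read())


def build_samples() -> dict:
    """Constructed test inputs: untouched text, header-only ciphertext, full ciphertext."""
    rnd = random.Random(1234)  # seeded so the samples are reproducible
    # Constructed low-entropy "document": repeated English text, ~69 KB.
    plain = b"The quarterly report lists revenue, expenses and headcount by region.\n" * 1000
    # Stand-in for ciphertext: uniformly random bytes (no real cipher is involved).
    full = rnd.randbytes(len(plain))
    # Header-only overwrite: first HEAD_BYTES replaced, remainder of the document intact.
    partial = rnd.randbytes(HEAD_BYTES) + plain[HEAD_BYTES:]
    return {"plain": plain, "partial": partial, "full": full}


if __name__ == "__main__":
    for name, blob in build_samples().items():
        head_e = shannon_entropy(blob[:HEAD_BYTES])
        tail_e = shannon_entropy(blob[HEAD_BYTES:])
        print(f"{name:8s} head={head_e:.2f} tail={tail_e:.2f} -> {classify(blob)}")
```

Entropy alone is a coarse signal: already-compressed formats (ZIP, JPEG, PDF streams) score near 8.0 bits per byte when untouched, so in practice the threshold should be baselined per file type and combined with other evidence such as changed magic bytes, renamed extensions and a burst of modification events, rather than used as a standalone verdict.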
The Splunk tests ran on both Windows 10- and Server 2019-based AWS machines with different hardware configurations. Researchers were surprised to find that the hardware had little impact on speed. Ransomware was not built to handle multithreading, and in one case faster hardware appeared to cause ransomware to crash.
Splunk notes that LockBit's speed is in line with the ransomware group's dark net sales page. "Truth in advertising, I guess," said Kovar.
Throughout testing, Splunk amassed 200 gigabytes of data that it plans to release to the research community at its annual ".conf" event this summer.
"One fun thing about this work is we have now created this very interesting testing harness, and we are looking at continuing research for any new ransomware variants that come out to test against our baseline of samples," said Kovar.
"I think I saw the news the other week that LockBit 3.0 is about to be released. The guys are looking forward to seeing if it's any faster than 1.0 and 2.0."