How fast does ransomware encrypt files?

Information security

By Ron Burrows. Published 2 years ago. 3 min read.

Once ransomware starts encrypting, the user has only 43 minutes to mitigate the attack.

The figure comes from Splunk, a security monitoring and data analysis provider, which measured how fast 10 ransomware variants could encrypt data.

The company ran the 10 ransomware variants on four hosts, in Windows 10 and Windows Server 2019 environments, and measured how quickly each one encrypted nearly 100,000 files (totaling nearly 53 GB).

The median encryption time across these ransomware variants was 43 minutes. LockBit was the fastest, taking only 4 minutes; LockBit samples can encrypt 25,000 files per minute.

The slowest variants, however, took 3.5 hours, a significant gap from LockBit. Ordered from fastest to slowest, the tested variants were: LockBit, Babuk, Avaddon, Ryuk, REvil, BlackMatter, DarkSide, Conti, Maze, Mespinoza (Pysa).

The test results show that once encryption begins, the time window for responding to a ransomware attack is very limited. Because the greatest harm may come from the encryption of a few critical files rather than all of the data, the window may be even shorter in practice than the measured times.

Given these factors, once the encryption process begins, most enterprises may find it difficult to mitigate a ransomware attack.

Enterprises must therefore detect ransomware intrusions earlier to limit the impact of attacks, and pay more attention to prevention.
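To make the time pressure concrete, here is an added example (not from Splunk's study or the original article) that flags a process rewriting many distinct files inside a sliding window and estimates how much response time is left at a given rate. The event format, the 60-second window, the threshold of 200 files and the sample telemetry are all assumptions.

```python
from collections import defaultdict, deque

WINDOW_S = 60      # sliding window length, seconds (assumed)
THRESHOLD = 200    # assumed alert level: distinct files rewritten per window

def detect_bursts(events, window_s=WINDOW_S, threshold=THRESHOLD):
    """events: (ts_seconds, pid, path) tuples sorted by time.
    Returns {pid: (alert_ts, distinct_files_in_window)} at the first crossing."""
    recent = defaultdict(deque)                   # pid -> (ts, path) still in window
    seen = defaultdict(lambda: defaultdict(int))  # pid -> path -> hits in window
    alerts = {}
    for ts, pid, path in events:
        q, c = recent[pid], seen[pid]
        q.append((ts, path))
        c[path] += 1
        while q[0][0] <= ts - window_s:           # expire events older than the window
            _, old = q.popleft()
            c[old] -= 1
            if c[old] == 0:
                del c[old]
        # Count distinct paths, so repeated saves of one file never trigger.
        if pid not in alerts and len(c) >= threshold:
            alerts[pid] = (ts, len(c))
    return alerts

def minutes_remaining(files_at_risk, files_done, files_per_min):
    """Response window left if the observed rate holds."""
    if files_per_min <= 0:
        return float("inf")
    return max(files_at_risk - files_done, 0) / files_per_min

def sample_events():
    """Constructed telemetry: pid 4242 rewrites 10 new files per second for a
    minute; pid 1000 saves the same document 300 times."""
    bulk = [(i / 10, 4242, f"C:/share/file{i}.docx") for i in range(600)]
    editor = [(i / 5, 1000, "C:/users/a/draft.docx") for i in range(300)]
    return sorted(bulk + editor)

if __name__ == "__main__":
    for pid, (ts, n) in detect_bursts(sample_events()).items():
        print(f"pid {pid}: {n} distinct files within {WINDOW_S}s at t={ts}s")
    # The article's figures: about 100,000 files at 25,000 files per minute.
    print(minutes_remaining(100_000, 0, 25_000), "minutes at the LockBit rate")
```
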

As attack techniques and extortion methods keep evolving, traditional security measures can no longer effectively resist ransomware attacks. For example, the traditional security strategy is based on signatures and rules, and ransomware is mainly handled through a cycle of "capture samples, analyze and process, upgrade and update". This cycle leaves a window in which the ransomware can spread and cause damage.

Traditional backup and disaster recovery systems can back up and restore data well, but they cannot judge whether the recovery data is usable and safe after a ransomware attack. If the protected system has already been attacked and contains a large number of damaged files, blindly completing the backup or disaster recovery task means restoring "dirty data", which only widens the scope of infection.
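One way to gate a backup job against "dirty data", as an added example that is not from the original article: compare the new snapshot with the last known-good manifest and halt when too many files changed from low-entropy to high-entropy content. The thresholds, function names and sample files are assumptions, and the sample data is constructed.

```python
import hashlib
import math
from collections import Counter

ENTROPY_HIGH = 7.5       # assumed cut-off, bits per byte: encrypted or compressed content
MAX_SUSPECT_RATIO = 0.2  # assumed policy: halt when over 20% of files flip to high entropy

def shannon_entropy(data: bytes) -> float:
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def manifest(files: dict) -> dict:
    """Snapshot {path: bytes} -> {path: (sha256 hex, entropy)}."""
    return {p: (hashlib.sha256(b).hexdigest(), shannon_entropy(b)) for p, b in files.items()}

def backup_gate(previous: dict, current: dict):
    """A file is suspect when its content changed and its entropy moved from
    below the cut-off to at or above it. Returns (decision, suspect paths)."""
    suspects = sorted(
        p for p, (digest, ent) in current.items()
        if p in previous and previous[p][0] != digest
        and previous[p][1] < ENTROPY_HIGH <= ent)
    ratio = len(suspects) / max(len(previous), 1)
    return ("halt" if ratio > MAX_SUSPECT_RATIO else "proceed"), suspects

def pseudo_ciphertext(seed: bytes, size: int = 4096) -> bytes:
    """Constructed stand-in for encrypted bytes: a SHA-256 counter stream."""
    return b"".join(hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
                    for i in range(size // 32))

def sample_snapshots():
    """Constructed data: a known-good snapshot, one with a normal edit, one encrypted."""
    good = {f"docs/report{i}.txt": (f"Quarterly report {i}\n" * 200).encode() for i in range(8)}
    good["docs/notes.txt"] = b"meeting notes\n" * 300
    good["media/archive.zip"] = pseudo_ciphertext(b"zip")   # high entropy when healthy
    edited = dict(good, **{"docs/notes.txt": b"meeting notes, revised\n" * 300})
    hit = dict(good)
    for i in range(8):
        hit[f"docs/report{i}.txt"] = pseudo_ciphertext(f"key{i}".encode())
    return good, edited, hit

if __name__ == "__main__":
    good, edited, hit = sample_snapshots()
    print(backup_gate(manifest(good), manifest(edited)))   # normal edit: proceed
    print(backup_gate(manifest(good), manifest(hit)))      # mass entropy flip: halt
```

Files that were already high-entropy in the known-good snapshot (archives, media) never count as suspects here, so this check needs a second signal, such as the share of files whose hash changed, to cover them.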

To defend against ransomware attacks, enterprises need to shift security left along the cyber kill chain and detect and block ransomware at the delivery or deployment stage, rather than taking action at a later stage.

As things stand, however, most enterprises are far from achieving such fast detection and response. According to the M-Trends report, the average dwell time of ransomware is only three days. This increases the pressure on enterprises defending against ransomware.

On the other hand, if network defenders can quickly detect and remediate an intrusion in its initial stage, it is possible to avoid significant losses and the cost of a ransomware infection.

The 2021 ransomware survey report released by Fortinet shows that remote workers and their mobile devices are the weakness respondents worry about most when it comes to ransomware attacks. As a result, traditional methods such as Web security gateways, VPN and network access control were the top choices for dealing with ransomware attacks. More intelligent and effective emerging technologies, such as zero trust network access (ZTNA), user and entity behavior analytics (UEBA), sandboxing and SD-WAN, can effectively block the lateral movement of ransomware and more accurately identify intruders and ransomware variants, yet enterprises have not given them due attention.

Defending against new ransomware threats therefore requires a comprehensive, integrated security solution. Fortinet believes that security tools should be chosen for their ability to detect malicious payloads before delivery, to prevent known and unknown threats, and to respond to active threats in real time, but most enterprises' understanding of this still falls well short.
