The encryption process of LockBit ransomware is the fastest among strains

April 4, 2022

A new study found that LockBit ransomware could encrypt 25k files in under 60 seconds. The window is so short that the ransomware can finish its task before a targeted organisation feels the effect.

Modern ransomware is highly time-sensitive, and time is of the essence for most attacks. That is why threat actors are always looking for ways to speed up their encryption process.

The investigation conducted by the security firm involved ten samples for each of ten ransomware strains. The ransomware families included in the study are DarkSide, REvil, Ryuk, PYSA, Conti, Babuk, Avaddon, BlackMatter, Maze, and LockBit.

The study began by executing these samples on four different hosts: two running Windows 10 and two running Windows 2019.

The researchers then clocked how much time each ransomware strain needed to encrypt approximately 100k files, or about 54 GB of data.

The examination confirmed that LockBit was the fastest of the ransomware families tested, needing only 5.50 minutes to encrypt the 54 GB of data. Babuk came in a close second at 6.34 minutes, beating well-known ransomware such as Conti and REvil.

The popular ransomware Conti did not live up to researchers’ expectations, since it only managed to encrypt all files within an hour. Mespinoza and Maze came last, as the two strains took a couple of hours to encrypt all files.

Experts said some ransomware opts for a slower encryption process in order to maximise certain necessary functions.

The study implied that only some ransomware, like LockBit, takes advantage of capable hardware to increase the encryption speed of its attacks. One factor is storage disk speed, since encryption runs faster when the disk is faster.

The experiment also noted that some ransomware used more system resources, such as CPU time, as part of the overall encryption.

Therefore, the most appropriate defence against such an attack is to identify suspicious activities during the initial access stage or retrieval stage before threat actors launch the ransomware.

All entities should focus more on preventing an attack by identifying the red flags of a ransomware infection. These red flags include unwanted network activity and the presence of tools that threat groups use before initiating an attack.
