Researchers measured the speed of ransomware

Splunk analysts conducted over 400 tests and measured the speed of various ransomware to determine how fast they encrypt files and assess the ability to respond to such attacks in a timely manner.

The researchers tested the speed of the 10 most common malware families by selecting 10 samples for each family (Avaddon, Babuk, BlackMatter, Conti, DarkSide, LockBit, Maze, Mespinoza, REvil and Ryuk).

The malware was forced to encrypt about 100,000 files with a total size of about 54 GB. The files were stored on four hosts – two running Windows 10 and two running Windows Server 2019. In addition to encryption speed and duration, the researchers also studied how the ransomware uses system resources.

The researchers measured the time it took each malware to encrypt 100,000 files and used the average to calculate the speed of each malware family. The results showed that LockBit was the fastest at 5 minutes 50 seconds (over 25,000 files per minute), followed by Babuk at 6 minutes 34 seconds. The Conti malware encrypted files in just under an hour, while Maze and Mespinoza were the slowest: their result was almost two hours. The average data encryption time is 42 minutes and 52 seconds.

Ransomware speed

“The average duration of encryption demonstrates how limited is the time to respond to a ransomware attack [experts have] when the encryption process is already running. It could be even more limited, considering what a disaster it could be if just one critical file is encrypted, rather than all of the victim’s data. With these numbers, it can be extremely difficult and almost impossible for most organizations to [respond to attacks] or mitigate ransomware attacks once the encryption process has begun,” the researchers note.

The analysis also showed that only some malware uses hardware to speed up the encryption process. The amount of device memory does not appear to have a significant impact on this process, but a faster disk can speed up encryption, although this is most likely when the malware can take full advantage of the CPU.

“Some families showed high efficiency, while others used a large percentage of processor time along with very high disk access speed. However, there is no direct relationship between a sample using more system resources with a higher encryption speed. Some families of ransomware performed worse or even crashed when deployed to faster test systems,” the report notes.

Let me remind you that we also reported that a NetWalker ransomware operator was sentenced to seven years in prison, and that Trickbot ransomware wanted to open offices in St. Petersburg.


Daniel Zimmermann

Daniel Zimmermann has been writing on security and malware subjects for many years and has been working in the security industry for over 10 years. Daniel was educated at the Saarland University in Saarbrücken, Germany and currently lives in New York.
