A new report by Splunk recently revealed that some ransomware variants encrypt files at a staggering rate of 25,000 files per minute. This means that now might be a good time to revisit your threat detection and response strategy. It’s pretty clear that the moment a ransomware starts encrypting files, it's a losing race against time to minimize (not stop) the damage.
How fast do ransomware encrypt files?
Cybersecurity teams have long speculated about how fast ransomware attackers actually encrypt files, as that piece of information could provide valuable insights on how to best devise an appropriate threat mitigation plan. In the recent Splunk report, researchers measured the encryption speed of 100 ransomware samples across 10 ransomware families.
Figure 1. The 10 ransomware families and their respective strains from the Splunk report
The measured encryption times, fastest first, were:
- LockBit: 05:50
- Babuk: 06:34
- Avaddon: 13:15
- Ryuk: 14:30
- Revil: 24:16
- BlackMatter: 43:03
- Darkside: 44:52
- Conti: 59:34
- Maze: 1:54:33
- Mespinoza (PYSA): 1:54:54
The average median encryption time of these ransomware variants for a set of almost 100,000 files that amounted to approximately 54 GB was 42 minutes and 52 seconds, with some ransomware variants taking less than 10 minutes, and others just under 2 hours. LockBit’s fastest time (for one sample) was a mind-boggling 4:09 minutes, or approximately 25,000 files per minute (if only backup solutions worked this fast).
Detection and response is a losing battle
Considering how little time you’re given to respond once a ransomware enters the main stage of an attack—i.e., when it starts encrypting files—it doesn't really make sense anymore to rely solely on detecting the attack and only then responding.
Think of it this way. 95% of ransomware today implement evasion techniques specifically designed to stay undetected by traditional solutions until the execution stage. Once the ransomware executes (starts encrypting files, for example), the clock starts ticking for the EDR to detect the malicious behavior and respond. A really fast reaction would be something under 30 minutes, which, as the encryption times show, is usually too late: devastating damage has already been done.
This is why many detection and response solution providers are putting so much effort into:
- Reducing detection time - EDR vendors know that the faster they detect, the less damage will be done.
- Attack mitigation - Since damage is a given with detection and response solutions, a lot of resources are poured into mitigation efforts, to "roll back" your system to how it was before being ravaged by a threat actor.
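The two numbers above that matter to a defender, the files-per-minute rate implied by each family's time and how much of the file set is already encrypted by the time a response lands, together with the kind of per-process rate check an EDR can run to catch a burst of file writes or renames, as an added example that is not code from the Splunk report or from Minerva. It assumes a simplified, constructed file-event line format (timestamp, pid, image, action, path), roughly what a Sysmon-style file-write feed provides; the window size, threshold and sample event stream are illustrative and constructed.

```python
"""Encryption-rate arithmetic from the Splunk figures quoted above, plus a
per-process burst detector over a constructed file-event stream.

Added example, not from the Splunk report or Minerva. The event format,
window, threshold and sample data are assumptions for illustration only.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Encryption times quoted on the page (mm:ss or h:mm:ss) for the report's
# test set of almost 100,000 files (~54 GB).
REPORT_TIMES = {
    "LockBit": "05:50", "Babuk": "06:34", "Avaddon": "13:15", "Ryuk": "14:30",
    "Revil": "24:16", "BlackMatter": "43:03", "Darkside": "44:52",
    "Conti": "59:34", "Maze": "1:54:33", "Mespinoza (PYSA)": "1:54:54",
}
FILE_COUNT = 100_000


def parse_duration(text):
    """'mm:ss' or 'h:mm:ss' -> whole seconds."""
    parts = [int(p) for p in text.split(":")]
    hours, minutes, seconds = [0] * (3 - len(parts)) + parts
    return hours * 3600 + minutes * 60 + seconds


def files_per_minute(duration_text, file_count=FILE_COUNT):
    """Throughput implied by finishing `file_count` files in `duration_text`."""
    return round(file_count * 60 / parse_duration(duration_text))


def report_rates():
    """Files per minute for every family in the page's table."""
    return {family: files_per_minute(t) for family, t in REPORT_TIMES.items()}


def files_lost_before_response(duration_text, response_seconds, file_count=FILE_COUNT):
    """Files of the test set already encrypted when a response taking
    `response_seconds` completes, capped at the size of the set."""
    return min(file_count, int(file_count * response_seconds / parse_duration(duration_text)))


# --- rate-based detection over a file-event stream (assumed line format) ---
LINE_RE = re.compile(
    r"^(?P<ts>\S+)Z pid=(?P<pid>\d+) image=(?P<image>\S+) action=(?P<action>\w+) path=(?P<path>.+)$"
)


def parse_event(line):
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable event line: {line!r}")
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])  # UTC; the 'Z' is consumed by the regex
    return ev


def detect_bursts(lines, window_seconds=60, threshold=100, actions=("write", "rename")):
    """Sliding-window count of file writes/renames per process.

    Keying by process lets one fast encryptor stand out from many users doing
    ordinary work. Returns the first alert per pid:
    {pid: {"image", "first_seen", "alert_time", "count"}}.
    """
    window = timedelta(seconds=window_seconds)
    recent, first_seen, alerts = defaultdict(deque), {}, {}
    for line in lines:
        ev = parse_event(line)
        if ev["action"] not in actions:
            continue
        pid = ev["pid"]
        first_seen.setdefault(pid, ev["ts"])
        q = recent[pid]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window:  # drop events that fell out of the window
            q.popleft()
        if len(q) >= threshold and pid not in alerts:
            alerts[pid] = {"image": ev["image"], "first_seen": first_seen[pid],
                           "alert_time": ev["ts"], "count": len(q)}
    return alerts


def detection_latency_seconds(alerts, pid):
    """Seconds between a process's first file event and its alert."""
    a = alerts[pid]
    return (a["alert_time"] - a["first_seen"]).total_seconds()


# Constructed sample stream (not real telemetry): a user saving one document
# five times over five minutes, then an unknown process renaming 300 files at
# 150 ms intervals (about 400 files/min, far slower than any family above).
_T0 = datetime(2024, 1, 15, 10, 0, 0)
SAMPLE_LOG = [
    f"{(_T0 + timedelta(minutes=i)).isoformat()}Z pid=1204 image=winword.exe "
    f"action=write path=C:\\Users\\ana\\Q1.docx" for i in range(5)
] + [
    f"{(_T0 + timedelta(minutes=5, milliseconds=150 * i)).isoformat()}Z pid=7733 "
    f"image=unknown.exe action=rename path=C:\\Share\\doc{i:05d}.xlsx.locked"
    for i in range(300)
]

if __name__ == "__main__":
    for family, rate in report_rates().items():
        print(f"{family:18s} ~{rate:>6d} files/min")
    alerts = detect_bursts(SAMPLE_LOG)
    for pid, a in alerts.items():
        latency = detection_latency_seconds(alerts, pid)
        print(f"pid {pid} ({a['image']}): alert after {latency:.2f}s, {a['count']} events in window")
        print("files LockBit's fastest sample would already have encrypted in that time:",
              files_lost_before_response("4:09", latency))
```

Even with an alert firing roughly 15 seconds into the burst, at the fastest quoted LockBit rate several thousand files are already encrypted before any response begins, which is the point the encryption-time table makes: the detection threshold only bounds how much is lost, not whether something is lost.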
Encryption is the last step
One important thing to realize here is that encryption is actually the last step in a long process.
When a piece of ransomware manages to land in a system (e.g., via a trojan, vulnerability exploit, phishing, etc.), it doesn’t just detonate and wreak havoc straight away. It first goes through the successive steps of its own version of a cyber kill chain. MITRE also goes into this in much more depth.
Figure 2. The cyber kill chain
Before it can initiate its ‘actions on objectives’, it will likely need to at least:
- Gain initial access to the network
- Establish a connection with its command-and-control (C2) server
- Download additional payload
- Perform privilege escalation
- Perform lateral movement and infect as many endpoints as possible
And the list goes on.
Prevention Vs. Detection - Beating even the fastest ransomware
So, instead of just waiting for the malware to reach the final and most damaging stage of the attack in order to try and stop it, wouldn't it make more sense to shift focus to the earlier stages, before any real malicious activities have even started? That way, you don't really care how fast a ransomware variant encrypts files, because you've stopped it before it has even reached that stage.
In order to successfully complete all the steps mentioned previously, a ransomware (or the part of it that makes the initial foothold on the system) needs to be as "quiet" as possible to make sure it stays under the radar.
As mentioned above, to remain undetected by security solutions, 95% of ransomware variants employ one or more evasion techniques, e.g., sandbox evasion, Living off the Land, code obfuscation, and so on. This part of the cyber kill chain is also the part where the malware has no communication with the threat actor and needs to make critical decisions on its own, making it a sitting duck for Minerva’s Anti Evasion platform.
Using ransomware's evasion techniques against itself
The platform turns any ransomware’s evasion techniques against itself, causing it to disarm itself indefinitely and terminate at the earliest steps of the kill chain, before it has even come close to starting the encryption process. The more evasion techniques a ransomware employs, the easier it is for Minerva’s Anti Evasion platform to stop it. In effect, Minerva prevents the ransomware from advancing to those stages where it can do damage.
Not even LockBit, the fastest known ransomware out there, can outrun Minerva. Read more about Minerva’s threat prevention capabilities against LockBit 2.0 in this post.
The recent report about ransomware encryption rates we talked about earlier should be an eye opener on how ransomware attacks are addressed today, and why it is important for the industry to start leaning towards a prevention-first approach. Traditional threat response strategies, while still important, are not very effective against adversaries that move this fast. Businesses must instead focus on threat prevention—an approach in which Minerva excels.