Faced with a ransomware attack, how much time does a system administrator have to save the data at the last minute? Answer: “some time”, but not much.
Splunk engineers compared the data encryption speeds of ten families of ransomware. They tested them on different systems, each time using the same corpus of 98,561 files, totaling 53 GB.
On average, these malware families took 43 minutes to lock everything, which corresponds to a speed of 2,346 files per minute. Clearly, this is too fast for a person to intervene in real time, especially since it usually takes several days before an infection is detected. System administrators will therefore arrive after the battle is over.
The fastest of these ransomware families is Lockbit, which needs just under six minutes to encrypt everything. This represents a speed of approximately 17,000 files per minute.
Lockbit is closely followed by Babuk, which runs at around 15,000 files per minute. They are ahead of Avaddon and Ryuk, which already require twice as long to do the same job. The slowest are Maze and Mespinoza, which only reach a speed of around 860 files per minute. They took almost two hours to lock down the test computer.
These differences in performance are explained by the encryption algorithm used. Lockbit, for instance, only encrypts 4 kilobits of a file, which is enough to render it unusable. Others, conversely, encrypt the entire contents of the files. The creators of Lockbit can be proud: for the worse, they are the best.
Source: Splunk