This is how fast a ransomware attack encrypts all your files

Researchers examined how quickly ransomware encrypts files - in some cases, it just takes a matter of minutes.
Written by Danny Palmer, Senior Writer

It takes just five minutes for one of the most prolific forms of ransomware to encrypt 100,000 files, demonstrating how quickly ransomware can become a major cybersecurity crisis for the victim of an attack. 

Researchers at Splunk tested how quickly 10 major ransomware strains encrypted networks – and some were much more effective than others at doing the job quickly, something that makes the attackers harder to stop.  

The fastest form of ransomware is LockBit, which took a median time of just 5 minutes and 50 seconds to encrypt 100,000 files. In one of the tests, it took LockBit only 4 minutes and 9 seconds to encrypt the files, which measured 53.83 GB, across different Windows operating systems and hardware specifications.

LockBit has been one of the most prolific forms of ransomware during the early months of 2022 and the cyber criminals behind it have boasted that it's the fastest form of ransomware. The analysis by researchers appears to show that the cyber criminals' boast is unfortunately accurate.


Ransomware is one of the most significant cybersecurity issues facing organisations today as hackers break into networks before encrypting files and servers and demanding a ransom payment for the decryption key. These ransom demands can be millions of dollars and many come with an extra level of extortion, with threats to publish the stolen data if the ransom isn't paid. 

Of the ransomware variants tested, the average median time to encrypt the sample files was 42 minutes and 52 seconds.  

While LockBit was the fastest to encrypt the files, Babuk ransomware isn't far behind, taking a median time of 6 minutes and 34 seconds to encrypt the data. 

Avaddon ransomware took a median time of 13 minutes and 15 seconds, followed by Ryuk at 14 minutes and 30 seconds, then REvil – one of last year's most prolific ransomware groups – encrypting the data in a median time of 24 minutes and 16 seconds.

BlackMatter ransomware took 43 minutes and 3 seconds to encrypt files, Darkside – famous for the Colonial Pipeline ransomware attack – took 44 minutes 52 seconds and Conti – known for a string of high-profile incidents – took a median time of 59 minutes and 34 seconds to encrypt the 54GB of test files.

Maze and PYSA ransomware are the slowest at encrypting files, taking 1 hour and 54 minutes each to do so. 

While the slowest encryption takes almost two hours longer than the quickest, it still isn't a significant length of time – and it could easily go unnoticed until it's too late if the cyber criminals triggered the ransomware attack outside of working hours, such as overnight or at a weekend. 

In any case, it's difficult to prevent a ransomware attack once the encryption process has already been started – that means the best form of defence against ransomware is securing the network against it in the first place.

Two of the most common techniques cyber criminals use to compromise networks as a gateway to ransomware attacks are exploiting weak or compromised passwords for remote desktop protocols and taking advantage of unpatched vulnerabilities in software. 

It's therefore vital that users are encouraged to use strong passwords on their accounts in order to prevent compromise – and that should be accompanied by multi-factor authentication as an additional barrier against attacks.

Information security and IT departments should be aware of what and who is on their networks, so that they can patch any vulnerabilities that emerge – and identify potentially suspicious activity before a full-scale attack is launched. 

