"For Ransomware, Speed Matters"

The LockBit group touts its speed over competing ransomware families to attract potential buyers for its ransomware-as-a-service. Earlier this year, the LockBit group posted a table listing encryption speeds for more than 30 ransomware families, highlighting that LockBit 2.0 was the fastest. Security researchers on Splunk's SURGe research team conducted a new study to test LockBit's claim that it is the quickest ransomware.

The researchers found that LockBit was faster than other ransomware families, but there were some notable differences. For example, the "latest and greatest" version, LockBit 2.0, was actually slower at encrypting files than the original LockBit 1.0. The researchers also found that PwndLocker was the second fastest, although the LockBit group had ranked it 15th out of 30. The 10 fastest ransomware families include some very well-known names: Conti was the fourth fastest in Splunk's tests, while LockBit placed it 19th. The researchers noted that there is no way to tell whether the LockBit group fudged the numbers to make certain groups look worse in the analysis than they actually performed, but they acknowledged that there are rivalries between crews as they go "head-to-head" competing for victims. According to the researchers, the difference in results is most likely due to differences in testing methodologies.

Security teams should note just how quickly ransomware performs its job. LockBit 1.0 takes 2.33 minutes to encrypt 98553 files. Conti takes a little over a minute longer, at 3.6 minutes. The security researchers stated that the pace at which ransomware encrypts files is faster than any network defender can handle. While the slowest ransomware, Avos, takes 132 minutes to encrypt 98553 files, the median time it takes ransomware to encrypt 98553 files is about 23 minutes. The researchers noted that this is still much faster than many organizations can act.

The researchers noted that enterprise defense cannot "win" during the encryption phase, so the best chance of foiling a ransomware attack is to detect the intrusion before the encryption process kicks off. Researchers at Mandiant recently reported that ransomware families tend to spend three to five days in the victim environment collecting information before kicking off the encryption process. The researchers stated that security teams need to be acting during those three to five days.

 

Dark Reading reports: "For Ransomware, Speed Matters"

Submitted by Anonymous on