Network defenders have just 43 minutes to mitigate ransomware attacks once encryption has begun, a new study from Splunk has warned.
The security monitoring and data analytics vendor evaluated the speed at which 10 ransomware variants encrypt data to compile its report, An Empirically Comparative Analysis of Ransomware Binaries.
Using a controlled Splunk Attack Range lab environment, the firm executed 10 samples of each of the 10 variants on four hosts – two running Windows 10 and the other two running Windows Server 2019.
It then measured the speed at which the ransomware encrypted nearly 100,000 files, totaling almost 53GB.
LockBit came out fastest, with speeds 86% faster than the median of 43 minutes. The fastest LockBit sample encrypted 25,000 files per minute.
However, there was a significant variation in speeds between the fastest, which took just four minutes in total, and the slowest variant, which took three-and-a-half hours.
In order of fastest first, the variants analyzed by Splunk were: LockBit; Babuk; Avaddon; Ryuk; REvil; BlackMatter; DarkSide; Conti; Maze; and Mespinoza (Pysa).
“The average median duration demonstrates a limited window of time to respond to a ransomware attack once the encryption process is underway. This can prove even more limiting considering that the catastrophic apex may be when a single critical file is encrypted, rather than the whole of the victim’s data,” the report warned.
“With such factors in play, it may prove to be extremely difficult, if not impossible, for the majority of organizations to mitigate a ransomware attack once the encryption process begins.”
As such, organizations must focus more of their efforts on prevention by spotting the warning signs of a ransomware compromise earlier on, Splunk argued.
“If an organization wishes to defend against ransomware, it’s clear that they need to move left on the cyber kill chain and detect on delivery or exploitation rather than actions on objective,” it said, citing the famous Lockheed Martin model.
However, as things stand, most organizations are far from realizing such rapid detection and response.
According to the most recent M-Trends report, ransomware has a median dwell time of three days in the Americas.