Researchers Measure Ransomware Encryption Speeds

Analysts at Splunk conducted over 400 tests on various ransomware strains to determine how quickly they encrypt files and to assess the possibility of timely response to such attacks. The researchers evaluated the “encryption speed” of 10 of the most common malware families, selecting 10 samples from each family (Avaddon, Babuk, BlackMatter, Conti, DarkSide, LockBit, Maze, Mespinoza, REvil, and Ryuk).

The malware samples were tasked with encrypting about 100,000 files totaling approximately 54 GB. The files were stored on four hosts—two running Windows 10 and two running Windows Server 2019. In addition to measuring encryption speed and duration, the researchers also studied how the ransomware utilized system resources.

The team measured the time each malware sample took to encrypt 100,000 files and used the average to calculate the speed for each malware family. The results showed that LockBit was the fastest, completing the task in 5 minutes and 50 seconds (over 25,000 files per minute), followed by Babuk at 6 minutes and 34 seconds. Conti encrypted files in just under an hour, while Maze and Mespinoza were the slowest, taking nearly two hours. The average data encryption time across all samples was 42 minutes and 52 seconds.

“The average encryption duration demonstrates how limited the response window is for specialists once a ransomware attack is underway,” the researchers noted. “This window may be even shorter, considering the catastrophic consequences if even a single critical file is encrypted, rather than all of the victim’s data. With these speeds, it can be extremely difficult—if not nearly impossible—for most organizations to respond to or mitigate ransomware attacks after the encryption process has started.”

The analysis also revealed that only some malware strains utilize hardware to accelerate the encryption process. The amount of device memory does not appear to significantly affect this process, but disk speed can accelerate encryption, especially if the malware can fully leverage CPU capabilities.

“Some families demonstrated high efficiency, while others used a large percentage of CPU time along with very high disk access speeds. However, there is no direct correlation between a sample using more system resources and a higher encryption speed. Some ransomware families performed worse or even crashed when deployed on faster test systems,” the report states.
