Threats 101
Rick Correa
Apr 2016

How Fast Does Ransomware Encrypt Files? Faster than You Think

If there was any doubt ransomware is booming, these stats from Symantec's 2016 ISTR seem to settle it:

362,000 new crypto-ransomware variants were spotted in 2015. That's an average of nearly 1,000 new variants every day.


That represents a 35% increase from 2014. As the ISTR charts below show, the upward trend in both new ransomware variants and new ransomware families is accelerating.

[Figures from the Symantec 2016 ISTR: new crypto-ransomware variants per year; new ransomware family discoveries over time]

What these increases represent is the rapid productization of a very profitable attack method. Criminals have realized ransomware is where the money is. Successful attacks, along with a collective ¯\_(ツ)_/¯ from law enforcement, are emboldening them to ramp up their campaigns, diversify their techniques, go after a wider range of targets (including hospitals, schools, and even police departments), and increase their demands.

We've all seen the headlines, but what isn’t getting much play is one of the key factors in ransomware's rise — how incredibly fast it operates.

Just how long do users and their IT admins have to react between unwittingly executing infected files and being alerted their data has been encrypted? To find out, I conducted a test timing the speed of encryption of various ransomware samples.

Before we dive into the results, a few notes about the test:

Test machine: a 2-core, 2.9 GHz Intel i5 Windows VM with 4 GB of RAM and an SSD. Along with a standard install, I put 1,000 Word documents on the machine, approximately 70 MB in total.

How long does it take for ransomware to encrypt your files?
Answer: Minutes or seconds.


Starting at execution, here are the times it took for the following ransomware samples to encrypt the files and notify me with a ransom screen:


  • Chimera: 18 seconds
  • Petya: 27 seconds
  • TeslaCrypt 4.0: 28 seconds
  • CTB-Locker: 45 seconds
  • TeslaCrypt 3.0: 45 seconds
  • Virlock: 3 minutes 21 seconds
  • CryptoWall: 16 minutes

Five out of the seven samples finished the encryption process in under a minute.

Thanks to research from Invincea, we can see Locky is also a member of this club, having been clocked at taking just 54 seconds between execution and notification:

[Figure: Locky timeline from execution to ransom note, 54 seconds (Invincea)]

To help put these times into perspective, here's a video that shows TeslaCrypt in action:

Why encryption speed is important

To be effective, ransomware needs to avoid detection until encryption is complete.¹ Many security solutions monitor for indicators the ransomware emits (e.g. new, never-before-seen processes; execution from unusual directories like TEMP or the Recycle Bin; strange DNS queries or network flows; deletion of Volume Shadow Copies) and alert the security team watching a log aggregator or SIEM.

In ideal conditions, an analyst is available to catch the alerts, correlate them as a malware incident, and remediate it. But in even the most well-tuned security organizations, response can take tens of minutes after the event is detected.
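To make the gap between "alert fired" and "analyst acts" concrete, here is a small detector that applies three of the indicators above (execution from TEMP, shadow copy deletion, and a burst of file writes from one process) to a Sysmon-style event stream, then counts how many files were already encrypted by the time a responder acting N seconds after the first alert could intervene. This is an added example written for this page, not Barkly's product code; the event layout is loosely modelled on Sysmon ProcessCreate/FileCreate, and every event, path, PID and timing in the sample timeline is constructed for illustration.

```python
"""Toy behavioral detector run over Sysmon-style endpoint events.

Added example; not Barkly's product code. The event shape is loosely
modelled on Sysmon ProcessCreate (EventID 1) and FileCreate (EventID 11),
and every event below is constructed for illustration (assumed paths,
PIDs and timings), not captured from a real infection.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
import re

# Indicators from the post: execution out of TEMP / Recycle Bin,
# Volume Shadow Copy deletion, and (added here) a burst of file writes.
SUSPICIOUS_DIRS = ("\\appdata\\local\\temp\\", "\\$recycle.bin\\", "\\users\\public\\")
SHADOW_DELETE = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows|wmic\b.*shadowcopy\s+delete", re.I)


@dataclass
class Event:
    ts_ms: int          # milliseconds since the sample was launched
    kind: str           # "proc" (process create) or "file" (file create/write)
    pid: int
    image: str = ""     # executable path (proc events)
    cmdline: str = ""   # command line (proc events)
    path: str = ""      # target file (file events)


def detect(events, burst_n=200, burst_window_ms=10_000):
    """Return alerts as (ts_ms, pid, reason), in event order.

    The burst rule fires once per process when it has touched burst_n files
    within burst_window_ms; it is the only rule that needs state.
    """
    alerts = []
    recent = defaultdict(deque)   # pid -> timestamps of recent file events
    bursted = set()
    for e in events:
        if e.kind == "proc":
            if any(d in e.image.lower() for d in SUSPICIOUS_DIRS):
                alerts.append((e.ts_ms, e.pid, f"execution from suspicious directory: {e.image}"))
            if SHADOW_DELETE.search(e.cmdline):
                alerts.append((e.ts_ms, e.pid, f"shadow copy deletion: {e.cmdline}"))
        elif e.kind == "file":
            q = recent[e.pid]
            q.append(e.ts_ms)
            while q and e.ts_ms - q[0] > burst_window_ms:
                q.popleft()
            if len(q) >= burst_n and e.pid not in bursted:
                bursted.add(e.pid)
                alerts.append((e.ts_ms, e.pid,
                               f"{len(q)} file writes in {burst_window_ms} ms (burst)"))
    return alerts


def files_hit_before_response(events, alerts, response_delay_ms):
    """Count files already written by the time an analyst who acts
    response_delay_ms after the FIRST alert could intervene."""
    if not alerts:
        return sum(1 for e in events if e.kind == "file")
    deadline = alerts[0][0] + response_delay_ms
    return sum(1 for e in events if e.kind == "file" and e.ts_ms <= deadline)


def sample_events(n_files=1000, per_file_ms=30):
    """Constructed timeline: dropper launched from %TEMP%, one file written
    every 30 ms (1,000 files in about 30 s, roughly the TeslaCrypt pace
    measured in the post), then vssadmin run to destroy shadow copies."""
    pid = 4242
    ev = [Event(0, "proc", pid,
                image="C:\\Users\\alice\\AppData\\Local\\Temp\\invoice_scan.exe",
                cmdline="invoice_scan.exe")]
    for i in range(n_files):
        ev.append(Event(500 + per_file_ms * i, "file", pid,
                        path=f"C:\\Users\\alice\\Documents\\doc{i:04d}.docx.locked"))
    ev.append(Event(500 + per_file_ms * n_files + 30, "proc", 4300,
                    image="C:\\Windows\\System32\\vssadmin.exe",
                    cmdline="vssadmin.exe Delete Shadows /All /Quiet"))
    return ev


if __name__ == "__main__":
    evs = sample_events()
    found = detect(evs)
    for ts, pid, why in found:
        print(f"t={ts / 1000:6.2f}s pid={pid} {why}")
    for delay in (5_000, 600_000):
        print(f"analyst acting {delay / 1000:.0f}s after first alert: "
              f"{files_hit_before_response(evs, found, delay)} of 1000 files already hit")
```

On this constructed timeline the first alert fires at t=0 (the TEMP launch), the burst rule fires at about 6.5 s, and the shadow copy deletion at about 30.5 s. Even with the earliest possible alert, a responder who reacts 5 seconds later finds 151 files already encrypted, and one who reacts after 10 minutes finds all 1,000. The point is not the specific thresholds, which you would tune per environment, but that any rule which routes to a human queue loses the race; the only rules that matter against ransomware are the ones wired to an automatic block.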

We recently surveyed IT pros at small and medium-sized businesses who had been hit with ransomware and asked them how quickly they were notified of an attack. Their responses weren't encouraging.

  • 54% were notified of the attack within 1 hour
  • 35% were notified within 24 hours
  • 11% were notified over a day later

As our encryption time trial numbers above show, ransomware doesn’t need anywhere close to that much of a head start to do its damage.

With the explosion of new ransomware families, we are seeing samples finish their encryption in a matter of seconds, not hours or even minutes. For many of the survey respondents and other victims like them, notification came too late.

To make matters worse, ransomware is also evolving from inefficient, easily recoverable custom encryption schemes to fast, cryptographically sound techniques. Not only has ransomware encryption gotten faster, it has also become practically impossible to break without the attacker's key.

If there's one thing ransomware authors love, it's shared network drives

Speed also becomes an important factor when you consider encryption isn't always confined to files on a single user's machine. Many of the ransomware families we tested, including the Virlock, TeslaCrypt, and CTB-Locker samples, also enumerate and encrypt network file shares. Campaigns like SamSam have shown an entire network can be compromised, with potentially catastrophic effects on an organization.

That makes realizing just how fast ransomware encrypts files even more scary.

By pushing speed over persistence, ransomware brings new immediacy to cyber attacks


Traditional incident response has generally been broken down into non-targeted commodity malware remediation and advanced threat response. In the past, AV generally performed well at stopping commodity malware, leaving human-driven incident response to tackle the harder problems of insider and advanced persistent threats.

Security vendors responded by focusing on giving their customers more data, a requirement for most well-staffed incident response groups for post-mortem analysis. That kind of reactive treatment may make sense for rooting out advanced and insider threats, but it isn't effective against ransomware.

Once it's on a system, ransomware doesn't settle in and lay low. Forget being stealthy and establishing persistence. It grabs all it can, makes a break for it, then hurls a ransom-note-wrapped rock smashing back through your window.

With ransomware, you don't need state-of-the-art threat detection and response tools to tell you you've been popped.

That leaves the heavy lifting of stopping ransomware before it can do its encrypting damage to more proactive, preventive tools like AV. Unfortunately, confidence in AV has been steadily eroding since the infamous 2014 Wall Street Journal interview in which Symantec's then SVP of Information Security, Brian Dye, declared "antivirus is dead," pointing out that it only detected 45% of malware.

In the two years since, things have not gotten better for companies relying on AV and other signature-based security. As this year's Verizon DBIR indicates, 99% of malware is seen only once before its authors modify the code and ship it back out as a slightly different version that continues to evade detection.

That's bad news for signature defense like anti-virus and traditional network sandboxes. See my previous post, "The Problem with Signature-Based Security" for more on why.

The need for taking speed out of the equation

With so little time to react before encryption has taken place, perhaps the best way to address ransomware is to encourage safe behaviors that avoid infection in the first place.

Efforts like better user education and phishing awareness are a great way to reduce ransomware risk, but unfortunately they don't eliminate it. That's because, in addition to email, ransomware is also distributed through ad networks. Recently, MSN.com, the default homepage for most Windows machines, was found serving TeslaCrypt via the Angler Exploit Kit.

Ransomware will find its way onto user machines, and when it does, it's the protective "safety nets" we have in place (like backup and behavioral-based endpoint protection) that can make the difference.

See how endpoint protection powered by behavioral analysis enabled us to stop CryptoWall 4.0 from day one.


With the proliferation of SSDs and hardware-assisted acceleration like Intel's AES-NI, we can only expect ransomware to get faster. Additionally, ransomware authors are reaping the financial benefits of successful campaigns, and we can expect better-funded future campaigns to keep pushing more advanced capabilities. It is not hard to imagine ransomware evolving to steal credentials for cloud services like Dropbox and holding those accounts to ransom as well.

This security gap is only widening. To close it, we need to neutralize ransomware's speed as an advantage. That means developing ways of responding to ransomware from the onset — through protections that prevent infection and automatically remediate.

¹ To avoid detection, some samples run inside the address space of other processes to hide from Task Manager, while others, like recent versions of TeslaCrypt, prevent the user from opening the taskbar. The few seconds of confusion are enough to allow it to encrypt and hold a user's contents hostage.

Rick Correa

Rick is a Principal Malware Researcher at Barkly. He has over 13 years experience working in computer security research and development including malware analysis, embedded systems, and wired/wireless networking.
