The power of reports and software testing has been appreciated by criminals in their marketing strategy. There is a fairly large list of Ransomware-as-a-Service “companies” on the market that allow people – not having much of a clue about hacking attacks – to enter the world of cybercriminals and obtain financial benefits illegally. Criminal organizations that compete in the fight for customer attention invest in marketing. In this regard, they don’t differ from any other legally operating IT company.
In February, a report appeared on the website of one of the cybercriminal groups – LockBit, in which criminals tested encryption speeds across 36 different ransomware variants, including two of their own: LockBit 1.0 and LockBit 2.0. It turned out that those two solutions; LockBit 2.0 and LockBit 1.0 are at the top of the table. Information about the conditions of these tests was limited.
Splunk specialists decided to verify the test results based on more detailed assumptions. It turned out that LockBit was the fastest tool. But LockBit 1.0 was actually faster than its newer counterpart LockBit 2.0. The total encryption time of nearly 100K test files spread across 100 directories (various file types and sizes) for LockBit 1.0 was 2 minutes 20 seconds, for LockBit 2.0 it was 2 minutes 30 seconds. The test showed that LockBit 2.0 is much more efficient than 1.0, using only half the number of CPU threads, and hitting the disk 27 fewer times.
Yet, it doesn’t change the fact that the older version was faster. Splunk researchers found the second place actually belongs to PwndLocker, as its software needs only 2 minutes and 28 seconds to encrypt the same data.
All three of the fastest tools are using the method of partial encryption. It is enough to render most files unusable. LockBit 2.0 only encrypts the first 4KB of a file, leaving the remainder untouched. PwndLocker leaves the first 128B unencrypted, to encrypt the next 64KB of a file. The fastest variant, LockBit 1.0, encrypts 256KB of every file by utilizing a high number of CPU threads along with high disk access rates.
The slowest, Avos, needs 132 minutes to encrypt data. The median for all tested tools is about 23 minutes. For many organizations, it is impossible to act so fast. There is no chance to counteract during the encryption phase, as it has to be done before. According to Mandiant’s “M-Trends 2022” report ransomware criminals tend to spend three to five days in the victim’s environment collecting information before they start the encryption process. That is enough time to stop them, but when encryption starts, it is already too late.