Recent research has suggested that modern ransomware operations increasingly resemble businesses, with a management structure, different teams specializing in different aspects of the operation, and outsourcing of work when necessary. Many of the ransomware crews even have a PR team to draw attention to their latest victims and success stories. Recent research from Splunk suggests some groups are branching out into marketing, as well.
Earlier this year, the LockBit group posted a table listing encryption speeds for more than 30 ransomware families and highlighted the fact that LockBit 2.0 was the fastest. Measuring how long different ransomware takes to encrypt the files in victim environments is an interesting exercise from a technical perspective, but for LockBit, it was a marketing ploy to attract potential customers for their ransomware-as-a-service offering, says Shannon Davis, staff security strategist on Splunk’s SURGe research team.
The barrier to entry for launching a ransomware campaign is much lower, thanks to the availability of ransomware-as-a-service. LockBit and other “service providers” need to attract the people who want to use the tool. By listing the encryption speeds on their site, the LockBit group is telling customers, “We are fast, use us, we are better,” says Davis.
Davis attempted to verify the LockBit group’s tests and its claim to be the fastest. While Davis found that LockBit was faster than other ransomware families, there were some notable differences. For example, the “latest and greatest” version, LockBit 2.0, was actually slower at encrypting files than the original LockBit 1.0. And Splunk found that PwndLocker was the second fastest, whereas the LockBit group had ranked it 15th out of 30.
The ten fastest families include some very well-known names. Conti, which has been in headlines recently, was the fourth fastest in Splunk’s tests, while LockBit placed it 19th.
There was no way to tell if the LockBit group fudged the numbers a bit to make certain groups look worse in the analysis than they actually performed, but Davis acknowledged that there are rivalries between crews as they go “head-to-head” competing for victims. The difference in results is most likely because of differences in testing methodology, he says.
While the rankings themselves are interesting (and good for ransomware marketing), security teams should note just how quickly ransomware performs its job. LockBit 1.0 takes 2.33 minutes. Conti is a little over a minute longer, at 3.6 minutes. “This is faster than any network defender can handle,” says Ryan Kovar, distinguished security strategist and leader of Splunk’s SURGe research team.
While the slowest, Avos, takes 132 minutes, or a little over 2 hours, the median is about 23 minutes. That’s still much faster than many organizations can act. Enterprise defenders can’t “win” during the encryption phase, so their best chance of foiling a ransomware attack is to detect the intrusion before the encryption process kicks off, Kovar says.
Mandiant’s M-Trends reports have noted that ransomware operators tend to spend three to five days in the victim environment collecting information before kicking off the encryption process. “We are not going to beat [them] in three minutes. We need more time,” Kovar says. “We need to be acting during those three to five days.”
Back to marketing — people often underestimate the extent to which ransomware is run like a business, says Kovar. Someone analyzed and measured the encryption speeds, but more than that, someone spent the time to create a graphic and to put together a post discussing the research – and Kovar notes that all of this takes many hours to do. The fact that a ransomware crew has “top-tier marketing” and is thinking in terms of “value-add” shows ransomware’s maturity, Kovar says.
“APT28 doesn’t have a marketing guy,” Kovar says.