CyberWire Daily - LockBit's contradiction on encryption speed. [Research Saturday]
Episode Date: September 3, 2022

Ryan Kovar from Splunk sits down with Dave to discuss their findings in "Truth in Malvertising?" that contradict the LockBit group's encryption speed claims. Splunk's SURGe team recently released a whitepaper, blog, and video that outlined the encryption speeds of 10 different ransomware families. During their research they came across LockBit doing the same thing. After completing the research, the researchers came back to test the veracity of LockBit's findings. The research showed three interesting finds. The first find showed that LockBit's fastest and slowest samples were closely aligned between the tests, but the other results were very different. They also found that LockBit continues to be the fastest ransomware, but LockBit 2.0 was more efficient yet slower than its previous counterpart, LockBit 1.0. Lastly, once ransomware gets to the point of encrypting your systems, it's too late. The research can be found here: Truth in Malvertising?
Transcript
You're listening to the CyberWire Network, powered by N2K.
I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you, with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private. Visit JoinDeleteMe.com/N2K and use promo code N2K at checkout. The only way to get 20% off is to go to JoinDeleteMe.com/N2K and enter code N2K at checkout. That's JoinDeleteMe.com/N2K, code N2K.
Hello, everyone, and welcome to the CyberWire's Research Saturday.
I'm Dave Bittner, and this is our weekly conversation with researchers and analysts
tracking down the threats and vulnerabilities,
solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace.
Thanks for joining us.
And one question that we kept asking ourselves was, how fast does ransomware actually
encrypt?
And we couldn't really find anyone who had conclusively answered that.
And the only people who had, from what we could tell, was actually the LockBit ransomware group.
That's Ryan Kovar. He's a distinguished security strategist and leader of SURGe, a blue team security research team at Splunk.
The research we're discussing today is titled Truth in Malvertising.
And now, a message from our sponsor, Zscaler, the leader in cloud security.
Enterprises have spent billions of dollars on firewalls and VPNs, yet breaches continue to rise, with an 18% year-over-year increase in ransomware attacks and a $75 million record payout in 2024.
These traditional security tools expand your attack surface with public-facing IPs that
are exploited by bad actors more easily than ever with AI tools.
It's time to rethink your security.
Zscaler Zero Trust plus AI stops attackers by hiding your attack surface, making apps and IPs invisible, eliminating lateral movement, connecting users only to specific apps, not the entire network, continuously verifying every request based on identity and context, simplifying security management with AI-powered automation, and detecting threats using AI to analyze over 500 billion daily transactions.
Hackers can't attack what they can't see.
Protect your organization with Zscaler Zero Trust and AI.
Learn more at zscaler.com slash security.
Earlier this year, one of my employees, Shannon Davis, had started looking at ransomware.
And, you know, when we went through ransomware, we always do a literature review for every project that SURGe works on.
And we really found that most of the work had been kind of clumped around a couple big areas.
The first being ransomware groups.
So working on, you know, who are these people?
What are they doing?
Really diving into the threat actors.
And we said, great, there's been a lot of work done there.
Probably don't need to keep going into it. The second thing we found that people had been working on was around the actual
way people are paid for ransomware and the motivations, you know, Bitcoin or different
currencies and clawing back that money. And we said, great, there's been a lot of work done there.
And then the final part that we'd seen a lot of work done on was detections. And we said, okay,
that's a little bit more interesting, but what's something that hasn't been worked on? And one question
that we kept asking ourselves was, how fast does ransomware actually encrypt? And we couldn't
really find anyone who had conclusively answered that. And the only people who had, from what we
could tell, was actually the LockBit ransomware group. It turned out that they had actually
written up a very nice scientific-looking document explaining why their ransomware was so good. So we said, okay,
this is super interesting. Let's put this to the side, but let's actually do our own scientific
analysis. And we did that, and we released a white paper and blogs and presentations and stuff like
that earlier this year. And then we came back and we said, okay, well, let's actually look at this LockBit work.
And that's how we ended up with this Truth in Malvertising.
Well, help me understand here.
I mean, why is speed of encryption something that matters
if I am someone offering a ransomware service here?
So twofold.
One, what we found was it was an advertising angle. And I found
this fascinating because there's been a lot of work done and I know you've talked about it.
Just this concept that ransomware organizations are greater than just cyber attacks. They are
an actual business. They have 24 by 7 help desks.
They have increasingly better bug bounties than many commercial organizations.
And one part that we hadn't really thought about was the marketing aspect.
And what this page, which was actually on their Onion Router website, so you can actually visit it, showed was that there was a move where they were seeing competition from a crowded marketplace.
So, you know, Adam Smith's invisible hand is actually at work here. And they were seeing that like, oh man, there's a lot more ransomware groups than there used to be. People are actually
selecting different ransomware services. We need a way to actually explain why our ransomware is
better than others. And so they created this, like I said, this table, which
clearly showed, at least in their eyes, that their ransomware was the fastest to encrypt.
And the reason that could be a value is, and actually why we also did our primary research,
was the question was, what can a network defender do once ransomware starts? And, you know, we found
that it took anywhere from something like three and a half or four hours for some ransomware to execute over 100,000 files.
But ransomware from LockBit might only take four minutes and 30 seconds.
So if you're looking at this from a network defender point of view, I can't stop four and a half minutes or five minutes.
I might be able to stop some ransomware encryption in three hours.
And I think LockBit is kind of looking at this from the same angle: if you're trying to make sure that you're selling a service that people will get their money out of, you know, faster is better. And that's what they're selling.
Right. So it's more likely that we'll be successful in encrypting the files on a victim's system here before they are on to us,
and that's the advantage that speed gives us.
Correct. 100%.
Yeah. So you all, I think wisely, did not trust the marketing angle of the LockBit folks
themselves and decided to dig into it. How did you go about that?
So we had created a testing harness for our original work that was much more around the concept of scientific method.
But we actually had most of the details there because LockBit, once again, in a surprising bit of a, we'll prove it to you yourself, you know, take it home 30-day warranty.
They actually gave a lot of evidence and details of their testing, including the ransomware samples that they tested on.
So thanks to Lockbit,
we were able to actually take the same samples.
They provided a general idea
of how large of a file they had to encrypt,
100 gigs or 10 terabytes.
And they also said how many files they encrypted
and the sample and the ransomware.
So they gave a whole bunch of evidence.
So we kind of took that.
We had to adjust our rig, which, like I said, was actually all done by Shannon Davis. He was the
primary investigator for this bit of work. And he adjusted the rig and then re-ran it through
using the parameters that they were actually advertising. And we did that on different scale
systems and a whole bunch of different areas to try to determine how they came across.
And what did you find?
You know, LockBit said that LockBit 2.0 was the fastest,
LockBit 1.0 was the second fastest, and then third place was Cuba ransomware.
So when we ran the same bit of work, we found slightly different results.
We found that LockBit 1.0 was the fastest.
Second place was a ransomware family called PwndLocker.
Third place was LockBit 2.0.
And then last place, just like LockBit, was a ransomware family called Avos.
So we found LockBit 1 and 2 were top three, but maybe not the 1, 2, 3 orientation that they had called out.
Do you have any insights as to what is going on under the hood in terms of why would one family be faster than another?
Are they rolling their own encryption here?
Are they using pre-existing libraries?
Any thoughts there?
You nailed one of the most interesting things that we found. So we went in with a lot of hypotheses that either all the
ransomware families would have similar encryption speeds or that they would be, frankly, completely
different. And we started seeing that they were kind of grouped, to be frank.
And for LockBit, at least LockBit 2.0 and LockBit 1.0 and even PwndLocker,
they have a similar encryption method in that they only encrypt the first portion of the file.
So LockBit 2.0 only encrypts the first four kilobytes of a file and leaves the remainder untouched.
What's interesting about this is if you're dealing with a plain text file that's a terabyte and you only lose the first four kilobytes of it, that might be perfectly fine. And heck, with Windows Word, that might be just the headers.
Right.
But for a database file or a Bitcoin, if you lose the first 4K of that file, you've lost every single bit of that file.
And so their method of only encrypting a little bit, especially when you start scaling that to terabytes of data, is actually a very smart idea.
Because you ruin enough of it where you still need to pay for the decryption.
Other encryption families encrypt the entire file, and they may use stronger encryption or they might use weaker encryption, but they're encrypting the whole file. We also had some ideas that memory or disk speed might impact the encryption speed. Disk speed did have an impact, but it wasn't the most significant.
The largest was actually the CPU.
So the faster the processor, the faster encryption, which then makes quite a bit of sense
because obviously doing encryption is completely math and that's what a processor does on the
system. So we would see some variance there, which is also why we tested every bit of these ransomware
on the same system with the same operating system, with the same memory, with the same hard drive
speeds and everything like that. You know, as I was reading through your research and what you mentioned, you know,
of only encrypting the first 4K of a file, for example, it made me wonder, could that be
used to a victim's advantage in their recovery process? If you know that you've been hit by
an organization that only encrypts the first, you know, 4K of a file, could that speed up your recovery process?
Because now you only have to pull the first 4K of the encrypted files and graph them together.
I'm sure I'm oversimplifying it here, but is there anything to that line of thinking in your estimation?
It's an interesting area to go down. The problem that we had was
in order to get a decryption key for these ransomwares, you actually have to pay the
ransomware families. So that's a step that we weren't willing to go into for our research.
So we haven't done a lot of work on the decryption, sadly, just because that would
actually involve putting money back into the ransomware ecosystem for their next nefarious
purpose. Well, and that actually leads me to my next question, which is, is there any importance
on the decryption side? I mean, we've certainly heard anecdotal stories about how different
strains are faster or slower in the decryption side, or even more or less successful in the decryption
side. If I'm investing my money in trying to get my files unlocked, you know, it seems to me like
that would be something where there would be a competitive advantage as well. Yes, absolutely.
I often say that the choice to decrypt is kind of like your choice of whiskey. It's a very personal decision. I've had a lot of questions from people asking, like, should I decrypt? Should I not
decrypt? Should I pay the ransom? Should I just restore from backups? And that's not something I
can really give a lot of guidance on. What I can say is it would appear to us, based off our
preliminary testing, that financially these ransomware families are not geared towards making money
from the people who are being victimized, but rather the people who are doing the victimizing,
the actual people who are buying their service as a ransomware as a service.
So I would say, if we go back to Adam Smith, the economics are that they're very concerned
in making sure their primary customer as a ransomware as a service, who are the actual
criminals who are sending off the spear phishing emails with the ransomware links.
They're more concerned in the speed and quality of encryption rather than the speed and quality of decryption.
So that is kind of my belief on this area that from a financially motivated development point of view, these families are trying to make their customers happy.
And in this case, their customers, the ransomware-as-a-service gangs, are the people who are buying the ransomware service to actually attack another organization.
So the best part of this ransomware is definitely the encryption.
And anecdotally, it does not feel that the decryption is quite to the same level of sophistication.
Right.
So looking at the big picture here, based on the information that you all have gathered, what are your takeaways?
What are the recommendations to the defenders out there?
The recommendations that I have, and this kind of goes back to our original research, is you don't have time to stop ransomware once it starts. And frankly,
you know, I put out some numbers there of, you know, three, four and a half minutes to four hours.
I would really challenge any SOC in the world that can effectively respond to a global ransomware
endemic of, you know, even a three-hour ransomware. And so what our work was primarily when we first started,
and then also as we've continued down this research,
is to give data back to network defenders of,
if you have to spend your cybersecurity dollars,
if you have to spend your cybersecurity time,
where do you prioritize?
And probably the place that we would recommend
is trying to stop ransomware from starting.
And so really move left of that boom,
the boom in this case being the actual ransomware infection, and try to find and detect ransomware
before it gets on your system. The interesting thing about that in our research, and after
talking to a lot of ransomware defenders and consultants, is that ransomware binary itself,
the actual thing that we call ransomware, is actually the very last thing that most ransomware groups put on a system.
Anecdotally, one person we talked to said they were seeing that the time from the ransomware binary
entering a network to actually being executed was only two minutes or three minutes,
but that the adversary had been on the network for four and a half days.
And what's nice is if you think of it like that, you quickly realize that the life cycle of a ransomware adversary is almost the same as a nation state adversary or an APT adversary,
which many of us have been working and defending against for many years.
So if you change your perspective and stop thinking of ransomware as something that's so terrifying, but rather the final aspect of a chained lifecycle advanced attack, you can really start looking at this
in a different angle and adjust your defenses better and duplicate effort in places or rather,
you don't have to duplicate your efforts because you're already looking for spear phishing emails.
You're already looking for lateral movement. You're already looking for persistence. You're already looking for exfiltration of data. And these are all things that happen in
ransomware attack, and they're all the things that happen in a nation state attack. So as long as
you're looking for both, you'll be able to find ransomware before you have to deal with the
encryption speeds.
Our thanks to Ryan Kovar from Splunk for joining us.
The research is titled Truth in Malvertising.
We'll have a link in the show notes.
Cyber threats are evolving every second. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data,
and ensuring your organization runs smoothly and securely.
Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant.
Thanks for listening.
We'll see you back here next week.