How quickly does ransomware spread?

Ransomware is a type of malware that encrypts files on a victim’s computer and demands payment in order to decrypt them. The speed at which ransomware can spread depends on several factors:

Infection Vectors

Ransomware typically spreads through these main infection vectors:

  • Phishing emails – Emails containing malicious attachments or links that download the ransomware when opened or clicked on.
  • Exploit kits – Collections of exploits targeting vulnerabilities in applications. When a user visits a compromised website, the kit attempts to exploit the vulnerabilities to silently install ransomware.
  • Remote Desktop Protocol (RDP) – Brute forcing weak RDP credentials allows hackers access to deploy ransomware directly.
  • Software vulnerabilities – Unpatched software flaws can be exploited to install ransomware without any user action.
  • Removable media – Malware copied onto USB drives and other removable media automatically infects computers when the media is inserted and accessed.

Phishing emails can spread ransomware very rapidly when sent to large contact lists. The other vectors depend on a user visiting a booby-trapped website or connecting infected media, or on an attacker reaching an exposed or unpatched system, so propagation is somewhat slower.

Initialization Time

After the ransomware files are deployed to the victim’s computer, there is some lag time before the malware initializes and begins encrypting files. During this window the malware may:

  • Complete its installation process.
  • Check whether any anti-virus is running and attempt to disable it.
  • Wait for the system to be idle to avoid detection.
  • Listen for commands from a command and control server.

This initialization time varies by strain, from a few minutes to remaining dormant for days or weeks before activating. More advanced ransomware aims to initialize faster so that it starts encrypting files sooner.

Encryption Speed

Once the ransomware is active, encryption speed depends on:

  • Targeted file types – Ransomware often targets certain file types for encryption, like documents, images, databases, etc. Focusing on fewer file types can accelerate encryption.
  • Number of files – The number of files to encrypt on the infected system impacts overall speed.
  • Size of files – Larger files naturally take longer to encrypt than smaller ones.
  • CPU usage – Ransomware is optimized to use a large percentage of available CPU resources to encrypt swiftly.

Advanced strains employ multithreading and scale CPU usage dynamically to encrypt files as fast as possible across the system.

Network Propagation Speed

Some ransomware variants also attempt to propagate across networks by stealing credentials or exploiting vulnerabilities to spread to more endpoints. Key factors impacting lateral movement speed include:

  • Open network shares – Access to shared folders accelerates infection of additional connected systems.
  • Weak credentials – Brute forcing of poor passwords enables faster lateral movement.
  • VPN connections – Active VPNs to remote endpoints provide paths to infect additional systems.
  • Vulnerabilities – Wormable exploits like EternalBlue provide immediate network propagation.

Self-propagating ransomware strains can infect large networks in under an hour by leveraging these methods. However, most ransomware relies on manual deployment and slower infection vectors for propagation.

Impact Speed Summary

In summary, while initialization of ransomware may take from minutes to weeks after initial infection, the actual encryption and impact speeds depend largely on:

  • Breadth of infection vectors
  • Targeted file types
  • Number and size of files
  • CPU usage scaling
  • Ability to self-propagate across networks

Advanced ransomware strains with worm-like propagation can disable hundreds of systems within an organization in minutes. However, less sophisticated variants may take hours to days to fully encrypt files on a single system.

Defense methods like isolating and patching systems, requiring strong credentials, monitoring for lateral movement, and restricting VPN connections are critical to limiting the speed of ransomware outbreaks.
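One way to monitor for the lateral movement described above, shown as an added example that is not part of the original article: flag any internal host that contacts many distinct peers on SMB (445) or RDP (3389) within a short window. The flow-record format, the function names, the 5-minute window and the 5-host threshold are assumptions for illustration, and the sample records are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample flow records (not real data): time, source, destination, dest port.
SAMPLE_FLOWS = """\
2024-05-01T10:00:05 10.0.0.42 10.0.0.11 445
2024-05-01T10:00:09 10.0.0.42 10.0.0.12 445
2024-05-01T10:00:14 10.0.0.42 10.0.0.13 445
2024-05-01T10:00:20 10.0.0.7 10.0.0.11 445
2024-05-01T10:00:31 10.0.0.42 10.0.0.14 445
2024-05-01T10:00:40 10.0.0.9 10.0.0.11 443
2024-05-01T10:00:41 10.0.0.9 10.0.0.12 443
2024-05-01T10:00:42 10.0.0.9 10.0.0.13 443
2024-05-01T10:00:43 10.0.0.9 10.0.0.14 443
2024-05-01T10:00:44 10.0.0.9 10.0.0.15 443
2024-05-01T10:00:52 10.0.0.42 10.0.0.15 445
2024-05-01T10:01:10 10.0.0.42 10.0.0.16 445
2024-05-01T10:12:00 10.0.0.7 10.0.0.12 445
2024-05-01T10:24:00 10.0.0.7 10.0.0.13 445
2024-05-01T10:36:00 10.0.0.7 10.0.0.14 445
2024-05-01T10:48:00 10.0.0.7 10.0.0.15 445
"""

def parse_flows(text):
    """Yield (time, src, dst, port) tuples from whitespace-separated flow lines."""
    for line in text.splitlines():
        if line.strip():
            ts, src, dst, port = line.split()
            yield datetime.fromisoformat(ts), src, dst, int(port)

def detect_fanout(flows, ports=(445, 3389), window=timedelta(minutes=5), threshold=5):
    """Return {src: (alert_time, distinct_peers)}; defaults are assumed starting values."""
    recent = defaultdict(deque)   # src -> (time, dst) pairs still inside the window
    alerts = {}
    for ts, src, dst, port in sorted(flows):
        if port not in ports or src in alerts:
            continue              # ignore other services; alert once per source
        q = recent[src]
        q.append((ts, dst))
        while ts - q[0][0] > window:
            q.popleft()           # expire contacts older than the window
        peers = {d for _, d in q}
        if len(peers) >= threshold:
            alerts[src] = (ts, len(peers))
    return alerts

if __name__ == "__main__":
    for src, (ts, n) in detect_fanout(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{ts.isoformat()} {src} reached {n} hosts on SMB/RDP within 5 minutes")
```

In the sample, 10.0.0.42 is flagged after reaching five peers in under a minute, while 10.0.0.7 touches the same number of hosts over 48 minutes and 10.0.0.9 fans out only on port 443, so neither alerts.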

Conclusion

Ransomware outbreak speed depends on the sophistication and capabilities of the variant, as well as the security posture of the target organization. While fast-moving ransomware is certainly a concerning threat, focusing on preventative controls can significantly reduce the speed and impact of attacks. With layered defenses and threat hunting, even rapid ransomware strains can be quickly detected and contained.