The average ransomware variant takes 43 minutes to encrypt 100,000 files.

SURGe, the study’s author, says that reactive measures are no match for ransomware speeds.


SURGe is a research arm of Splunk. Recently, SURGe investigated the speed of encryption. The team unleashed ten common ransomware variants on two PCs and servers. Among the variants are LockBit, REvil and Blackmatter. The average variant took 42 minutes and 52 seconds to encrypt 100,000 files.

According to SURGe, ransomware encrypts too fast to be fought with reactive measures. Victims have a serious problem. Spread can hardly be stopped, state the researchers.

SURGe recommends a focus on prevention. Think of patch policy, multifactor authentication (MFA) and network scans to find threat actors.

Ransomware variance

The research shows that speeds vary drastically per variant. LockBit, a Ransomware-as-a-Service tool, was the fastest — by far. LockBit encrypted 100,000 files in four minutes. The slowest variant took nearly four hours.

The performance of an infected PC or server impacts encryption speed. In general, encryption speeds up as performance increases. Not all components are equally influential. Memory had a limited impact during testing. Disk speeds only affected ransomware variants that supported additional CPU cores.