Boom! 54 Gb gone in 6 minutes

Published on 30/03/2022 | Written by Heather Wright


Ransomware encryption speeds, and Okta stumbles…

If we needed any more examples of the importance of speed when it comes to cybersecurity, Okta and a new ransomware report have provided it – albeit from two very different aspects.

First up is the ransomware report, courtesy of Splunk Surge which shows ransomware is encrypting faster than organisations can respond.

How fast is that? Well, according to the research, which tested 10 malware variants, the median encryption time across ransomware families was 42 minutes and 52 seconds for 98,562 files – some 53.83GB.

Organisations need to start looking ‘left of boom’.

LockBit ransomware, however, is in a class of its own, encrypting 100,000 files in 5 minutes and 50 seconds. It beat out REvil – something of a slowcoach at 24 minutes 16 seconds – and third-placed Ryuk, at 14 minutes, 40 seconds. Second-placed in the speed test was Babuk at 6:34, followed by Avaddon at 12:15.

Slowest cab off the rank was Mespinoza, at one hour, 54 minutes and 54 seconds.

“Forty-three minutes is an extremely limited window of opportunity for mitigation, especially considering that the average time to detect compromise is three days, as the Mandiant M-Trends report found,” the report notes.

Shannon Davis, Splunk Surge staff security strategist, says the results of the research give organisations knowledge they could use to organise their defences.

“If organisations have more than 20 hours before ransomware finishes encrypting, they might choose to focus on detecting and mitigating ransomware after infection. 

“If ransomware encrypts an entire system in 52 seconds, organisations should probably respond earlier in the ransomware lifecycle.”

Ransomware is considered one of the most significant threats to Australian and New Zealand organisations. The Australian Cyber Security Centre reports show it received more than 500 ransomware cybercrime reports in 2020-21, an increase of 15 percent. In New Zealand, CERT NZ reported a ‘significant increase’ in ransomware reports in 2021, peaking in Q2 with ransomware accounting for 30 incidents out of 1,624 for the quarter. Those numbers have steadily declined since then, with ransomware accounting for just 13 of the 3,977 incidents reported to CERT NZ.

However, in July 2021, large numbers of Kiwi organisations, including Cambridge’s St Peter’s School, were among those hit by a global ransomware attack affecting Kaseya. Datacom reported that it was aware of 200 businesses whose files had been encrypted as part of the attack. The alleged attacker was arrested in Poland earlier this month and extradited to the United States, where he’s expected to face trial.

Based on the figures from Splunk Surge’s research, Davis says organisations need to start looking ‘left of boom’, where boom is the malware detonation, and assess their capabilities to prevent or detect the ransomware group’s behaviour. 

“Multi-factor authentication, network segmentation, patching, and centralised logging – couldn’t help myself there – are all very good strategies to bolster your defences against ransomware or any other malicious actors for that matter,” he says.
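The report’s point is that a median of roughly 43 minutes, and under six minutes for LockBit, leaves no room for a detection that takes days. One practical ‘left of boom’ control that centralised logging enables is a rate-based alert on file activity. The script below is an added example, not code from Splunk Surge or the report: it converts the article’s figures into files-per-second throughput, then runs a sliding-window detector over constructed file-event log lines (the log format, host names, PIDs and process names are all made up for illustration) and alerts within seconds of a process starting to rename files at ransomware-like speed.

```python
"""Rate-based ransomware detection over file-event logs.

Added example. The log line format (ts host= pid= proc= op= path=) and every
sample line below are constructed for illustration, not taken from any
product or from the Splunk Surge report.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Throughput implied by the figures quoted in the article.
MEDIAN_FILES, MEDIAN_SECONDS = 98_562, 42 * 60 + 52      # 42:52 for 98,562 files
LOCKBIT_FILES, LOCKBIT_SECONDS = 100_000, 5 * 60 + 50    # 5:50 for 100,000 files


def files_per_second(files: int, seconds: int) -> float:
    """Average encryption throughput: files touched per second."""
    return files / seconds


LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) pid=(?P<pid>\d+) proc=(?P<proc>\S+) "
    r"op=(?P<op>\S+) path=(?P<path>\S+)$"
)
ENCRYPT_OPS = {"rename", "write"}   # ops a bulk encryptor must perform


def parse(line: str):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
    return ev


def detect(lines, window_seconds: int = 10, threshold: int = 30):
    """Sliding-window detector.

    For each (host, pid), keep the timestamps of rename/write events seen in
    the last `window_seconds`. The first time that count reaches `threshold`
    an alert (host, pid, proc, alert_time) is emitted; one alert per process.
    Lines are expected in time order, as a log pipeline would deliver them.
    """
    windows = defaultdict(deque)
    alerted, alerts = set(), []
    for line in lines:
        ev = parse(line)
        if ev is None or ev["op"] not in ENCRYPT_OPS:
            continue
        key = (ev["host"], ev["pid"])
        q = windows[key]
        q.append(ev["ts"])
        cutoff = ev["ts"] - timedelta(seconds=window_seconds)
        while q and q[0] < cutoff:          # drop events that left the window
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append((ev["host"], ev["pid"], ev["proc"], ev["ts"]))
    return alerts


def _make_lines(host, pid, proc, op, start, count, spacing_s, ext):
    """Build constructed log lines: `count` events, one every `spacing_s` seconds."""
    out = []
    for i in range(count):
        ts = (start + timedelta(seconds=i * spacing_s)).isoformat().replace("+00:00", "Z")
        out.append(f"{ts} host={host} pid={pid} proc={proc} op={op} "
                   f"path=C:/Users/a/Documents/f{i}{ext}")
    return out


_T0 = datetime(2022, 3, 29, 10, 0, 0, tzinfo=timezone.utc)
# Constructed sample: a word processor saving 5 files over a minute (benign),
# then an unknown process renaming 40 files in 5 seconds (ransomware-like).
SAMPLE_LINES = (
    _make_lines("ws-14", 1001, "word.exe", "write", _T0, 5, 12, ".docx")
    + _make_lines("ws-14", 4412, "unknown.exe", "rename",
                  _T0 + timedelta(minutes=1), 40, 0.125, ".locked")
)

if __name__ == "__main__":
    print(f"median variant: {files_per_second(MEDIAN_FILES, MEDIAN_SECONDS):.1f} files/s")
    print(f"LockBit:        {files_per_second(LOCKBIT_FILES, LOCKBIT_SECONDS):.1f} files/s")
    for host, pid, proc, ts in detect(SAMPLE_LINES):
        print(f"ALERT {host} pid={pid} {proc} at {ts.isoformat()}")
```

The threshold of 30 file modifications in 10 seconds is well under the 38 files/s the median figure implies and far under LockBit’s roughly 286 files/s, yet the benign burst of five saves never trips it; tune it against your own baseline of backup, indexing and build processes before enabling an automated response.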

Meanwhile, it was a lack of speed that got Okta into a whole world of pain.

Last week the company ‘fessed up to a hack which ‘may’ have affected 2.5 percent of its customers – no small number for an authentication company with more than 100 million users at thousands of organisations around the world.

Hacks, of course, happen. But Okta only admitted it after hacking group Lapsus$ posted screenshots to its Telegram channel. 

Okta has since admitted that an attempt to compromise the account of a third-party customer support employee at Sitel was first noted in January.

A report from a forensic firm, provided to Okta on March 17, highlighted a five-day window of time between January 16-21 when the threat actor had access to the Sitel environment. 

“In trying to scope the blast radius for this incident, our team assumed the worst-case scenario and examined all of the access performed by all Sitel employees to the SuperUser application for the five-day period in question,” Okta chief security officer David Bradbury says.

“Over the past 24 hours we have analysed more than 125,000 log entries to ascertain what actions were performed by Sitel during the relevant period. We have determined that the maximum potential impact is 366 (approximately 2.5 percent of) customers whose Okta tenant was accessed by Sitel.”
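The scoping approach Bradbury describes, counting every tenant any Sitel actor touched in the window as potentially impacted rather than trying to judge which actions were legitimate, is worth having ready as a script before an incident. The example below is added here and is not Okta’s code; the audit log schema (ts, actor, actor_org, tenant, action), the tenant and actor names and the entries themselves are all constructed for illustration, and the January 16-21 window is the one the article quotes.

```python
"""Worst-case blast-radius scoping over support-tool audit logs.

Added example, not Okta's tooling. The JSON log schema and all entries are
constructed; only the date window comes from the incident as reported.
"""
import json
from collections import defaultdict
from datetime import datetime, timezone

WINDOW_START = datetime(2022, 1, 16, tzinfo=timezone.utc)
WINDOW_END = datetime(2022, 1, 22, tzinfo=timezone.utc)   # exclusive, so Jan 16-21 inclusive

# Constructed audit entries: one just before the window, one just after,
# one by an Okta (not Sitel) actor, and four by Sitel actors inside the window.
SAMPLE_LOG = [json.dumps(e) for e in [
    {"ts": "2022-01-15T23:59:00Z", "actor": "s.jones", "actor_org": "Sitel", "tenant": "acme",     "action": "user.view"},
    {"ts": "2022-01-16T09:12:00Z", "actor": "s.jones", "actor_org": "Sitel", "tenant": "acme",     "action": "user.view"},
    {"ts": "2022-01-17T14:03:00Z", "actor": "s.jones", "actor_org": "Sitel", "tenant": "globex",   "action": "password.reset"},
    {"ts": "2022-01-18T10:30:00Z", "actor": "m.lee",   "actor_org": "Sitel", "tenant": "acme",     "action": "mfa.reset"},
    {"ts": "2022-01-19T08:00:00Z", "actor": "a.smith", "actor_org": "Okta",  "tenant": "initech",  "action": "user.view"},
    {"ts": "2022-01-21T23:00:00Z", "actor": "m.lee",   "actor_org": "Sitel", "tenant": "initech",  "action": "user.view"},
    {"ts": "2022-01-22T00:10:00Z", "actor": "m.lee",   "actor_org": "Sitel", "tenant": "umbrella", "action": "user.view"},
]]

SENSITIVE_ACTIONS = ("password.reset", "mfa.reset")   # assumed action names


def parse_ts(s: str) -> datetime:
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def scope_blast_radius(lines, actor_org: str, start: datetime, end: datetime) -> dict:
    """Worst case: every tenant that any actor from `actor_org` accessed inside
    [start, end) is treated as potentially impacted, whatever the action was.
    Returns the number of in-scope entries and, per tenant, who did what."""
    impacted = defaultdict(list)
    in_scope = 0
    for line in lines:
        e = json.loads(line)
        ts = parse_ts(e["ts"])
        if e["actor_org"] != actor_org or not (start <= ts < end):
            continue
        in_scope += 1
        impacted[e["tenant"]].append((e["actor"], e["action"]))
    return {"entries_in_scope": in_scope, "tenants": dict(sorted(impacted.items()))}


def prioritise(result: dict, sensitive=SENSITIVE_ACTIONS) -> list:
    """Tenants where a credential- or MFA-changing action occurred: these are
    the ones to notify and investigate first."""
    return sorted(t for t, acts in result["tenants"].items()
                  if any(a in sensitive for _, a in acts))


if __name__ == "__main__":
    result = scope_blast_radius(SAMPLE_LOG, "Sitel", WINDOW_START, WINDOW_END)
    print(f"{result['entries_in_scope']} entries in scope, "
          f"{len(result['tenants'])} tenants potentially impacted")
    for tenant, acts in result["tenants"].items():
        print(f"  {tenant}: {acts}")
    print("notify first:", prioritise(result))
```

Two design points carry over from the real incident: the window is applied as a half-open interval so the last day is not silently dropped, and the Okta-internal entry is excluded only because the question being answered is what the third party’s accounts could reach, not whether each action was malicious.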

While the hack may not be severe, it’s the lack of communication from Okta which has rankled many.

Lapsus$ may well have summed it up best. In a post on Telegram the hacker group said: “For a service that powers authentication systems to many of the largest corporations (and FEDRAMP approved) I think these security measures are pretty poor.”
