33 Protection Products: Strong Defense against Ransomware and Data Stealers
Law enforcement agencies such as Interpol, FBI and national police departments work very well together and have scored some successes. APT groups, such as HIVE, Emotet or QBot were indeed broken up, but their malware and their code remains in circulation. This inspires additional groups to make modifications and to develop new malware. As an additional variant, the cyber attackers use further techniques for the assault.
In the latest test, involving 10 real-life attack scenarios, the lab at AV-TEST examined 5 ransomware attacks and 5 attacks with data stealers. In the process, the attackers partly used the "DNS TXT Record" technique or relied on encrypted connections via HTTPS. Some of the malware samples were written in the relative new programming language, Rust. The advantage for attackers: Rust is very fast and allows many operations to be run in parallel. The greatest advantage, however, is that malware authored in Rust can evade the statistical analysis of many malware detection systems. That is why the latest test with its dynamic detection and defense is so important.
Attack techniques and Rust programming
The harnessed technique, "DNS TXT Record" can be briefly summarized as follows: With the tool DNS Lookup, Windows offers the opportunity to query the text information of a domain. Attackers take advantage of this scenario. They attack and then query a DNS TXT record per PowerShell. This does not contain any information, however, but rather an additional command line that is transferred and executed. This circumvented route seeks to elude detection by protection software.
The second technique is the use of HTTPS. The "Hypertext Transfer Protocol Secure" protects a connection not only against eavesdropping but also against manipulation. Attackers use this secure direct line so that the protection software cannot analyze the content. It is actually no problem, however, that protection systems open these connections, analyze them and then pass them on. This function only has to be used. But attackers rely on the protection function not be used. An analysis of Watchguard at the end of 2022 indicated that over 80 percent of the registered attacks occurred encrypted per HTTPS.
In July and August 2023, in 10 real-life scenarios, the lab at AV-TEST examined the security capabilities of 16 protection packages for consumer users and of 17 endpoint solutions for corporate users under Windows 10 Professional.
ATP test: security software for consumer users
ATP test: security software for corporate users
Techniques of data stealers and ransomware
In detecting and defending against malware, all the protection products combine various dynamic techniques, such as EDR – Endpoint Detection & Response. The "scenario" illustrations from 1 to 10 below indicate how all 10 attacks unfolded, along with the individual defensive steps.
The sequence of an attack in the Advanced Threat Protection test usually follows this pattern: a spearphishing e-mail, containing a malware attachment, ends up in a Windows system. This is where the protection systems detect the attacker immediately or as soon as it starts running. In the results chart, this is confirmed with the green field under "Initial Access“ or under "Execution". If that is the case, then the attack is already thwarted.
If this does not occur, the attackers go to work: The data stealers gather information on existing data and "exfiltrate" them to a C2 server afterwards. The ransomware also does collect information, but generally only sends a file list of all drives to the C2 server. Then, the data encryption and renaming of data begins. After encryption, a text file is displayed on the desktop, informing the user about the attack and demanding ransom.
For each detected and marked attack step, the lab awarded points. For data stealers, this meant up to 4 points, and for ransomware up to 3 points. The highest value in the protection score was thus 20 points for data stealers, plus a maximum of 15 points for ransomware. This means that in total, the lab awarded up to 35 points.
In order to find a more detailed explanation of the evaluation tables and the individual color codes in the traffic light system please see also the article ”Test and Study: Do Security Solutions stop Current Ransomware under Windows 11?“.
The 10 test scenarios
All attack scenarios are documented according to the standard of the MITRE ATT&CK database. The individual sub-techniques, for example "T1566.001", are listed in the MITRE database for "Techniques" under "Phishing: Spearphishing Attachment". Each test step is thus defined among the experts and can be logically understood. In addition, all attack techniques are explained, along with how successful the malware is.
ATP test of products for consumer users
A total of 16 security products for consumer users faced off in the Advanced Threat Protection (ATP) test under Windows 2023. Included in the test were products from the following manufacturers: AhnLab, Avast, AVG, Avira, Bitdefender, F-Secure, Kaspersky, Malwarebytes, McAfee, Microsoft, Microworld, Norton, Panda, PC Matic, Protected.net and Trend Micro.
All products flawlessly fended off the attackers in the 10 scenarios. The deployed techniques "DNS TXT Record" or encrypted connections were of little benefit to the attackers, nor was the use of the Rust programming language for the malware. Thus, each product received the full 35 points on its protection score for this performance.
All products for consumer users received the certificate "Advanced Certified", as they achieved a protection score of 75% out of the 35 points (i.e. 26.3 points).
ATP test for corporate user solutions
The 17 protection products examined in the Advanced Threat Protection test for Windows endpoints for corporate users came from the following manufacturers: Acronis, AhnLab, Avast, Bitdefender (with two versions), Check Point, Kaspersky (with two versions), Malwarebytes, Seqrite, Sophos, Symantec, Trellix, Trend Micro, VMware, WithSecure and Xcitium.
In the area of corporate users, 16 out of 17 products evaluated delivered flawless performance. In none of the 10 scenarios were the ransomware and the data stealers able to penetrate the systems and unleash their destructive payload. For this, the 16 products received the full 35 points for the protection score.
Only Trellix had difficulties in one scenario and was not able to block the attacker completely. In the end, encryption occurred in individual files, and the solution had one point taken off as a result.
For this performance, the solutions also earned the certificate "Advanced Approved Endpoint Protection". The only exceptions here are Acronis and Panda. The products passed the test error-free, however AV-TEST only certifies products that achieve certification in the regular monthly tests and fulfillment of all their criteria.
Error-free defensive performance of nearly all products
The latest Advanced Threat Protection test from July and August is really something special. 32 out of 33 evaluated products for consumer users and corporate users completed the test error-free and received the maximum 35 points.
In the 10 test scenarios, the attackers deployed the latest techniques, such as DNS TXT Record, encrypted connections or even the Rust programming language. But the protection programs know all these variants and respond accordingly in the detection and defense. All in all: nearly exemplary performance!