Ransomware and info stealers: 17 security solutions in the ATP test
In addition to phishing attacks, hackers and APT groups mostly use ransomware or info stealers when attacking Windows systems. The comprehensive Advanced Threat Protection test demonstrates that even after an attacker initially goes undetected, all is not lost. In this test series, the experts from AV-TEST evaluate step by step, in 10 demanding scenarios, what the protection solutions are capable of – and what they are not. In the latest test, the malware samples attacked with special techniques: they were concealed in scripts and installation packages, or they exploited harmless-looking Windows shortcut files. Most of the 17 protection products for consumers and corporate users put up a vigorous and successful defense, but individual products were outsmarted in a few cases.
In the past, cyberattackers often sent an executable file by e-mail. By now, even newcomers know they are not supposed to run such files. Recent attacks, however, deploy new techniques that cleverly cloak the attack code by concealing it in a script or in other harmless-looking files. With these techniques, the attacks are hidden so well that even experts cannot spot them at first glance.
In the latest Advanced Threat Protection test – or ATP test for short – performed in May and June 2024 under Windows 10, the following manufacturers of products for consumer users took part: Avast, AVG, Avira, Bitdefender, McAfee, Microsoft and Surfshark.
The testing of corporate solutions examined products from the following vendors: Avast, Bitdefender (with two versions), Check Point, Cybereason, Microsoft, Microworld, Sophos, Trellix and WithSecure.
In the test, 5 current ransomware samples and 5 info stealers were deployed, one in each of the 10 realistic attack scenarios. Each malware sample uses a different attack technique or even combines several techniques.
ATP test with 17 security products for Windows
The attackers used various techniques and tools to elude detection by security products. From one ATP test to the next throughout the year, the attackers' techniques vary, as do the ransomware and info stealers themselves. Within a single test, however, all products are confronted with identical attackers and identical attack techniques. Here are the techniques, briefly explained:
LuaJIT scripting interpreter: LuaJIT is a just-in-time compiler for the programming language Lua. Attackers conceal malicious code in Lua scripts and later execute them on the victims' computers. Because the interpreter is not widespread, malicious code in Lua scripts is harder to discover. In the test, an executable LuaJIT file is used that links to the library and thus launches the malicious code as a script.
NSIS (Nullsoft Scriptable Install System): This open-source, script-driven tool is used to create installation programs for Windows software. Attackers conceal malware and fake files in the installation packages; when a package is executed, it launches the ransomware or info stealer.
Code concealed in a LNK file: Malware code is hidden in a seemingly harmless shortcut file (.LNK) and is extracted via PowerShell, which is bundled with Windows. The code then loads ransomware and info stealers onto the Windows system and executes them.
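The shortcut technique described above can be triaged from the defender's side by parsing the shortcut itself: a .LNK file is a Shell Link binary (MS-SHLLINK) whose fixed 76-byte header records, among other things, how the target window is shown, and whose StringData section carries the target path and command-line arguments. The example below is added here and is not code from AV-TEST or from any tested product. It parses those two parts, skips the optional IDList and LinkInfo blocks, and reports triage signals such as a script interpreter as target, a minimized-and-unfocused window, and PowerShell switches that hide the window. The two shortcuts it analyzes are constructed in memory for the demonstration and are not lab samples; the interpreter and argument lists are assumptions chosen for illustration, and the signals are review hints for an analyst, not verdicts.

```python
import struct

# LinkCLSID 00021401-0000-0000-C000-000000000046 in its on-disk byte order.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits from the Shell Link header.
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

SW_SHOWNORMAL = 1
SW_SHOWMINNOACTIVE = 7  # target window starts minimized and without focus

# StringData entries appear in this fixed order, each present only if its flag is set.
STRING_FIELDS = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)

# Assumed triage lists: interpreters rarely launched from a document-style shortcut,
# and switches that hide or obscure what PowerShell runs.
INTERPRETERS = ("powershell", "pwsh", "cmd.exe", "wscript", "cscript", "mshta", "rundll32")
SUSPICIOUS_ARGS = ("-windowstyle hidden", "-w hidden", "-encodedcommand", "-enc",
                   "-nop", "iex", "invoke-expression", "downloadstring", "frombase64string")


def _read_string(buf, pos, unicode):
    """Read one StringData entry: uint16 character count, then the characters."""
    count = struct.unpack_from("<H", buf, pos)[0]
    pos += 2
    end = pos + (count * 2 if unicode else count)
    text = buf[pos:end].decode("utf-16-le" if unicode else "latin-1")
    return text, end


def parse_lnk(buf):
    """Return header fields and StringData of a Shell Link file as a dict."""
    if struct.unpack_from("<I", buf, 0)[0] != 0x4C or buf[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", buf, 20)[0]
    show_command = struct.unpack_from("<I", buf, 60)[0]
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:  # IDList: uint16 size prefix, then the items
        pos += 2 + struct.unpack_from("<H", buf, pos)[0]
    if flags & HAS_LINK_INFO:            # LinkInfo: uint32 size that includes itself
        pos += struct.unpack_from("<I", buf, pos)[0]
    info = {"flags": flags, "show_command": show_command}
    for flag, key in STRING_FIELDS:
        if flags & flag:
            info[key], pos = _read_string(buf, pos, bool(flags & IS_UNICODE))
    return info


def triage_lnk(buf):
    """Return a list of triage signals; an empty list means nothing stood out."""
    info = parse_lnk(buf)
    target = (info.get("relative_path", "") + " " + info.get("name", "")).lower()
    args = info.get("arguments", "").lower()
    findings = []
    if any(i in target or i in args for i in INTERPRETERS):
        findings.append("target is a script interpreter")
    if info["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("window is minimized and unfocused on launch")
    hits = [k for k in SUSPICIOUS_ARGS if k in args]
    if hits:
        findings.append("suspicious arguments: " + ", ".join(hits))
    if len(args) > 200:
        findings.append("unusually long argument string (%d chars)" % len(args))
    return findings


def build_lnk(relative_path, arguments, show_command):
    """Construct a minimal Unicode .LNK in memory (demonstration input, not a real sample)."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)

    def s(text):
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")

    return header + s(relative_path) + s(arguments) + b"\x00\x00\x00\x00"  # TerminalBlock


# Constructed inputs: an ordinary editor shortcut and one that launches PowerShell hidden.
BENIGN_LNK = build_lnk("..\\Windows\\notepad.exe", "notes.txt", SW_SHOWNORMAL)
HIDDEN_PS_LNK = build_lnk(
    "..\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    '-NoProfile -WindowStyle Hidden -Command "Write-Output test"',
    SW_SHOWMINNOACTIVE,
)

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_LNK), ("hidden powershell", HIDDEN_PS_LNK)):
        print(label, "->", triage_lnk(blob) or ["no findings"])
```

Real malicious shortcuts often place the target in the IDList rather than in RelativePath, so a production tool would also decode the shell items; the parser here skips that block and relies on the string fields, which is enough to show how the header and arguments expose a hidden interpreter launch.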
In the ATP test, the individual steps of detection and defense are recorded and described in a matrix according to the MITRE ATT&CK standard. With ransomware there are three key steps to recognize, with info stealers four actions. The lab awards a half or a full point for each step or action fended off. A product can therefore earn 3 points for each of the five ransomware samples it detects and neutralizes, and 4 points for each of the five info stealers. The highest possible protection score is thus 35 points.
The ten test scenarios
All attack scenarios are documented according to the standard of the MITRE ATT&CK database. The individual sub-techniques are listed in the MITRE database under "Techniques", for example "T1566.001" under "Phishing: Spearphishing Attachment". Each test step is thus defined in terms experts share and can be followed logically. In addition, all attack techniques are explained, along with how successful the malware is.
ATP test results of products for consumer users
Many products for consumer users performed well in this test, but some also experienced serious issues. The protection packages from Avast, AVG, McAfee, Microsoft and Surfshark were error-free in all 10 scenarios with ransomware and info stealers. For this they all received the maximum 35 points for the protection score.
Avira reached 34 out of the possible 35 points. The package had its problems in a scenario involving ransomware: Avira did identify the attacker but was not able to stop it completely. In the end, individual files were encrypted.
It was not a good test day for Bitdefender. First, an info stealer was not recognized and was not thwarted over the course of the test. Data was stolen accordingly and the first 4 points were lost. Moreover, in two cases, ransomware attackers were detected but not completely stopped. Although other defense mechanisms took effect, individual files were ultimately encrypted in these 2 scenarios. This cost an additional two points, so the protection score was only 29 out of 35 points.
All protection packages earned the "Advanced Certified" certificate in this test, as they achieved 75 percent of the maximum 35 points (26.5 points).
ATP test results of corporate solutions
The results for corporate user solutions were also mixed. 7 of the 10 products evaluated in the ATP test worked flawlessly in all 10 scenarios and received the maximum 35 points each for their protection score. They were from Avast, Bitdefender (Endpoint Security Ultra version), Check Point, Microworld, Sophos, Trellix and WithSecure.
Microsoft Defender Antivirus (Enterprise) recognized a ransomware attack but could not stop it completely. The problem persisted to the end, when individual files were encrypted. This solution received 34 out of 35 points.
While Bitdefender Endpoint Security "Ultra" received the full 35 points without any errors, the Endpoint Security version received only 30.5 out of 35 points. In the test, this version detected two ransomware attackers but could not block them completely. As a result, individual files were encrypted and a total of 2 points were lost. Bitdefender had a similar problem with an info stealer: although it was detected, it could not be completely stopped, which allowed the attacker to begin collecting and stealing data. In this case, only 1.5 of 4 points remained – an additional 2.5 points were lost.
In three cases involving info stealers, Cybereason's product recognized the attackers but could not stop them. As a result, the attackers created scripts and executable files. After that, however, the fight was over, and further protective mechanisms ended the attack in all three cases. In the final analysis, Cybereason lost half a point three times, and thus had a total of 1.5 points deducted.
Cybereason had a similar experience with ransomware in three cases: the attacker was always detected but not completely blocked. In the next step, the attackers installed their toolkit (scripts or files) on the system three times. Afterwards, further protection mechanisms ended the process and stopped the attack. But these difficulties cost an entire point three times in the scoring. By the end of the test, Cybereason had achieved 30.5 out of 35 points for its protection score.
All products received “Advanced Approved Endpoint Protection” certification, as they achieved 75 percent (at least 26.5 points out of 35 points) for the protection score.
Devious attackers versus flexible pros
The test once more demonstrated how dynamically defense against attackers can work. Even if ransomware successfully infiltrates some parts of Windows, the system is not yet lost. The test showed that the various protection mechanisms also kicked in successfully at later stages. Among the 17 products evaluated, yielding 170 test scenarios, there was only one case in which the attacker was not detected and thus not stopped. In the other test scenarios in which the malware was not detected at first, the security programs managed to defend the systems successfully in later stages. There were a few cases, however, in which data was partly stolen or, in single instances, files were encrypted.
Five products for consumer users, from Avast, AVG, McAfee, Microsoft and Surfshark, were fully successful and stood out with 35 points. Among the solutions for corporate users, the products from Avast, Bitdefender (Endpoint Security Ultra version), Check Point, Microworld, Sophos, Trellix and WithSecure performed absolutely flawlessly in the test.