August 18, 2022 | Text: Markus Selinger | Antivirus for Windows

Security vs. Ransomware: 34 Solutions in the Advanced Threat Protection Test

The waves of attacks with ransomware are becoming more and more frequent, especially given the fact that now there is Ransomware-as-a-Service, allowing even non-techie cybercriminals to also join in the attacks. Can the latest security solutions on the market for corporate users and consumer users withstand the onslaughts? The Advanced Threat Protection tests from AV-TEST quickly reveal how well solutions are able to mount a defense against ransomware. In realistic scenarios, each defense and interception step carried out by the solutions is documented and evaluated. Many security products work well – but not all.

Fending off ransomware

Advanced Threat Protection test with 34 security packages and solutions

As if the attacks of the normal APT groups weren’t enough stress, their new business model, RaaS (Ransomware-as-a-Service), is gaining more and more traction. With RaaS, APT groups license their ransomware to attackers who have little experience with it: the ransomware is delivered, and the infrastructure is made available. A portion of the money collected from each individual extortion goes straight to the APT group. This model will naturally result in more and more ransomware attacks now and in the future. That is why it is all the more important to know how well security solutions identify, stop and eliminate the attackers. Unlike with traditional malware, the mere detection of ransomware does not always lead to a successful defense. However, even ransomware that is not detected at the outset can still be stopped during the course of the attack. Insights into how well all of this works are provided by the Advanced Threat Protection tests from AV-TEST. In the test, all products – whether for corporate or consumer users – are each required to withstand 10 live scenarios with ransomware.

34 solutions put to the test – 340 live scenarios

The products examined in the test are divided up into two groups with 17 products each. The 17 security packages for consumer users come from AhnLab, Avast, AVG, Avira, Bitdefender, F-Secure, G DATA, K7 Computing, Kaspersky, Malwarebytes, McAfee, Microsoft, NortonLifeLock, PC Matic, Protected.net, Trend Micro and VIPRE Security.

The other 17 security solutions for corporate users originate from AhnLab, Avast, Bitdefender (2 products), Comodo (soon to be Xcitium), G DATA, Kaspersky (2 products), Malwarebytes, Microsoft, Sangfor Technologies, Seqrite, Symantec, Trellix, Trend Micro, VMware and WithSecure (formerly F-Secure Business).

In 10 defined, realistic scenarios under Windows, each individual solution is required to detect and fend off ransomware or identify its further steps and stop the attack. The 10 scenarios are explained in the charts below. An e-mail arrives with a zip file attachment, for example. It contains an executable file that launches immediately upon unzipping. Afterwards, the ransomware starts to take over and encrypt the system with various steps. The test scenarios list the type of attack in each step. In the process, the lab specifies the definitions in MITRE ATT&CK “Techniques” codes. The lab also explains the exact technical steps of an Advanced Threat Protection test in the already released article New Lines of Defense: EPPs and EDRs Put to the Test Against APT and Ransomware Attacks.

Protection software vs. ransomware attacks

The Advanced Threat Protection test reveals how well the 17 security packages in the test stand up against 10 realistic scenarios with ransomware

Security solutions for corporate users vs. ransomware

The nightmare for all companies – ransomware! The Advanced Threat Protection test reveals the performance of the security solutions in providing defense

Facing off against ransomware 340 times

If during a test a security package detects ransomware in one of the first two steps (initial access or execution), the attack is considered thwarted. The lab uses color coding for quick evaluation of the table. The color green means: attack stopped, yellow: only partially stopped, and orange indicates: attack not stopped (no detection). The yellow field at the end can indicate two results: if the attack is only partially detected, then there is either encryption of individual files (some files encrypted) or the ransomware was indeed prevented from encrypting files but it is able to remain on the system (malware remains on system). If there is an orange field at the end of the row of fields in the chart, the attack is considered undetected and the ransomware is able to launch completely (files encrypted).

The point system is kept as simple as the evaluation: the lab awards up to 4 points for complete detection or defense per scenario. There is a significant point deduction for partial detections. The scores of all 10 scenarios then add up to the protection score, which in this test is a maximum of around 40 points. Please note: while the Advanced Threat Protection tests do occur regularly every two months, the scenarios may vary, and thus also the maximum points of the protection score.
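As an added illustration (not AV-TEST’s own tooling), the evaluation rules above modelled in Python: the per-outcome point deductions and the constructed sample scenarios with their technique ids are assumptions, since the article states only the 4-point maximum per scenario, a “significant” deduction for partial detections and the 75 percent certification threshold.

```python
from dataclasses import dataclass, field

MAX_PER_SCENARIO = 4.0   # stated on the page: up to 4 points per scenario
CERT_THRESHOLD = 0.75    # certificate requires 75 % of the maximum score

# ASSUMED deductions per outcome the product failed to prevent; the article
# only says the deduction for a partial detection is "significant".
DEDUCTIONS = {
    "files_encrypted": 1.0,      # some files encrypted
    "malware_remains": 1.0,      # blocked, but the sample stays on the system
    "registry_key_set": 0.75,
    "wallpaper_changed": 0.75,
}


@dataclass
class Step:
    technique: str   # MITRE ATT&CK technique id, e.g. "T1059.001"
    detected: bool   # did the product flag this step?


@dataclass
class Scenario:
    steps: list                                # ordered attack steps
    effects: set = field(default_factory=set)  # outcomes that were NOT prevented


def classify(s: Scenario) -> str:
    """Colour of the last field in the lab's chart for this scenario."""
    hit = next((i for i, st in enumerate(s.steps) if st.detected), None)
    if hit is None:
        return "orange"            # undetected: ransomware runs to completion
    return "yellow" if s.effects else "green"   # partially stopped / stopped


def score_scenario(s: Scenario) -> float:
    if classify(s) == "orange":
        return 0.0                 # full 4-point loss, as with G DATA's misses
    return max(0.0, MAX_PER_SCENARIO - sum(DEDUCTIONS[e] for e in s.effects))


def protection_score(scenarios) -> float:
    return sum(score_scenario(s) for s in scenarios)


def certified(scenarios) -> bool:
    maximum = MAX_PER_SCENARIO * len(scenarios)
    return protection_score(scenarios) >= CERT_THRESHOLD * maximum


# Constructed sample run: 8 clean defenses, one partial detection, one miss.
CLEAN = Scenario([Step("T1566.001", True), Step("T1204.002", False)])
PARTIAL = Scenario([Step("T1566.001", False), Step("T1204.002", False),
                    Step("T1486", True)], {"files_encrypted"})
MISSED = Scenario([Step("T1566.001", False), Step("T1486", False)])
SAMPLE_RUN = [CLEAN] * 8 + [PARTIAL, MISSED]
```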

Test scenarios

All attack scenarios are documented according to the standard of the MITRE ATT&CK database. The individual sub-techniques, for example “T1059.001”, are listed in the MITRE database for “Techniques” under 1059.001 “Command and Scripting Interpreter: PowerShell”. Each test step is thus defined in terms familiar to experts and can be followed logically.

[Charts: test scenarios 01 to 10]

Consumer users: 12 products are error-free

In this test, a total of 17 products each faced off against 10 realistic attack scenarios with ransomware. 12 of the security packages were very successful. They detected the ransomware immediately and did not allow any further actions. For this they received the maximum 40 points of the protection score: AhnLab, Avast, AVG, Avira, F-Secure, Kaspersky, McAfee, Microsoft, NortonLifeLock, PC Matic, Protected.net and VIPRE Security.

This was followed by Bitdefender and K7 Computing with 39 out of 40 points. Both incurred a partial detection in one scenario. With Bitdefender, a small number of files were encrypted. With K7 Computing, the encryption was indeed stopped, but the malware remained on the PC and continued to be a threat. Trend Micro had the same problem – but a total of three times. This resulted in only 37 points.

Malwarebytes had two partial detections. In one instance, some files were encrypted. In the second case, in addition to the encryption of some files, a registry key was set and the desktop background image was modified. As every action that could not be prevented resulted in points being taken off, there were only 36.5 points in total.

The security package from G DATA did not detect any attacker in two scenarios, and as a result, the ransomware executed. G DATA lost the four points twice and managed to land at 32 points.

In order for a product to receive the certificate “Advanced Certified” in the test, it was required to achieve at least 75 percent (30 points) of the maximum 40 points of the protection score. All the products in the test managed to do so.

Corporate users: many solutions work error-free

The solutions for corporate users evaluated in the test largely revealed excellent results. 12 of the 17 products tested achieved the full 40 points of the protection score.

Bitdefender followed with its two solutions at 39 points, as there was one partial detection each.

Seqrite had a few problems in three cases and received 37 points. There was one partial detection, for example, where individual files were encrypted. In the other cases, the ransomware was indeed detected and blocked, but it remained on the system. That is an additional risk.

Trend Micro had this difficulty a total of three times. The risk does still remain, but at least nothing was encrypted. There were also 37 points awarded to Trend Micro.

The corporate user solution from G DATA failed to detect the attackers in two scenarios, and the ransomware deployed. This cost a full 8 points; in the end, the product still reached 32 points.

All of the business products were awarded the “Advanced Approved Endpoint Protection” certificate because they achieved 75 percent (30 points) of the maximum protection score of 40 points.

Ransomware fended off – with or without service

While many of the leading products are able to finish in flying colors in the traditional detection test, in the Advanced Threat Protection test from AV-TEST they also have to show their performance after detection or non-detection of the ransomware. Especially when it comes to the topic of ransomware, this is enormously important, because if ransomware makes its way through and is allowed to fully deploy, then the system is encrypted and the rest of the network is in grave danger.

The security packages for consumer users showed a positive result in the test. 12 of the 17 packages achieved the full 40 points. In the mix were the freeware Avast Free Antivirus and Microsoft Defender. Those seeking a reliable security package with a wider range of features will find it in the paid products from AhnLab, AVG, Avira, F-Secure, Kaspersky, McAfee, NortonLifeLock, PC Matic, Protected.net or VIPRE Security.

The result for corporate solutions was equally compelling. Here 12 out of 17 products reached the full 40 points: AhnLab, Avast, Comodo, Kaspersky (with 2 versions), Malwarebytes, Microsoft, Sangfor Technologies, Symantec (Broadcom), Trellix, VMware and WithSecure (formerly F-Secure Business). Corporate users will thus find a broad range of solutions bearing the certificate “Advanced Approved Endpoint Protection” to protect their network and their endpoints.

Test results for consumer users: AhnLab, Avast, AVG

[Test result charts: AhnLab (2 pages), Avast (2 pages), AVG (2 pages)]

Test results for consumer users: Avira, Bitdefender, F-Secure

[Test result charts: Avira (2 pages), Bitdefender (2 pages), F-Secure (2 pages)]

Test results for consumer users: G DATA, K7 Computing, Kaspersky

[Test result charts: G DATA (2 pages), K7 Computing (2 pages), Kaspersky (2 pages)]

Test results for consumer users: Malwarebytes, McAfee, Microsoft

[Test result charts: Malwarebytes (2 pages), McAfee (2 pages), Microsoft (2 pages)]

Test results for consumer users: NortonLifeLock, PC Matic, Protected.net

[Test result charts: NortonLifeLock (2 pages), PC Matic (2 pages), Protected.net (2 pages)]

Test results for consumer users: Trend Micro, VIPRE Security

[Test result charts: Trend Micro (2 pages), VIPRE Security (2 pages)]

Test results for corporate users: AhnLab, Avast, Bitdefender

[Test result charts: AhnLab (2 pages), Avast (2 pages), Bitdefender (2 pages)]

Test results for corporate users: Bitdefender (Ultra), Comodo, G DATA

[Test result charts: Bitdefender (Ultra) (2 pages), Comodo (2 pages), G DATA (2 pages)]

Test results for corporate users: Kaspersky, Kaspersky (Small Office), Malwarebytes

[Test result charts: Kaspersky (2 pages), Kaspersky (Small Office) (2 pages), Malwarebytes (2 pages)]

Test results for corporate users: Microsoft, Sangfor Technologies, Seqrite

[Test result charts: Microsoft (2 pages), Sangfor Technologies (2 pages), Seqrite (2 pages)]

Test results for corporate users: Symantec, Trellix, Trend Micro

[Test result charts: Symantec (2 pages), Trellix (2 pages), Trend Micro (2 pages)]

Test results for corporate users: VMware, WithSecure

[Test result charts: VMware (2 pages), WithSecure (2 pages)]
