AV-TEST Fending off Ransomware even Against State-of-the-art Attack Techniques

Disclaimer
  1. This test shows how an antivirus behaves with certain threats, in a specific environment and under certain conditions.
    We encourage you to compare these results with others and take informed decisions on what security products to use.
    Before buying an antivirus you should consider factors such as price, ease of use, compatibility, and support. Installing a free trial version allows an antivirus to be tested in everyday use before purchase.

Gandalf_The_Grey

Level 76
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,566
APT groups that attack with ransomware use many different attack tactics to achieve their objectives. AV-TEST staged attacks on security products for consumer users and corporate users in 10 currently used scenarios each deploying the techniques ".Net Reflective Assembly loading”, ".Net Dynamic P/Invoke" and "AMSI Bypass". The Advanced Threat Protection tests were quite exciting as some of the programs were not able to withstand all the attack techniques.

The Advanced Threat Protection tests are indeed quite special, but they continuously test security software using the latest attack techniques of the APT groups. Such as ".Net Reflective Assembly loading", a technique used in a basic form in attacks from Cobalt Strike, Cuba or Lazarus. The techniques ".Net Dynamic P/Invoke" and "AMSI Bypass" are also popular, however, in latest attacks with ransomware. Following a successful attack, the systems are encrypted, and the blackmail by the APT groups ensues. Unless of course: the security products for consumer users and corporate users detect the attack techniques being used, stop the attack and liquidate the ransomware.
The latest attack techniques used in the test

.Net Reflective Assembly loading:
In order to obfuscate malware code, a typical technique is to load it reflectively during run time. Reflective loading enables the assignment and execution of a payload (executable malware code) directly in the memory of the process or to create a thread or process. DotNet offers the possibility of loading assemblies with Assembly.Load.

In our examples, an encrypted assembly is saved and the ransomware is implemented. It is decrypted, loaded and executed during run time, without creating an image on the hard drive.

.Net Dynamic P/Invoke: DotNet is capable of executing unmanaged code (code not specified for DotNet), which can be used to initiate standard Windows API calls. This enables the implementation of specific behavior that is not provided in DotNet. This is normally achieved by using the platform Invoke (P/Invoke). API calls used via P/Invoke can be monitored by defenders and easily intercepted. If P/Invoke is not used statically, libraries can be dynamically loaded during run time and the functions contained in them called up via the memory address. In the process, their use is obfuscated in order to avoid detection from security programs.

In our examples, we use Dynamic P/Invoke to call up API functions (VirtualAlloc, CreateThread) in order to load encrypted, reflective ransomware into the memory and execute it.

AMSI Bypass: The Antimalware Scan Interface (AMSI) is a scan API provided by Microsoft that can also be used by antivirus solutions. Part of its task consists of scanning script data before they are executed by a scripting engine. An attacker can manipulate the interface functions within a process, however, in order to interfere with the AMSI functionality.

In our examples, we use a PowerShell ransomware payload and try to execute it after the deactivation of AMSI. In another example, we launch a PowerShell process, inject a small shell code, which deactivates the AMSI, and then transfer the malicious ransomware to it.
Advanced test: protection for consumer users

In the current evaluation, the 10 security packages for consumer users were put to the advanced test. The products involved were from AhnLab, Bitdefender, G DATA, Kaspersky, McAfee, Microsoft, Microworld, Norton, PC Matic and VIPRE Security. Each product was required to stand up against 10 test scenarios, in which different attempts were made to inject and execute ransomware in the system.

The packages from Bitdefender, G DATA, Kaspersky, McAfee, Microsoft and PC Matic were able to detect all 10 attacks and block the ransomware before it was able to create any damage. Each product received 30 points on its protection score for this performance.

While Microworld and Norton also managed to detect the 10 attacks, they were not able to completely block the attacks in one case. Microworld had a point taken off, as individual files were encrypted: 29 points. With Norton, there was a total cave-in after the detection of the attack – the system was encrypted. But the product still achieved 27.5 points on its protection score.

AhnLab and VIPRE Security each detected only 9 out of 10 attacks. As a result, each lost a full 3 points in one instance. But VIPRE Security also had problems in a second instance: despite detection of the attack and the use of countermeasures, the system was encrypted in the end. This led to a deduction of an additional 1.5 points. AhnLab finished the test with 27 out of 30 points for the protection score, and VIPRE Security earned 25.5 points.

Because all products for consumer users were above the threshold of 22.5 points, they received the AV-TEST certificate "Advanced Certified".
Advanced test: solutions for business users

In the advanced test lineup of endpoint security solutions were products from AhnLab, Bitdefender (2 versions), Check Point, G DATA, Kaspersky (2 versions), Microsoft, Sangfor, Symantec, Trellix, VMware, WithSecure and Xcitium.

Each product was required to detect the attack technique and fend off ransomware in 10 scenarios. For each ransomware detected and stopped completely, the lab awarded 3 points. Delivering stellar performance with error-free detection of all attacks, and successful blocking of ransomware were the products from Bitdefender (Endpoint and Ultra version), Check Point, G DATA, Kaspersky (Endpoint and Small Office Security version), as well as Xcitium. For this they all received the maximum 30 points for the protection score.

Symantec and Microsoft did also detect all 10 attack scenarios, but they had difficulty in one instance: it is true they detected the attack, along with the ransomware. Both even initiated additional steps against the attack. But in the end, encryption occurred in individual files with Symantec, and for Microsoft even the entire system was encrypted. As a result, Symantec received 29 points and Microsoft earned 28.5 points for the protection score.

AhnLab, Sangfor and WithSecure all had the same problem. In one case, they detected neither the attack technique nor the ransomware. The system was ultimately encrypted, and all the products lost the full 3 points in one instance: they ended up with 27 points each for the protection score.

The solutions from Trellix and VMware came out the worst. Trellix was able to detect 9 out of 10 attack scenarios. In one instance, the ransomware was able to fully unfold. In two further instances, while the attack and the ransomware were detected, partial encryption of data could not be prevented. A total 24 points for the protection score.

VMware staged an even weaker finish. In two instances, there was no detection of the attack. In a third instance, while attack detection was successful, even stopping the ransomware, in the end a malicious VB script was left in the autostart of the system. At least nothing was encrypted. In final analysis, only 22.5 points remained for the protection score, and thus the number of points that are needed at least to receive the Advanced Protection certificate.
 

Bot

AI-powered Bot
Verified
Apr 21, 2016
3,405
This article highlights the various attack techniques employed by APT groups in the context of ransomware attacks, including ".Net Reflective Assembly Loading", ".Net Dynamic P/Invoke", and "AMSI Bypass". It also describes the Advanced Threat Protection tests conducted by AV-TEST on security products for both consumer and corporate users to assess their ability to withstand these attack techniques. The article reports that while some security products were successful in detecting and stopping all attacks, others had difficulties in encrypting individual files or even the entire system. Overall, all products for consumer users received the AV-TEST certificate "Advanced Certified", while some products for business users fell short of the required 22.5 points needed to receive the Advanced Protection certificate.
 

NormanF

Level 8
Verified
Jan 11, 2018
351
In the real world, you'll have a layered defence to avert a malware attack.

Ultimately, you'll never have to face one in using prudence when surfing the Internet and blindly downloading unknown files.

Security software at best is an aid in deciding how to making safe decisions while online.

If this thread demonstrated the obvious, is that no security software will ever be 100% bulletproof against malware out there.
 

HarborFront

Level 71
Verified
Top Poster
Content Creator
Oct 9, 2016
6,024
In the real world, you'll have a layered defence to avert a malware attack.

Ultimately, you'll never have to face one in using prudence when surfing the Internet and blindly downloading unknown files.

Security software at best is an aid in deciding how to making safe decisions while online.

If this thread demonstrated the obvious, is that no security software will ever be 100% bulletproof against malware out there.
So you agree that a backup and rollback software/feature is needed in addition to having a strong security?
 

piquiteco

Level 14
Oct 16, 2022
626
So you agree that a backup and rollback software/feature is needed in addition to having a strong security?
I was going to answer and I was typing and @Digmor Crusher answered. Yes, backup, backup and backup is the safest way to prevent against ransomware or some disaster like disk failure. About backup protection, the only backup software I know of that has protection against ransomware is Macrium Reflect called Macrium Image Guardian paid version only and Acronis called Acronis Active Protection, but macrium needs to be tested one day in practice to see how it does in tests. The only one I tested was Acronis since they released Active Protection in version 2017 to version 2021. All versions protected against ransomware and blocked and restored encrypted files successfully never failed except in version 2021, which curiously one of the last versions Acronis integrated AV, but when I tested it failed and all files were encrypted in the last version 2021 and the 2020 version did not fail, until today I do not understand why. Now they have changed their name it is called Acronis Cyber Protect Home Office (formerly Acronis True Image)in this version already Acronis Cyber Protect Home I didn't get excited about testing it. The complaint about acronis these days is that it is very bloated software and many people complain on Acronis forums and on web forums that the backup restoration has failed. (y)
 

HarborFront

Level 71
Verified
Top Poster
Content Creator
Oct 9, 2016
6,024
I was going to answer and I was typing and @Digmor Crusher answered. Yes, backup, backup and backup is the safest way to prevent against ransomware or some disaster like disk failure. About backup protection, the only backup software I know of that has protection against ransomware is Macrium Reflect called Macrium Image Guardian paid version only and Acronis called Acronis Active Protection, but macrium needs to be tested one day in practice to see how it does in tests. The only one I tested was Acronis since they released Active Protection in version 2017 to version 2021. All versions protected against ransomware and blocked and restored encrypted files successfully never failed except in version 2021, which curiously one of the last versions Acronis integrated AV, but when I tested it failed and all files were encrypted in the last version 2021 and the 2020 version did not fail, until today I do not understand why. Now they have changed their name it is called Acronis Cyber Protect Home Office (formerly Acronis True Image)in this version already Acronis Cyber Protect Home I didn't get excited about testing it. The complaint about acronis these days is that it is very bloated software and many people complain on Acronis forums and on web forums that the backup restoration has failed. (y)

Actually, there are a couple of backup and recovery software with built-in ransomeware protection

 

piquiteco

Level 14
Oct 16, 2022
626
Actually, there are a couple of backup and recovery software with built-in ransomeware protection
These software I mentioned above are dedicated and unique to protection against ransomware, all AVs, including Kasperky, Bitdefender,Trend Micro, MS Defender among others I will not remember all the names of security suites because they are many, all have protection against ransomware. Bitdefender they released the ransomware protection feature in 2016 that I even used when they released this version with this feature , similar to MS Defender folder protection, which now bitdefender removed in version 2020 or 2021 if I do not remember, and they released well before acronis launched Acronis Active Protection in 2017, there are other dedicated ransomware protection software, but is not very well known, I could not prove the effectiveness of them so I did not mention here. MS Defender and Trend Micro you can select the folders you want to be protected only processes or trusted files that are only allowed by you by adding them to the list of trusted programs. The other AVs I know of like Kasperky, Bitdefender and others is protected based on behavior, I can't remember the name of Bitdefender I think it is advanced protection something like that, and kasperky has a feature I can't remember the name of @harlan4096 should remember. It seems to me that Kasperksy when it notices some suspicious process that changes some file or folder or something in the system it blocks, terminates the malicious app and reverses what was changed by the malicious app, and it seems to me that it still has a feature, that you can close a full screen that the malicious app displays similar to ransomware screen that its not me wrong a shortcut combination Ctrl + Shift + F4 something like that. All AVs that exist today have protection against ransomware either a dedicated ransomware protection module, folder protection, behavior based protection and signature protection, but you never blindly trust it 100%, if you have a lot of important data and always open email attachments, be prepared one hour you may cry, don't mess around with ransomware, when you least expect it the next victim is you. Seriously, it can happen to anyone, click and bingo, when you see it, not even your AV was able to block it. But since you are a smart, veteran and informed guy, old horse, lol you participate in security forum I don't think you will have problems with ransomware. ;)
 
Last edited:

HarborFront

Level 71
Verified
Top Poster
Content Creator
Oct 9, 2016
6,024
These software I mentioned above are dedicated and unique to protection against ransomware, all AVs, including Kasperky, Bitdefender,Trend Micro, MS Defender among others I will not remember all the names of security suites because they are many, all have protection against ransomware. Bitdefender they released the ransomware protection feature in 2016 that I even used when they released this version with this feature , similar to MS Defender folder protection, which now bitdefender removed in version 2020 or 2021 if I do not remember, and they released well before acronis launched Acronis Active Protection in 2017, there are other dedicated ransomware protection software, but is not very well known, I could not prove the effectiveness of them so I did not mention here. MS Defender and Trend Micro you can select the folders you want to be protected only processes or trusted files that are only allowed by you by adding them to the list of trusted programs. The other AVs I know of like Kasperky, Bitdefender and others is protected based on behavior, I can't remember the name of Bitdefender I think it is advanced protection something like that, and kasperky has a feature I can't remember the name of @harlan4096 should remember. It seems to me that Kasperksy when it notices some suspicious process that changes some file or folder or something in the system it blocks, terminates the malicious app and reverses what was changed by the malicious app, and it seems to me that it still has a feature, that you can close a full screen that the malicious app displays similar to ransomware screen that its not me wrong a shortcut combination Ctrl+#####+F4 something like that. All AVs that exist today have protection against ransomware either a dedicated ransomware protection module, folder protection, behavior based protection and signature protection, but you never blindly trust it 100%, if you have a lot of important data and always open email attachments, be prepared one hour you may cry, don't mess around with ransomware, when you least expect it the next victim is you. Seriously, it can happen to anyone, click and bingo, when you see it, not even your AV was able to block it. But since you are a smart, veteran and informed guy, old horse, lol you participate in security forum I don't think you will have problems with ransomware. ;)

Yes, all AV/AM software come with ransomware protection either as a dedicated feature or included in their real-time protection. And they are multi-layered utilising a combo of AI/ML/sandbox/BB/signature etc. All technologies have their shortcomings and that's why they need to mutli-layer them.

Nowadays, ransomware is like a missile carrying multiple warheads(payloads). On attack it hope that one warhead(payload) will get through your defense system and you are done for damage repair............hopefully can recover without paying a ransom.

JFI, recently I was into ransomware that now I'm in the process of setting up one laptop for protection strongly in mind.
 
Last edited:

Trident

Level 28
Verified
Top Poster
Well-known
Feb 7, 2023
1,714
Trend Micro and Kaspersky manage access permissions and in addition, restores encrypted files from repository. They identify ransomware by behaviour. Bitdefender no longer manages access permissions, but can restore encrypted files, similar to ZoneAlarm anti-ransomware (also included in ZA Extreme Security) and Acronis eventually (not tried it recently).

Microsoft Defender can manage permissions and restore encrypted files which works best if you have OneDrive subscription, where the generous storage will be used to back-up your information.
Similar setup with Norton.

Avast manages access permissions but can neither revert the encryption, nor can it restore files from a backup, you will need to have a copy of your files somewhere else (and it should have remained out of the attackers sight).

The Kaspersky ctrl+shift+alt+F4 is for screen lockers, it terminates everything operating in full screen and this will suspend the locker (early ransomware used to lock your screen and demand that an SMS is sent to a premium number to get a code).
 

piquiteco

Level 14
Oct 16, 2022
626
Yes, all AV/AM software come with ransomware protection either as a dedicated feature or included in their real-time protection. And they are multi-layered utilising a combo of AI/ML/sandbox/BB/signature etc. All technologies have their shortcomings and that's why they need to mutli-layered them.
Yes, exactly, you said it all in a few words.(y)
Nowadays, ransomware is like a missile carrying multiple warheads(payloads). On attack it hope that one warhead(payload) will get through your defense system and you are done for damage repair............hopefully can recover without paying a ransom.
In this case the ransomware has already evolved and somehow risen to the next level and become ICBM.:LOL:
JFI, recently I was into ransomware that now I'm in the process of setting up one laptop for protection strongly in mind.
In your case, in the first instance if you have a lot of important data that goes over terabytes, and you can't afford to back it up frequently, the cost $$$ for cloud backup is high at the end of the month in your pocket, so maybe you can use something other than AV to protect your files. Many backup programs they have so called continuous, incremental, and differential backup, but as I said not everyone will use this way. Now if you can do it and have storage space to spare, then just set up and schedule your backups. :)
 

piquiteco

Level 14
Oct 16, 2022
626
The Kaspersky ctrl+shift+alt+F4 is for screen lockers, it terminates everything operating in full screen and this will suspend the locker (early ransomware used to lock your screen and demand that an SMS is sent to a premium number to get a code).
Thank you so much! you saved my ass in @Trident you are always ON/Online, you are looking like a Bot lol, or bug in your status every time I see your status ONLINE 24 HOURS wow. I who used kasperky a lot did not remember the shortcut key combinations ctrl+shift+alt+F4 I will not edit my post, because it will be annoying and unethical on my part. Thanks buddy. (y)
 

Sorrento

Level 9
Verified
Well-known
Dec 7, 2021
402
I don't overly trust my AV as I don' know what new ideas the evil ones ae going to come up with - I have several external backups most 4TB with around 3 months Reflect images plus my original install & all data on them - Also have data a several USB sticks - I don't backup to external drives in the same week, I never leave any external drive plugged in. Some of my backed up info is extremely precious such as seventeen years of photographs & thousands of music albums in FLAC & much MP3 - I can't afford to take chances. :rolleyes::rolleyes:
 

cruelsister

Level 42
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 13, 2013
3,142
Although ransomware continues to be a hot topic, in actuality the threat is more of perception than actuality. The breaches that one may see in the News are more likely the result of inside jobs by disgruntled employees than any extrinsic attack. One can conclude that this is the case simply due to the paucity of any new ransom mechanism; recent stuff in the Wild are primarily clones of well known ransom types like Phobos and BlackBasta which present no detection issues for the majority of AM products.

Concentration instead should be placed on the current Clear and Present danger of Data Stealers which are much more prevalent, diverse, and a great deal more financially profitable for the malware writer (and much more destructive for the home user).
 

NormanF

Level 8
Verified
Jan 11, 2018
351
Although ransomware continues to be a hot topic, in actuality the threat is more of perception than actuality. The breaches that one may see in the News are more likely the result of inside jobs by disgruntled employees than any extrinsic attack. One can conclude that this is the case simply due to the paucity of any new ransom mechanism; recent stuff in the Wild are primarily clones of well known ransom types like Phobos and BlackBasta which present no detection issues for the majority of AM products.

Concentration instead should be placed on the current Clear and Present danger of Data Stealers which are much more prevalent, diverse, and a great deal more financially profitable for the malware writer (and much more destructive for the home user).

Ransomware targets corporate enterprises because its easier to hold them hostage than home users and the victims are more to likely to avoid the embarrassment of revealing how compromised they were.
 

HarborFront

Level 71
Verified
Top Poster
Content Creator
Oct 9, 2016
6,024
Although ransomware continues to be a hot topic, in actuality the threat is more of perception than actuality. The breaches that one may see in the News are more likely the result of inside jobs by disgruntled employees than any extrinsic attack. One can conclude that this is the case simply due to the paucity of any new ransom mechanism; recent stuff in the Wild are primarily clones of well known ransom types like Phobos and BlackBasta which present no detection issues for the majority of AM products.

Concentration instead should be placed on the current Clear and Present danger of Data Stealers which are much more prevalent, diverse, and a great deal more financially profitable for the malware writer (and much more destructive for the home user).

Running in a sandbox/VM and a strong AV/AM should stop data stealer
 
  • Like
Reactions: Back3 and Oldie1950

NormanF

Level 8
Verified
Jan 11, 2018
351
I have sandbox enabled. The issue of an untrusted app running on MacOS is extremely low! Untrusted apps are simply not allowed to run thanks to the built-in Gatekeeper.
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top