Asking the user to make the decision will only help those who are tech-savvy. Most users click "allow" on everything. They don't know better and per default use "allow" because otherwise things they need don't work anymore. So, this is only beneficial to a certain type of user. It's preferred to have a decision by the AV product itself.
With that said, there is no wide-spread ransomware that doesn't provide any of the other features I mentioned if they want to be somewhat profitable. E.g. all of them have shadow copy deletion by now. Those are the behaviours that---in combination with the encryption and renaming---might be detected with heuristics.
Once the ransomware is known, we also catch the newly packaged variants by other means than heuristics.
I agree that prompting is not a great approach, but I think the way that the prompting is phrased generates a different user reaction. For example, something like Windows SmartScreen or a self-signed certificate warning in a web browser is basically phrased as:
"This thing you're trying to do is not known to be safe. It could be anything. I'm gonna block it. Do you want to allow it?"
Meanwhile, most AV behavior blocker warnings come in the form of:
"I observed behavior from this program that looks like ransomware. I'm going to kill it in 10 seconds unless you tell me not to".
I still expect most users will react more seriously to the latter, compared to the former which pops up on virtually a weekly basis for the average person.
With that said, you're absolutely right that most of the times, ransomware is either existing variations of known ransomware or a new download mechanism to sneak known ransomware onto the system, or it performs a wide range of tasks beyond just encrypting files. These additional behaviors further serve to trigger antimalware software because they usually all use a "scoring" system where a certain number of suspicious activities added together will trigger an alert.
With that said, these kinds of tests are still interesting for testing the dynamic behavior blocking aspect. Other than ESET and a few others, the vast majority of the industry believes that a behavior blocker is an important part of their emerging threats / zero-days story. We have a ton of testers already who give us a lot of data points on how both static scanners and behavior blockers react to real ransomware.
I see these tests, instead, as a part of the scientific process of isolating each component of ransomware and seeing how an AV reacts to it. Just like the disclaimer in the MalwareHub, these individual data points do not justify saying one AV software is better than the other, but all of this has been very valuable in helping us to understand the strengths and weaknesses of these products, and I think they've projected pretty well onto predictions of how well this software works in the real world.
