Largest Public Test Tackles 556 Ransomware Scenarios

We made our latest ransomware counter-measures testing our largest yet.

Ransomware is rarely out of the headlines. It’s probably the most visible, most easily understood cyber threat affecting businesses today. And yet it still finds victims. This is why in our latest public report of ransomware solutions testing we increased the number of attack scenarios used by over 25%.

These included attempts to compromise target systems using techniques deployed by 15 different threat groups. To determine which attacks to deploy, we used current threat intelligence to look at what the bad guys have been doing recently and copied them quite closely. This way we can test how well security products and services handle similar threats to those faced by global governments, financial institutions and national infrastructure every day.

Ransomware vs. Endpoint

One of the reasons why ransomware is so ‘popular’ is that the attackers don’t have to produce their own. They outsource the production of ransomware to others, who provide Ransomware as a Service (RaaS). Attackers then usually trick targets into running it, or at least into providing a route for the attackers to run it for them. AI is now making the creation of such social engineering attacks easier, cheaper and more effective than ever before.

Given the global interest and terror around ransomware, we created a comprehensive test that shows how effective security products are when faced with the whole range of threats posed by ransomware itself and the criminal groups operating in the shadows. We use two approaches to do so: deep attacks and direct attacks.

Ransomware Deep Attacks

This test shows a product’s ability to track the movement of the attacker through the entire attack chain. We disable the product’s protection features and rely on its detection mode for this part of the test. The results demonstrate how incident response teams can use the product to gain visibility on ransomware attacks.

In devising the test, we analysed the common tactics of ransomware gangs and created our own two gangs that use a wider variety of methods. In all cases, we ran the attack from the very start, including attempting to access targets with stolen credentials or other means. We then moved through the system and sometimes the network, before deploying the ransomware as the final payload.

In the first two attacks for each group, we gain access and deploy ransomware onto the target immediately. In the third, fourth and fifth attacks, we move through the network and deploy ransomware on a target deeper into the network. The ransomware payloads used in this part of the report are known files from the families, which are listed on the Attack Details page of each report.

The perfect product will detect all relevant elements of an attack. The term ‘relevant’ is important, because sometimes detecting one part of an attack means it’s not necessary to detect another. This kind of visibility can be a significant advantage for a security professional who is battling a persistent attacker in real time.

Ransomware Direct Attacks

The second part of the test takes a wide distribution of known malware and adds variations designed to evade detection. We sent each of these ransomware payloads directly to target systems using realistic techniques, such as through email social engineering attacks. This is a full but short attack chain. In this part of the test, we ensure any protection features are enabled in the product.

If products can detect and protect against the known version of each of these files, all well and good. But if they also detect and block each ransomware’s two variations, then we can conclude that the protection available is more proactive than simply reacting to yesterday’s unlucky victims.

Protecting Against Ransomware

Attackers used to rely on random and widespread ransomware deployment to extort payment from as many hapless victims as they could. Today’s ransomware attacks are much more targeted and persistent, aimed at large organisations that can pay in the millions of dollars.

While educating users is still vital in protecting your business, Endpoint Protection and Detection systems do a lot of the heavy lifting. Real-world testing of the marketing claims made by cyber security vendors is one of the reasons we devised this test. It doesn’t just provide you with details of products you can trust, but also informs vendors where their product doesn’t reach the standard required to receive an AAA award from SE Labs, and where it can be improved.

In the end, it’s a win for everyone, except of course for the attackers.

You can see for free our latest ransomware tests on products from Symantec and Carbon Black that received an AAA rating, and don’t forget to look at the CrowdStrike report too from earlier this year.
