Fending off Ransomware even Against State-of-the-art Attack Techniques (2024)

APT groups that attack with ransomware use many different attack tactics to achieve their objectives. AV-TEST staged attacks on security products for consumer users and corporate users in 10 currently used scenarios each, deploying the techniques ".Net Reflective Assembly loading", ".Net Dynamic P/Invoke" and "AMSI Bypass". The Advanced Threat Protection tests were quite exciting, as some of the programs were not able to withstand all the attack techniques.

The latest attack techniques used in the test

.Net Reflective Assembly loading: In order to obfuscate malware code, a typical technique is to load it reflectively at run time. Reflective loading allows a payload (executable malware code) to be placed and executed directly in the memory of the process, or to be used to create a new thread or process. DotNet offers the possibility of loading assemblies with Assembly.Load.

In our examples, an encrypted assembly in which the ransomware is implemented is stored on disk. It is decrypted, loaded and executed at run time, without the decrypted image ever being written to the hard drive.

.Net Dynamic P/Invoke: DotNet is capable of executing unmanaged code (code not written for the DotNet runtime), which can be used to make standard Windows API calls. This enables the implementation of specific behavior that DotNet itself does not provide. It is normally achieved with Platform Invoke (P/Invoke). API calls made via static P/Invoke declarations can be monitored by defenders and easily intercepted. If P/Invoke is not used statically, libraries can instead be loaded dynamically at run time and the functions they contain called via their memory address. In the process, their use is obfuscated in order to avoid detection by security programs.

In our examples, we use Dynamic P/Invoke to call up API functions (VirtualAlloc, CreateThread) in order to load encrypted, reflective ransomware into the memory and execute it.

AMSI Bypass: The Antimalware Scan Interface (AMSI) is a scan API provided by Microsoft that can also be used by antivirus solutions. Part of its task consists of scanning script content before it is executed by a scripting engine. An attacker can, however, manipulate the interface functions within a process in order to interfere with the AMSI functionality.

In our examples, we use a PowerShell ransomware payload and try to execute it after the deactivation of AMSI. In another example, we launch a PowerShell process, inject a small piece of shellcode that deactivates AMSI, and then hand the malicious ransomware over to it.
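A defender reading the three technique descriptions above will want to know what they look like in telemetry. The following is an added example, not code from the AV-TEST article, that scores constructed PowerShell script-block log entries against indicators the article itself names (Assembly.Load, VirtualAlloc, CreateThread, AMSI) plus the standard dynamic-resolution calls (LoadLibrary/GetProcAddress) that dynamic P/Invoke relies on; the ATT&CK technique IDs in the rule names are my own mapping and are not given in the article, and the log lines are constructed samples, not real telemetry.

```python
import re

# Indicator sets per technique. IDs are my mapping (assumption), not from the article.
RULES = {
    "reflective_assembly_load (T1620)": [
        r"\[System\.Reflection\.Assembly\]::Load\(",   # Assembly.Load on a byte array
        r"\.EntryPoint\.Invoke\(",                      # running the loaded assembly
    ],
    "dynamic_pinvoke (T1106)": [
        r"GetDelegateForFunctionPointer",  # turning a raw address into a callable
        r"\bGetProcAddress\b",             # resolving an export at run time
        r"\bVirtualAlloc\b",               # the allocation call the article names
        r"\bCreateThread\b",               # the thread-creation call the article names
    ],
    "amsi_tampering (T1562.001)": [
        r"amsi\.dll",                      # loading the AMSI library by hand
        r"AmsiScanBuffer",                 # touching the scan entry point directly
    ],
}
COMPILED = {n: [re.compile(p, re.IGNORECASE) for p in ps] for n, ps in RULES.items()}

# Constructed sample script-block entries (record_id, script text); not real logs.
SAMPLE_LOGS = [
    (1, "Get-ChildItem C:\\Users | Sort-Object Length"),
    (2, "$b = [IO.File]::ReadAllBytes('pkg.bin'); "
        "$a = [System.Reflection.Assembly]::Load($b); $a.EntryPoint.Invoke($null, $null)"),
    (3, "$f = GetProcAddress (LoadLibrary 'kernel32.dll') 'VirtualAlloc'; "
        "$d = [Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer($f, $t); "
        "CreateThread"),
    (4, "$h = LoadLibrary 'amsi.dll'; $p = GetProcAddress $h 'AmsiScanBuffer'"),
    (5, "$h = LoadLibrary 'user32.dll'; GetProcAddress $h 'MessageBoxW'"),  # lone call, benign
]


def classify(script: str) -> dict:
    """Return {technique: [matched patterns]} for one script block. A technique is
    reported only when at least two of its indicators co-occur, so a single
    legitimate GetProcAddress or Assembly.Load does not raise an alert on its own."""
    hits = {}
    for name, pats in COMPILED.items():
        matched = [p.pattern for p in pats if p.search(script)]
        if len(matched) >= 2:
            hits[name] = matched
    return hits


def scan(logs):
    """Scan (record_id, script) pairs; return [(record_id, hits)] for flagged records."""
    return [(rid, h) for rid, s in logs if (h := classify(s))]


if __name__ == "__main__":
    for rid, hits in scan(SAMPLE_LOGS):
        print(rid, hits)
```

Record 5 is deliberately left unflagged: it carries one dynamic-resolution indicator, which on its own is common in legitimate administration scripts, so the two-indicator threshold is where the trade-off between coverage and noise is tuned.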

Test scenarios

All attack scenarios are documented according to the standard of the MITRE ATT&CK database. The individual sub-techniques, for example "T1566.001", are listed in the MITRE database under "Techniques" as "Phishing: Spearphishing Attachment". Each test step is thus defined in terms experts agree on and can be followed logically. In addition, all attack techniques are explained, along with how successful the malware was.

Advanced test: protection for consumer users

In the current evaluation, the 10 security packages for consumer users were put to the advanced test. The products involved were from AhnLab, Bitdefender, G DATA, Kaspersky, McAfee, Microsoft, Microworld, Norton, PC Matic and VIPRE Security. Each product was required to stand up against 10 test scenarios, in which different attempts were made to inject and execute ransomware in the system.

The packages from Bitdefender, G DATA, Kaspersky, McAfee, Microsoft and PC Matic were able to detect all 10 attacks and block the ransomware before it was able to create any damage. Each product received 30 points on its protection score for this performance.

While Microworld and Norton also managed to detect the 10 attacks, they were not able to completely block the attacks in one case. Microworld had a point taken off, as individual files were encrypted: 29 points. With Norton, there was a total cave-in after the detection of the attack – the system was encrypted. But the product still achieved 27.5 points on its protection score.

AhnLab and VIPRE Security each detected only 9 out of 10 attacks. As a result, each lost a full 3 points in one instance. But VIPRE Security also had problems in a second instance: despite detection of the attack and the use of countermeasures, the system was encrypted in the end. This led to a deduction of an additional 1.5 points. AhnLab finished the test with 27 out of 30 points for the protection score, and VIPRE Security earned 25.5 points.

Because all products for consumer users were above the threshold of 22.5 points, they received the AV-TEST certificate "Advanced Certified".

Advanced test: solutions for business users

In the advanced test lineup of endpoint security solutions were products from AhnLab, Bitdefender (2 versions), Check Point, G DATA, Kaspersky (2 versions), Microsoft, Sangfor, Symantec, Trellix, VMware, WithSecure and Xcitium.

Each product was required to detect the attack technique and fend off ransomware in 10 scenarios. For each ransomware detected and stopped completely, the lab awarded 3 points. Delivering stellar performance with error-free detection of all attacks, and successful blocking of ransomware were the products from Bitdefender (Endpoint and Ultra version), Check Point, G DATA, Kaspersky (Endpoint and Small Office Security version), as well as Xcitium. For this they all received the maximum 30 points for the protection score.

Symantec and Microsoft also detected all 10 attack scenarios, but they had difficulty in one instance: it is true they detected the attack, along with the ransomware. Both even initiated additional steps against the attack. But in the end, encryption occurred in individual files with Symantec, and for Microsoft even the entire system was encrypted. As a result, Symantec received 29 points and Microsoft earned 28.5 points for the protection score.

AhnLab, Sangfor and WithSecure all had the same problem. In one case, they detected neither the attack technique nor the ransomware. The system was ultimately encrypted, and all the products lost the full 3 points in one instance: they ended up with 27 points each for the protection score.

The solutions from Trellix and VMware came out the worst. Trellix was able to detect 9 out of 10 attack scenarios. In one instance, the ransomware was able to fully unfold. In two further instances, while the attack and the ransomware were detected, partial encryption of data could not be prevented. A total of 24 points for the protection score.

VMware staged an even weaker finish. In two instances, there was no detection of the attack. In a third instance, while attack detection was successful, even stopping the ransomware, in the end a malicious VB script was left in the autostart of the system. At least nothing was encrypted. In the final analysis, only 22.5 points remained for the protection score, which is exactly the minimum number of points needed to receive the Advanced Protection certificate.

Real-life test attacks challenge the capabilities to fend off malware

It is very interesting to see how many steps the security programs take in protecting against the various, latest attack techniques. To be sure, the best defense is immediate detection of an attack. But as the test indicates, sometimes an attack is not detected immediately, but additional security barriers block it to a large extent or altogether. The 10 scenario charts explain which security barriers or steps are involved in an individual test run. Listed there are the internationally defined "Techniques" Codes from MITRE ATT&CK. Based on this data, experts can precisely track how a ransomware attack proceeds.

The final tables also quickly indicate which products stood up to all 10 attack scenarios with the various techniques. For their performance, they received the full 30 points for the protection score. Among the products for consumer users were the packages from Bitdefender, G DATA, Kaspersky, McAfee, Microsoft and PC Matic.

Among the solutions for corporate users, the following products detected all 10 attack scenarios and received 30 protection score points: Bitdefender (Endpoint and Ultra version), Check Point, G DATA, Kaspersky (Endpoint and Small Office Security version), and Xcitium.
