ATP test: defending against attacks by ransomware and info stealers
They are the leading vectors for attacks: ransomware and info stealers. If attacks are successful, what follows is extortion for ransom, the data ends up for sale on the Internet, or both. None of this happens if good protection software thwarts the attacks immediately. But is the software capable of doing so? The current Advanced Threat Protection – ATP – test examines 25 security packages for consumer users and corporate users in 10 scenarios in a live battle to fend off ransomware and data stealers. The Advanced Threat Protection test shows that many providers fulfill their protection promises. The test also reveals errors in some products that have consequences, however: the systems are encrypted and the data is stolen.
Reports from those affected by successful attacks with ransomware or info stealers almost always sound the same: If one PC is infected in a network, the attacker quickly proliferates and encrypts almost everything it finds there or hijacks the data. Without backups and contingency plans, companies in particular run into problems and sometimes even face the prospect of bankruptcy, as some media reports recently have indicated.
But it doesn't have to lead to such drastic outcomes if users or companies deploy a good protection solution that fends off the attackers. Other protective measures, such as updates, backups and contingency plans, are still necessary elements in the mix.
The latest ATP test from January/February 2025 examined 25 security solutions for consumer users and corporate users in 10 live scenarios in which 5 samples of ransomware and 5 variants of info stealers attacked Windows 10 systems in the lab. Almost 75 percent of PCs worldwide run a Windows operating system. Of these PCs, Windows 10 reaches a share of just under 60 percent. However, Windows 11 is increasingly catching up, now accounting for nearly 40 percent.
ATP: 25 protection products in a live test
The test was completed by 10 products for consumer users and 15 solutions for corporate users and their endpoints. The packages for consumer users came from AhnLab, Avast, AVG, Avira, Bitdefender, ESET, F-Secure, G DATA, McAfee and Norton.
The solutions for corporate users came from AhnLab, Avast, Bitdefender (with 2 versions), CrowdStrike, ESET, Kaspersky (with 2 versions), MicroWorld, Qualys, Rapid7, Sophos, Symantec, Trellix and WithSecure.
Many of the security manufacturers achieved the maximum of 35 points for their protection score in the test. This is a composite of the results from the 10 real-life scenarios, involving 5 ransomware and 5 info stealer samples. For each ransomware sample blocked, up to 3 points are awarded, and for each info stealer, up to 4 points. A product is able to earn a half or full point for each action that is fended off. The laboratory describes all operations in a matrix according to the MITRE ATT&CK standard. The interesting aspect about the ATP test is that even if a product does not immediately detect the attacker, further defensive actions can take effect and thus stop the attack. The test shows exactly at which step this occurs – or doesn't occur.
While many products received the full 35 points for their protection score, a total of 5 known products had isolated issues with attackers and therefore lost important points.
Attack scenarios and techniques
In all 10 scenarios of this ATP test, one particular Windows attack technique was used. Here is a technical explanation of it.
UAC bypass: User Account Control (UAC) is a Windows security function designed to protect the operating system from unauthorized changes. Attackers can bypass the UAC mechanism to elevate their privileges and carry out tasks. In our tests, we implemented a UAC bypass by exploiting the IFileOperation COM interface to copy or move files with elevated privileges, without displaying a UAC prompt. The method works by launching a process that already runs with elevated privileges (a process with the auto-elevate property); in the test this was mmc.exe, the Windows executable for the Microsoft Management Console. As a result, the malicious DLL was loaded into an elevated process. We used this environment to execute our attack malware directly or to install a controlled Windows service.
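The bypass described above leaves a recognizable trail in endpoint telemetry: an auto-elevating binary such as mmc.exe loading a DLL from outside the Windows directories, a high-integrity child process spawned from it, or a service installed from a user-writable path. The following detector is an added example, not code from AV-TEST or any tested product; it assumes Sysmon-style event dictionaries (EventID 7 image load, EventID 1 process create, System log 7045 service install) and runs over constructed sample events.

```python
"""Hypothetical detector for the auto-elevate/DLL UAC-bypass pattern.
Field names follow Sysmon conventions (Image, ImageLoaded, ParentImage,
IntegrityLevel) and the 7045 service-install event (ImagePath)."""

# Auto-elevating Windows binaries abused in the scenario (mmc.exe per the text).
AUTO_ELEVATE_IMAGES = {"mmc.exe"}
# Directories a DLL or service binary is expected to come from.
TRUSTED_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\",
                "c:\\windows\\winsxs\\")

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def is_trusted_dir(path):
    return path.strip('"').lower().startswith(TRUSTED_DIRS)

def classify(event):
    """Return an alert string for a suspicious event, or None if benign."""
    eid = event.get("EventID")
    if eid == 7:  # DLL loaded into a process
        if (basename(event["Image"]) in AUTO_ELEVATE_IMAGES
                and not is_trusted_dir(event["ImageLoaded"])):
            return f"auto-elevated {basename(event['Image'])} loaded DLL " \
                   f"outside Windows dirs: {event['ImageLoaded']}"
    elif eid == 1:  # process created
        parent = basename(event.get("ParentImage", ""))
        if (parent in AUTO_ELEVATE_IMAGES and event.get("IntegrityLevel") == "High"
                and not is_trusted_dir(event["Image"])):
            return f"high-integrity child of {parent}: {event['Image']}"
    elif eid == 7045:  # a new service was installed
        if not is_trusted_dir(event["ImagePath"]):
            return f"service installed from untrusted path: {event['ImagePath']}"
    return None

def scan(events):
    return [a for a in (classify(e) for e in events) if a]

SAMPLE_EVENTS = [  # constructed sample telemetry, not real logs
    {"EventID": 7, "Image": r"C:\Windows\System32\mmc.exe",
     "ImageLoaded": r"C:\Windows\System32\mmcbase.dll"},          # benign
    {"EventID": 7, "Image": r"C:\Windows\System32\mmc.exe",
     "ImageLoaded": r"C:\Users\alice\AppData\Local\Temp\payload.dll"},
    {"EventID": 1, "Image": r"C:\Users\alice\AppData\Local\Temp\stage2.exe",
     "ParentImage": r"C:\Windows\System32\mmc.exe", "IntegrityLevel": "High"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "IntegrityLevel": "Medium"},
    {"EventID": 7045, "ImagePath": r'"C:\ProgramData\upd\svc.exe"'},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print("ALERT:", alert)
```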