A successful ransomware attack always has disastrous consequences. While only individual PCs may become infected in a private environment, ransomware can quickly spread via a corporate network to all available PCs and drives. In its Advanced Threat Protection test, AV-TEST evaluated how well security solutions can protect consumer PCs and workstations in corporate environments against ransomware. In each of the 10 scenarios, several solutions had their work cut out for them.

"Disastrous" is the best term to describe a successful ransomware attack. Just how disastrous the situation can be is something many companies have already had to learn. In Germany, leading companies such as Hipp, dpa or the Chamber of Industry and Commerce were affected, and in Europe and around the world, victims included Energias de Portugal, Rockstar Games or Colonial Pipeline. In nearly all these cases, production PCs, servers and drives were encrypted and a ransom was demanded. As a result, production often came to a standstill, and the companies suffered additional losses every day.

Many consumers and corporate users install a security solution for their Windows systems to defend against ransomware. In its Advanced Threat Protection tests, AV-TEST examined just how well 29 of these products offered protection against a ransomware attack. In doing so, each security solution was required to successfully hold up against the attackers in 10 practical scenarios. Most of the products performed very well, but there were a few missteps here and there, dampening the result.


29 products put to a practical test

In a classical detection test, the only result is "detected" or "not detected". This advanced test works differently. In the first step, as always, detection or non-detection is documented. The protection program then still has the opportunity to detect the attack through its additional actions, block it and at least partially remove the attacker's components from the system.

That is why the Advanced Threat Protection test shows all the attack steps of ransomware in the evaluation charts, thereby indicating the point at which the security solution thwarted the attack fully, partially or perhaps not at all. In the process, all the steps are assessed, and the lab awards up to 4 points in each scenario in this test. Thus, in the 10 scenarios, the products are able to achieve up to 40 points for their protection score.

The products examined for consumer users come from: Ahnlab, Avast (with 2 versions), AVG, Avira, Bitdefender, G DATA, K7 Computing, Malwarebytes, McAfee, Microsoft, Microworld, NortonLifeLock, PC Matic, Trend Micro and VIPRE Security.

The tested solutions for corporate users come from: Ahnlab, Avast, Bitdefender (with 2 versions), Check Point, Comodo, G DATA, Malwarebytes, Microsoft, Seqrite, Trellix, Trend Micro and VMware.

The outcome is very interesting for these two user groups. All products for consumer users detected the ransomware right at the beginning, but only 10 out of 16 protection packages prevented all further attack steps. The lowest overall point score in this group was a mere 31 points.

Among the solutions for corporate users, there was one case of non-detection, but 8 out of 13 products achieved the full score of 40 points. While several products were unable to prevent all attack steps, the lowest overall point score was still at a high level of 36 out of 40 points.


Figure: Advanced test against ransomware

Figure: Ransomware: good protection for corporate users

Test: 10 tough opponents for each solution

The charts below provide a definition and precise technical description for each of the 10 test scenarios. One of the attacks, for example, begins with a spear-phishing e-mail whose attachment is extracted; a file concealed within it is launched and starts the actual attack on the system and the encryption. The lab lists all the steps of each scenario as "technique" codes from MITRE ATT&CK, so the scenario can be followed very precisely, including by professionals. The lab also explains the technical steps of an Advanced Threat Protection test in the already released article: New Lines of Defense: EPPs and EDRs Put to the Test Against APT and Ransomware Attacks.

The individual charts of results are to be interpreted as follows: the test procedure for each attacking ransomware is depicted in one row, so there are 10 rows of results. If a security solution detects the ransomware in one of the first two steps (initial access or execution), the attack is considered thwarted. If this is the case, it is color-coded in green: attack stopped. Yellow means: only partially stopped. Orange indicates: attack not stopped (no detection). The yellow field at the end of a row can indicate two results: if the attack is only partially detected, then either individual files were encrypted (some files encrypted) or the ransomware was indeed prevented from encrypting files but was able to remain on the system (malware remains on system). If there is an orange field at the end of the row, the attack is considered undetected and the ransomware was able to run completely (files encrypted).

For each ransomware detected and stopped completely, the lab awards 4 points. There is a point deduction for partial detections. Naturally, no points are awarded for non-detection. In this test, a solution can achieve 4 points per scenario – 40 points for its overall protection score. Please note: while the Advanced Threat Protection tests do occur regularly every two months, the scenarios may vary, and thus also the maximum points of the protection score.


Test scenarios

All attack scenarios are documented according to the standard of the MITRE ATT&CK database. The individual sub-techniques, for example “T1059.001”, are listed in the MITRE database for “Techniques” under 1059.001 “Command and Scripting Interpreter: PowerShell”. Each test step is thus defined among the experts and can be logically understood.
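As an added illustration of the chart rules and scoring described above (and of the ATT&CK technique codes used to document each step), the following Python snippet is not AV-TEST code: it models one chart row as a list of ATT&CK-tagged steps with a detection flag, classifies the row as stopped, partially stopped or not stopped, and sums rows into a protection score. The size of the deduction for a partial result is an assumption (the article only says points are deducted), and the sample scenario is constructed.

```python
"""Score one Advanced-Threat-Protection-style ransomware chart row.

Rules modelled from the article: detection at step 1 or 2 (initial access
or execution) = attack stopped, 4 points; later detection = partially
stopped; no detection = files encrypted, 0 points.
"""
import re
from dataclasses import dataclass

# MITRE ATT&CK technique ids look like T1059 or, for sub-techniques, T1059.001.
ATTACK_ID = re.compile(r"^T\d{4}(\.\d{3})?$")
FULL_POINTS = 4
PARTIAL_POINTS = 2      # assumption: the article gives no exact deduction


@dataclass
class Step:
    technique: str      # ATT&CK id, e.g. "T1059.001"
    detected: bool      # did the product react at this step?


def validate_ids(steps):
    """Reject malformed technique codes before they enter a report."""
    bad = [s.technique for s in steps if not ATTACK_ID.match(s.technique)]
    if bad:
        raise ValueError(f"malformed ATT&CK id(s): {bad}")


def score_scenario(steps, files_encrypted):
    """Return (colour, end state, points) for one chart row."""
    validate_ids(steps)
    first_hit = next((i for i, s in enumerate(steps) if s.detected), None)
    if first_hit is not None and first_hit < 2:      # initial access / execution
        return "green", "attack stopped", FULL_POINTS
    if first_hit is None:                             # never detected
        return "orange", "files encrypted", 0
    end = "some files encrypted" if files_encrypted else "malware remains on system"
    return "yellow", end, PARTIAL_POINTS


def protection_score(rows):
    """Sum per-scenario points; 10 scenarios give a maximum of 40."""
    return sum(points for _, _, points in rows)


# Constructed sample row: phishing attachment -> user opens file ->
# PowerShell stager -> encryption. The product only reacts at the PowerShell step.
SAMPLE = [Step("T1566.001", False), Step("T1204.002", False),
          Step("T1059.001", True), Step("T1486", False)]

if __name__ == "__main__":
    print(score_scenario(SAMPLE, files_encrypted=False))
```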