How effective are security solutions against ransomware?

Testing 11 advanced security solutions against the latest ransomware threats.

Almost every developer of information security solutions claims their products repel ransomware attacks. That’s true: All of them do provide some degree of protection against ransomware. But how strong is that protection? How effective are those technologies?

Those aren’t idle questions: Partial protection against ransomware is a dubious achievement. If a solution can’t stop a threat in its tracks, then where is the guarantee that it at least kept critical files safe?

With that in mind, independent company AV-Test put 11 endpoint protection platform products through their paces in 113 different attacks to determine to what extent they actually protect users. AV-Test selected Kaspersky Endpoint Security Cloud for testing, and our product performed flawlessly throughout. The tests used three scenarios:

Protection of user files against prevalent ransomware

The first test scenario envisaged the most typical ransomware attack, one in which the victim runs malware on their computer, and the malware tries to get to local files. A positive result means the threat was neutralized (that is, all malware files deleted, execution of processes stopped, all attempts to gain a foothold in the system thwarted), with every single user file unencrypted and accessible. AV-Test performed a total of 85 tests in this scenario with the following 20 ransomware families: conti, darkside, fonix, limbozar, lockbit, makop, maze, medusa (ako), mountlocker, nefilim, netwalker (aka mailto), phobos, PYSA (aka mespinoza), Ragnar Locker, ransomexx (aka defray777), revil (aka Sodinokibi or Sodin), ryuk, snatch, stop, and wastedlocker.

In this scenario, nearly every security solution did an excellent job, which is not surprising; it used well-known malware families. The next scenarios were more difficult.

Protection against remote encryption

In the second scenario, the protected machine held files that were accessible over the local network, and the attack came from another computer on the same network (the other computer had no security solution, leaving the attackers free to run the malware, encrypt local files, and then search for accessible information on neighboring hosts). The malware families were: avaddon, conti, fonix, limbozar, lockbit, makop, maze, medusa (ako), nefilim, phobos, Ragnar Locker, Ransomexx (aka defray777), revil (aka Sodinokibi or Sodin), and ryuk.

The security solution, seeing a system process manipulating local files but unable to see the launch of the malware, could not check the reputation of the malicious process or the file that initiated it — or scan the file. As it turned out, of the 11 testees, only three offered any kind of protection against this type of attack, and only Kaspersky Endpoint Security Cloud handled it perfectly. Moreover, although Sophos’ product was triggered in 93% of cases, it fully protected the user’s files in only 7%.

Protection against proof-of-concept ransomware

The third scenario shows how products cope with malware that they cannot possibly have encountered before and that could not, even hypothetically, be present in malware databases. Because security can identify a yet-unknown threat only by means of proactive technologies that react to the malware’s behavior, the researchers created 14 fresh ransomware samples that employed methods and technologies that cybercriminals rarely use, as well as some original never-before-seen encryption techniques. As in the first scenario, they defined success as threat detection and blocking, including maintaining the integrity of all files on the victim’s machine and completely removing all traces of the threat from the computer.

Results varied, with some (ESET and Webroot) not detecting the custom-made malware at all and others performing better (WatchGuard 86%, TrendMicro 64%, McAfee and Microsoft 50%). The only solution that demonstrated 100% performance was Kaspersky Endpoint Security Cloud.

Test results

To sum up, Kaspersky Endpoint Security Cloud outperformed its competitors in all of AV-Test’s scenarios, protecting users against threats both known in the wild and newly created.

Aggregate results of all three test scenarios.

Aggregate results of all three test scenarios.

Incidentally, the second scenario revealed another, somewhat unexpected fact: Most of the products that failed to protect users’ files nevertheless removed the ransom note files. Even leaving aside the failure, that’s not good practice; such files may contain technical information that could help incident investigators recover data.

You can download the full report, with a detailed description of the test malware (both known and created by testers), after filling the form below.