All posts

Ransomware vs. Endpoint Security

Written By

SE Labs Team

Published on

November 6, 2023

Results from the largest public ransomware test

CrowdStrike Falcon Ransomware

Ransomware is the most visible, most easily understood cyber threat affecting businesses today. Paralysed computer systems mean stalled business and loss of earnings. We tested CrowdStrike Falcon’s endpoint security vs. ransomware.

Ransomware vs. Endpoint Security. Why is ransomware so popular?

One reason why ransomware is so ‘popular’ is that the attackers don’t have to produce their own. They outsource the production of ransomware to others, who provide Ransomware as a Service (RAAS). Attackers then usually trick targets into running it, or at least into providing a route for the attackers to run it for them. Artificial intelligence systems make the creation of such social engineering attacks easier, cheaper and more effective than ever before.

Given the global interest and terror around ransomware, we have created a comprehensive test that shows how effective security products are when faced with the whole range of threats posed by ransomware itself and the criminal groups operating in the shadows.

In this report, we have taken two main approaches to assessing how well products can detect and protect against ransomware.

Ransomware Deep Attacks

For the first part of this test, we analysed the common tactics of ransomware gangs and created two custom gangs that use a wider variety of methods. In all cases, we run the attack from the very start, including attempting to access targets with stolen credentials or other means. We then move through the system and sometimes the network, before deploying the ransomware as the final payload.

In the first two attacks for each group, we gain access and deploy ransomware onto the target immediately. In the third, fourth and fifth attacks, we move through the network and deploy ransomware on a target deeper into the network.

This test shows a product’s ability to track the movement of the attacker through the entire attack chain. We disable the product’s protection features and rely on its detection mode for this part of the test. The results demonstrate how incident response teams can use the product to gain visibility on ransomware attacks.

Download the report for enterprise now! (free – no registration)

Ransomware Direct Attacks

The second part of the test takes a wide distribution of known malware and adds variations designed to evade detection. We sent each of these ransomware payloads directly to target systems using realistic techniques, such as through email social engineering attacks. This is a full but short attack chain. In this part of the test, we ensure any protection features are enabled in the product.

If products can detect and protect against the known version of each of these files, all is well and good. But if they also detect and block each ransomware’s two variations then we can conclude that the protection available is more proactive than simply reacting to yesterday’s unlucky victims.

Featured podcast:

[buzzsprout episode=’8153070′ player=’true’]

Contact us

Give us a few details about yourself and describe your inquiriy. We will get back to you as soon as possible.

Get in touch

Feel free to reach out to us with any questions or inquiries

info@selabs.uk Connect with us Find us