22 December 2020
We wanted to conduct a small proof of concept experiment with modern-day EDR solutions and a couple of ransomware samples.
For testing and automation purposes, we found it useful to use rThreat, a breach and attack simulation framework. This provided us with a collection of ransomware samples ranging from known samples to obfuscated variants of known samples.
Four EDRs were selected and configured using the suggested industry-standard configurations, and their agents were installed on an up-to-date Windows 10 machine. The samples were run and the outcome was evaluated by rThreat, which tracked whether each file executed, for how long, and whether it was stopped.
Our results for the 23 samples demonstrated the different approaches the EDRs take: they did not act in the same way and do not share the same signature databases, which did not come as a surprise. Of course, it is difficult to compare EDR solutions, as there are so many factors in play and so many configuration options.
We also acknowledge that, in retrospect, all the tests should have been run simultaneously in case there is signature sharing between the different solutions. It must also be noted that the tests were run over two days.
EDR 1
18/23 failed to execute.
5/23 samples executed for more than 10 seconds, 3 of them obfuscated known samples; 2 were stopped.
3/23 samples executed successfully and encrypted files: 2 obfuscated known samples and 1 known sample.
From this we can see that 18 samples were picked up by static analysis and 5 were missed. Of the 5 samples that could execute, 2 were stopped by behavioral analysis and 3 ran successfully.
EDR 2
18/23 failed to execute.
5/23 samples executed for more than 10 seconds (all different from the 5 in EDR 1); all were known samples and all were stopped by behavioral analysis.
From this we can see that 18 samples were picked up by static analysis and 5 were missed by static analysis but picked up by behavioral analysis.
EDR 3
22/23 failed to execute.
1/23 samples ran for more than 10 seconds, an obfuscated known sample, and was stopped.
From this we can see that 22 samples were picked up by static analysis and the one that got away was caught by behavioral analysis.
EDR 4
23/23 ran for more than 10 seconds; all samples were then terminated by the EDR.
From this we can see that this EDR configuration allowed every sample to start executing, but all of them were promptly stopped. This solution seems to rely mostly on behavioral analysis.
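The per-EDR tallies above all follow the same inference rule: a sample that never ran (or died before the 10-second mark) is credited to static analysis, one that ran and was terminated without encrypting anything is credited to behavioral analysis, and one that encrypted files counts as a miss. The following Python helper makes that rule explicit and reproduces the per-EDR counts from recorded runs. It is an added example written for this post, not rThreat's API or output format; the record fields and the sample data are constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass

# Threshold used in the write-up to separate "failed to execute" from "executed".
EXEC_THRESHOLD_S = 10.0


@dataclass(frozen=True)
class Outcome:
    """One sample run against one EDR, as a BAS tool would record it.
    Field names are assumptions for this example, not rThreat's schema."""
    edr: str
    sample: str
    obfuscated: bool
    runtime_s: float   # how long the sample's process lived
    stopped: bool      # the EDR terminated the process
    encrypted: bool    # files on disk were actually encrypted


def classify(o: Outcome) -> str:
    """Map one run to the detection layer credited in the write-up."""
    if o.encrypted:
        return "missed"        # damage done, regardless of a late kill
    if o.runtime_s < EXEC_THRESHOLD_S:
        return "static"        # blocked before or at launch: pre-execution detection
    if o.stopped:
        return "behavioral"    # ran past the threshold, then killed by runtime analysis
    return "missed"            # ran unhindered (would not happen with a real encryptor)


def summarize(results):
    """Per-EDR counts of static / behavioral / missed, as in the post's tallies."""
    per_edr = {}
    for o in results:
        per_edr.setdefault(o.edr, Counter())[classify(o)] += 1
    return per_edr


def prevention_rate(counts: Counter) -> float:
    """Share of samples stopped before encrypting anything."""
    total = sum(counts.values())
    return (counts["static"] + counts["behavioral"]) / total if total else 0.0


# Constructed records (not real test output) covering each outcome class.
SAMPLE_RESULTS = [
    Outcome("EDR 1", "s01", False, 0.2, True, False),   # blocked at launch
    Outcome("EDR 1", "s02", True, 14.0, True, False),   # ran, killed by behavior engine
    Outcome("EDR 1", "s03", True, 42.0, False, True),   # ran to completion, encrypted
    Outcome("EDR 4", "s01", False, 11.5, True, False),
    Outcome("EDR 4", "s02", False, 12.0, True, False),
]

if __name__ == "__main__":
    for edr, counts in summarize(SAMPLE_RESULTS).items():
        print(edr, dict(counts), f"prevented {prevention_rate(counts):.0%}")
```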
On a technical level, our small experiment showed that commercial EDR/EPP solutions did manage to stop the execution of most of the ransomware samples. Even when some of the samples slipped through static analysis, they were generally picked up by behavioral analysis.
The success rate of these solutions depends heavily on their configuration, so defenders must ensure they have chosen and tested the configurations that are most effective for them.
However, in a world where operating systems and applications constantly present new vulnerabilities to exploit and functionality to abuse, keeping prevention and detection rules up to date is a difficult task, as ransomware gangs will be incentivized to find new ways to run their malware. This keeps defenders and attackers locked in the same fight they have been in since the start.
As targeted attacks become more common, with attackers moving around a network and using a variety of tools for reconnaissance and data exfiltration, it would be beneficial to ensure that this behavior is detected before the actual encryption takes place.
We briefly mentioned initial access brokers. These threat actors find a way to get to the internal network of an organization and then sell it on dark web forums. If this initial activity is detected, then a ransomware attack could potentially be prevented.
Also, considering that ransomware groups are not just going after endpoints but are encrypting network drives and, recently, virtual hard drives, it is important to implement solutions that protect those areas too. All of this points to the complexity of defending against ransomware and to the fact that there is currently no single solution to the problem.
Given the large payout of a ransomware attack and the fact there are so many organizations with a presence on the Internet, groups may not even need a high success rate to make a decent living. Making sure that there is no one straightforward way to access your internal network may help your organization to be a less attractive target to ransomware groups.