Ransomware continues to terrorize businesses around the globe and while a lot of anti-malware and cybersecurity vendors claim that their product protects against ransomware, in reality, it may be not entirely true. In their Advanced Protection tests, the famous German testing institute, AV-Test.org, wanted to accent how various products deal with ransomware in reality, and at what stage and how threats are actually detected and stopped. The test was commissioned in February 2022, but the results were published in June.
The methodology based on MITRE
As testers from AV-Test explained that a ransomware attack is not simply a matter of black or white, or successful or unsuccessful. When ransomware is detected by a protection product, this does not mean that its execution is completely prevented. In the same way, a failure to detect ransomware at the beginning does not mean that its execution may not be prevented further down the line. That is why the Advanced Threat Protection test explains each step of an attack scenario with a malware sample. Based on the matrix of a MITRE ATT&CK Matrix chart, each step was visualized using a brief description and color coding. If an attack is fended off at the beginning (during the initial access or execution), the field is highlighted in green to indicate that the attack has been successfully prevented. The sooner a green field can be seen, the better. If a field remains orange, the test item is considered undetected (no detection). A yellow field signalizes that the test item has only been partially detected or blocked. In the case of ransomware, this means that some, but not all of the files were encrypted (some files encrypted). And if the last field is orange, everything has been encrypted (files encrypted).
If everything is detected and blocked, the product receives the maximum point total for its protection score. In this test, it is four points. In the final overview, a product can therefore achieve up to 40 points in a total of 10 scenarios. The primary mode of attack is an email with an infected attachment. The attachment always contains dangerous attackers — for example, in the form of Office files with scripts, which then execute further steps via tools such as PowerShell.
Excellent results from Acronis Cyber Protect
While many other products can detect ransomware, not all can successfully stop it and prevent further damage. For Acronis Cyber Protect, 8 out of 10 attacks were detected and prevented on the first stage of initial access which is an excellent result. Two remaining attacks were stopped at the next stage – the execution of which you can see on the “test results” screenshots below.
The only reason this Acronis product did not receive the “Advanced Approved Endpoint Protection” certificate is because AV-TEST only certifies products that achieve certification in their regular monthly tests which Acronis Cyber Protect had not participated in up to this point.
To get started with the only cyber protection solution that integrates data protection, cybersecurity and workload management, sign up for your 30-day free trial of Acronis Cyber Protect Cloud for service providers, or try out Acronis Cyber Protect free for 30 days as a corporate customer.