Ransomware vs Microsoft Defender for Endpoint: A Behavioural Analysis (2024)

Author: Curtis S., Security Analyst

Broadly defined, ransomware is an attack in which a hacker takes control of your data and prevents you from accessing it. Your files are only returned when you pay the ransom demand.

There are many categories of ransomware, including the following common examples:

  • Crypto ransomware: This is the most common type of ransomware. This type encrypts files and makes them accessible only with a decryption key. It is often spread via emails and websites.
  • Scareware: With this type of ransomware, a user is tricked into thinking a virus is present with multiple pop-ups and “urgent” messages. To fix the presumed issue, users are directed to pay, or click on something that deploys even more damaging ransomware.
  • Locker ransomware: Appropriately named, this type of ransomware is when the user is completely locked out of their applications. There is often a ransom payment demand along with a deceiving message making the user feel like they have done something wrong.
  • Ransomware as a Service: RaaS is a delivery method for ransomware. Any amateur bad actor can subscribe to RaaS to execute ransomware easily, while the RaaS provider, a professional hacker, manages the details, including dark web distribution, payment collection, access restoration, and more.

Within these categories are hundreds of ransomware programs. Curtis Slade, a Security Analyst at Bulletproof, has taken the top 30 ransomware programs and executed them in a controlled sandbox environment. A sandbox environment is an isolated testing environment that does not impact the network or platform. This environment was running a fully updated Microsoft Defender for Endpoint.

Putting Microsoft Defender for Endpoint to the Test

Microsoft Defender for Endpoint is a security platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats.

The endpoint behavioral sensors collect and process signals from the operating system and send them to Microsoft Defender for Endpoint. These signals are then translated into insights, detections, and recommended responses to advanced threats.

[Figure 1]

The Test

When Curtis Slade set out to test the detection and response capabilities of Defender, he used the following ransomware samples:

[Figure 2: the 30 ransomware samples used in the test]

Curtis began by extracting samples from password-protected ZIP files to the filesystem of the sandbox environment to see whether Defender would detect the file as soon as it was written to the system. The following methodology was employed to ensure the testing process was thorough:

  1. If Defender detects the file, is it then allowed (whitelisted) on the system so that it can go on to execute?
  2. Upon execution, does Defender detect the running process and allow it to run, or is it quarantined?
  3. Every effort was made to allow or whitelist the process on the system to see whether it would go on to encrypt the filesystem.
  4. Where needed, the infected host was rebooted to test the persistence mechanisms within the ransomware and see whether encryption would take place.

The Results

Microsoft Defender for Endpoint had 100 percent protection coverage of all 30 ransomware samples. It protected the endpoint in at least one of three main stages of the attack, which exemplifies its strength against one of the most common and devastating attacks threatening businesses today.

Looking at the individual attack stages, Defender performs the way we would want it to: it detects best at the earliest stages.

Defender had an almost perfect detection rate at the point where the ransomware was written to the filesystem (29/30). This is the critical stage: we want to detect the malware before it even gets to execute.

Malware and ransomware developers are getting smarter, and there are now ways to get malware to execute without ever writing to the filesystem. Historically, ransomware developers and their RaaS business model have not been interested in advanced techniques; most follow a simple approach of gaining access, hitting the system, and getting paid. Unfortunately this model has been extremely effective to date, but if businesses are protected with endpoint products like Defender that successfully stop their attacks, they will see the need to advance their software.

Almost half of the ransomware that was ‘forced’ to execute still did not encrypt the filesystem, which was impressive. As described in the methodology, Defender has to be strongly encouraged to accept the suspect files before they are allowed to execute, let alone get to the point where they run on the system and encrypt files. Filesystem encryption can be further mitigated by Controlled Folder Access, which helps protect important and system folders from being overwritten.
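One way to roll out the Controlled Folder Access mitigation mentioned above, as an added example that is not from the article or from Bulletproof: it reads the current setting, enables audit mode first, adds extra folders to protect (the folder and application paths are assumed), reviews the audit events, and only then switches to block mode.

```powershell
# Added example (not from the article): staged rollout of Controlled Folder
# Access (CFA) with Microsoft Defender. Run from an elevated PowerShell prompt.
# Folder and application paths below are assumptions for illustration.

# 1. Where are we now? 0 = Disabled, 1 = Enabled (block), 2 = AuditMode.
$state = (Get-MpPreference).EnableControlledFolderAccess
switch ($state) {
    0       { 'CFA: Disabled (any process may rewrite protected folders)' }
    1       { 'CFA: Enabled (block mode)' }
    2       { 'CFA: AuditMode (logs would-be blocks, does not block)' }
    default { "CFA: other value ($state)" }
}

# 2. Weak setting is "Disabled". Start with audit mode so legitimate
#    line-of-business apps are not broken before they have been allowed.
Set-MpPreference -EnableControlledFolderAccess AuditMode

# 3. Protect folders holding data the business cannot afford to lose
#    (assumed paths; user profile folders are protected by default).
$extraFolders = @('D:\Finance', 'D:\Shares\HR')
foreach ($f in $extraFolders) {
    if (Test-Path $f) {
        Add-MpPreference -ControlledFolderAccessProtectedFolders $f
    }
}

# 4. Review the audit trail in the Defender Operational log.
#    Event ID 1123 = blocked write, 1124 = audited (would have been blocked).
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1123, 1124
} -ErrorAction SilentlyContinue

$events | Select-Object TimeCreated, Id, Message | Format-List

# 5. Allow any trusted application that showed up in the audit events
#    (assumed path), then move to block mode: the corrected setting.
Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Apps\Backup\backup.exe'
Set-MpPreference -EnableControlledFolderAccess Enabled
```

Repeat step 4 after switching to block mode; a burst of 1123 events from an unexpected process in a protected folder is exactly the encryption stage the article describes and is worth alerting on.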

Malware developers have techniques at their disposal to detect when they’re running in a sandboxed or virtual environment. However, most ransomware developers do not resort to advanced malware techniques such as these. They simply do not need to because they’re in it for the quick win.

Protect Your Files with Microsoft Defender for Endpoint

As proven in Curtis’ testing, Microsoft Defender for Endpoint is a valuable component of a cybersecurity solution, certainly when it comes to protecting your files and data against ransomware. With hundreds of ransomware programs ready to encrypt your files, Defender offers peace of mind for threat detection.

As the 2021 Microsoft Global Security Partner of the Year, Bulletproof has the expertise you need to fully understand the benefits and capabilities of Microsoft Defender for Endpoint. Contact us for a consultation on how Microsoft Defender for Endpoint can be integrated with your security software.
