
Ransomware vs Microsoft Defender for Endpoint: A Behavioural Analysis

Curtis Slade Article

The broad definition of ransomware is when a hacker takes control of your data and prevents you from accessing it. Your files are only returned when you pay the ransom demand. 

There are many categories of ransomware, including the following common examples: 

  • Crypto ransomware: This is the most common type of ransomware. This type encrypts files and makes them accessible only with a decryption key. It is often spread via emails and websites.
  • Scareware: With this type of ransomware, a user is tricked into thinking a virus is present with multiple pop-ups and “urgent” messages. To fix the presumed issue, users are directed to pay, or click on something that deploys even more damaging ransomware.
  • Locker ransomware: Appropriately named, this type of ransomware is when the user is completely locked out of their applications. There is often a ransom payment demand along with a deceiving message making the user feel like they have done something wrong.
  • Ransomware as a Service: RaaS is a delivery method for ransomware. Any amateur bad actor can subscribe to RaaS so they can easily execute ransomware. But the RaaS provider is a professional hacker that will manage the details including dark web distribution, payment collection, access restoration, and more. 

Within these categories are hundreds of ransomware programs. Curtis Slade, a Security Analyst at Bulletproof, has taken the top 30 ransomware programs and executed them in a controlled sandbox environment. A sandbox environment is an isolated testing environment that does not impact the network or platform. This environment was running a fully updated Microsoft Defender for Endpoint.

Putting Microsoft Defender for Endpoint to the Test

Microsoft Defender for Endpoint is a security platform designed to help enterprise networks prevent, detect, investigate, and respond to advanced threats.

The endpoint behavioral sensors collect and process signals from the operating system and send them to Microsoft Defender for Endpoint. These signals are then translated into insights, detections, and recommended responses to advanced threats.


The Test

When Curtis Slade set out to test the detection and response capabilities of Defender, he used the 30 ransomware samples described above.

Curtis began by extracting samples from password-protected ZIP files to the filesystem of the sandbox environment to see if Defender would detect the file as soon as it was written to the system. The following methodology was employed to ensure the testing process was thorough: 

  1. If the file is detected by Defender, is it then allowed or whitelisted on the system so that it can proceed to execution?
  2. Upon execution, does Defender detect the running process on the system, and is it allowed to run or quarantined again?
  3. Every effort is made to allow or whitelist the process on the system to see if it goes on to encrypt the filesystem.
  4. Where needed, the infected host is rebooted to test the persistence mechanisms within the ransomware and see whether encryption takes place after restart.

The Results

Microsoft Defender for Endpoint had 100 percent protection coverage of all 30 ransomware samples. It protected the endpoint in at least one of three main stages of the attack, which exemplifies its strength against one of the most common and devastating attacks threatening businesses today. 

Looking at the attack stages, Defender performs the way we would want it to: it detects the threat most reliably in the earliest stages.

Defender had an almost perfect detection rate when the ransomware sample was written to the filesystem (29/30). This is the critical point where we want to detect the malware, before it even gets to execute. 

Malware and ransomware developers are getting smarter, and there are now ways to get malware to execute without ever writing to the filesystem. Historically, ransomware developers and their RaaS business model have not been interested in advanced techniques, as most take a simple approach: gain access, hit the system, and get paid. Unfortunately, this model has been extremely effective to date, but if businesses are protected with endpoint products like Defender that successfully stop their attacks, they will see the need to advance their software. 

Almost half of the ransomware that was ‘forced’ to execute still did not encrypt the filesystem, which was impressive. As described in the methodology, Defender has to be strongly encouraged to accept the suspect files before they are allowed to execute, let alone reach the point where they can run on the system and encrypt files. Filesystem encryption can be further mitigated by Controlled Folder Access, which helps protect important and system folders from being overwritten. 
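The following PowerShell is an added example, not part of the article or of Bulletproof's test harness. It checks and enforces the Controlled Folder Access mitigation mentioned above on a Defender-protected Windows host, then pulls the Defender operational events that correspond to the three stages the article measures (sample detected on disk, action taken, protected-folder write blocked). The folder path is a constructed placeholder.

```powershell
# Added example: verify and enforce Controlled Folder Access, then review Defender
# events for the three stages discussed in the article. Run in an elevated session.

# 1. Current Controlled Folder Access state (0 = Disabled, 1 = Enabled, 2 = AuditMode)
$pref = Get-MpPreference
"Controlled Folder Access: $($pref.EnableControlledFolderAccess)"
"Protected folders:        $($pref.ControlledFolderAccessProtectedFolders -join ', ')"
"Allowed applications:     $($pref.ControlledFolderAccessAllowedApplications -join ', ')"

# 2. Enforce blocking mode and protect an additional data folder.
#    Use 'AuditMode' first if you need to measure false positives before enforcing.
Set-MpPreference -EnableControlledFolderAccess Enabled
Add-MpPreference -ControlledFolderAccessProtectedFolders 'D:\Shares\Finance'   # placeholder path

# 3. Recent Defender events mapped to the article's stages:
#    1116 = malware detected (e.g. the sample written to disk)
#    1117 = action taken on the detection (quarantine/remove)
#    1123 = Controlled Folder Access blocked a write to a protected folder
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-Windows Defender/Operational'
    Id        = 1116, 1117, 1123
    StartTime = (Get-Date).AddDays(-1)
} -ErrorAction SilentlyContinue

foreach ($e in $events) {
    $stage = switch ($e.Id) {
        1116 { 'detected on disk' }
        1117 { 'action taken' }
        1123 { 'protected folder write blocked' }
    }
    [pscustomobject]@{
        Time    = $e.TimeCreated
        Stage   = $stage
        Summary = ($e.Message -split "`n")[0]
    }
}
```

If an application you trust is blocked at stage 3, add it with Add-MpPreference -ControlledFolderAccessAllowedApplications rather than disabling the feature.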

Malware developers have techniques at their disposal to detect when they’re running in a sandboxed or virtual environment. However, most ransomware developers do not resort to advanced malware techniques such as these. They simply do not need to because they’re in it for the quick win. 

Protect Your Files with Microsoft Defender for Endpoint

As proven in Curtis’ testing, Microsoft Defender for Endpoint is a valuable component of a cybersecurity solution, certainly when it comes to protecting your files and data against ransomware. With hundreds of ransomware programs ready to encrypt your files, Defender offers peace of mind for threat detection.
