Windows Defender vs Ransomware 2022

Let's test Windows Defender against ransomware to see where we're at when it comes to real-time protection. As usual, we're going to use some of the most infamous threats from the last five years, including ransomware like Ryuk, Petya, WannaCry, all of that good stuff, plus new additions that we have picked up over the last few months. We're going to run a script that automates the execution of these samples. Now, as some of you who've read the blogs know, we've had mixed results with this test before, so I am curious to see if there are any improvements.
So let the testing begin. So far so good: we're seeing some detections from Windows Defender and a detection ratio of 90-plus percent. But I'm pretty sure we've got some ransomware executing. Here we've got FSociety screen-locking; it's the jester that's locked us. We're going to get rid of that. We're going to have to wait and see if any of our data is encrypted after the test, but so far it looks good. We don't have any ransom note on the desktop yet, and we're almost done. So we've executed all 71 files and, interestingly, we've got three misses: BlackClaw, FSociety and Scarab were not blocked immediately. Now, that doesn't mean they were not blocked at all. They may have been blocked reactively or later on in the execution chain, but they were at least allowed to launch into memory, and that's what the test tracks. Just out of curiosity, though, I'm going to rerun this test, because I swear that last time around Scarab and FSociety were blocked, at least with the internet turned on.
So let's go ahead and re-execute the test and see if we get the same result or if it starts doing something different. Now it's only Scarab, and we actually have a ransom note showing up on the desktop. Interestingly, even though in theory Windows Defender should be detecting all of these samples, if we take a look at our documents, they are actually encrypted by Scarab, and this is on Windows 11 with Windows Defender fully turned on and enabled. So that's a pretty big surprise as far as I'm concerned. In our previous test, Windows Defender did successfully protect our files in the online test; it didn't block these threats in the offline test. But I guess the online detection is unreliable. I wasn't expecting this at all, but it does seem like all our pictures and everything in the documents folder is now encrypted. Damn. If we take a look at the extension, I think this is Scarab. So Scarab seems to be an Achilles heel for Windows Defender, because it was the one that was missed in one of the previous tests as well; it was detected in a later test, and now it's gone back to being missed.

Now I do want to do a couple of other tests to see how it goes, even though it's quite disappointing that it managed to let a well-known ransomware encrypt all of our data in the very first test. We are going to restore the snapshot, and now we're going to try to run the same test offline, to test the offline protection of Windows Defender, because we do know that it relies a lot on those cloud queries, and I just want to see what the on-system component is that's protecting our data and the system integrity. So here we go. Once again, BlackClaw is not detected. Now I'm hearing my fans ramp up a lot more, so Windows Defender seems to be doing more analysis, taking up more resources, when these samples are being run offline. You can see the CPU usage go all the way up to 25 percent when it's offline.
Almost 30 percent now, 35 I think. It is doing some sort of intensive static analysis, at least on these files, if not behavioral, but we'll see if that results in a difference in terms of the outcome. It seems like we're having more executions of ransomware, as I would have expected. I suppose now that it's offline and the cloud protection can't help, our system is totally being encrypted, nuked right now, so I'm not going to bother waiting for this to complete. So we're back online and we have one final test to run, and this is going to be slightly different. We're not going to run real ransomware for this one, well, not technically; what we have is a simulated script that's going to try to encrypt our data in the same pattern that ransomware does.
So we're going to have a public key and a private key. It's going to use RSA, obviously, and it's going to use AES to encrypt the data, with RSA for sharing the key with the attacker. I've set it up similarly: I have a Python script that does just that, so I just need to run it. It's going to be called encrypt.py. Now we want to see if Windows Defender is able to intercept this. There's no way Windows Defender would have raw signatures for this, because we just wrote it ourselves. I just misspelled it there, so I'm going to fix that, and as you can see, when we try it out, it says ransomware found and it does not execute successfully. So it is able to block threats without explicitly knowing them beforehand or having the specific hash in the cloud. So there is some kind of static analysis happening in the background, but it wasn't effective enough to prevent a real-world threat from encrypting our data, and more importantly the behavioral ransomware component did not notice the file encryption or any of the activities that ransomware does that are suspicious. That's more my concern, because if it's not able to block a well-known threat, is it really going to be able to block a zero-day ransomware that comes your way?
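The hybrid scheme the simulated script is described as using, as an added example written for this page (it is not the author's encrypt.py and it deliberately touches no files): the data is a constructed in-memory byte string, a fresh AES-256 key is generated per "file", the data goes under AES-GCM, and that AES key is wrapped with the attacker's RSA-2048 public key using OAEP. Only the matching private key, which in the real pattern never exists on the victim machine, can unwrap the file key and recover the data. Go's standard library is used so the example runs without third-party packages; the key sizes, function names and sample document are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is what a victim-side encryptor leaves behind per file: the
// per-file AES key wrapped under the attacker's RSA public key, the GCM
// nonce, and the AES-GCM ciphertext. Nothing in it can be opened without
// the attacker's private key.
type Envelope struct {
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte
}

// NewAttackerKey models the key pair generated on the attacker's side.
// Only the public half would ever be shipped inside the payload.
func NewAttackerKey() (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, 2048)
}

// Seal is the victim-side step: fresh random AES-256 key, AES-GCM over the
// data, then RSA-OAEP over the AES key. The raw AES key is cleared afterwards
// so it does not linger in this buffer for a memory-forensics tool to find.
func Seal(pub *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	aesKey := make([]byte, 32)
	if _, err := rand.Read(aesKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(aesKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, aesKey, nil)
	if err != nil {
		return nil, err
	}
	for i := range aesKey {
		aesKey[i] = 0
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// Open is the attacker-side (or paid-for decryptor) step: unwrap the AES key
// with the private key, then decrypt. A wrong private key fails at the OAEP
// step; a tampered ciphertext fails the GCM tag check.
func Open(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	aesKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("cannot unwrap file key: wrong private key")
	}
	gcm, err := newGCM(aesKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Demo runs the full exchange on a constructed in-memory "document" and
// reports whether the attacker's key recovers it and a different key does not.
func Demo() (recovered bool, wrongKeyRejected bool, err error) {
	attacker, err := NewAttackerKey()
	if err != nil {
		return false, false, err
	}
	doc := []byte("constructed sample: quarterly report, not a real file")
	env, err := Seal(&attacker.PublicKey, doc)
	if err != nil {
		return false, false, err
	}
	got, err := Open(attacker, env)
	if err != nil {
		return false, false, err
	}
	recovered = string(got) == string(doc)
	other, err := NewAttackerKey() // an unrelated key pair, e.g. a victim guessing
	if err != nil {
		return recovered, false, err
	}
	_, err = Open(other, env)
	wrongKeyRejected = err != nil
	return recovered, wrongKeyRejected, nil
}

func main() {
	ok, rejected, err := Demo()
	fmt.Println("recovered with attacker key:", ok, "| wrong key rejected:", rejected, "| err:", err)
}
```

The split between the two algorithms is why the pattern looks the way it does: RSA-OAEP can only encrypt a message shorter than the modulus minus padding, so bulk data has to go under a symmetric cipher, and wrapping only the 32-byte AES key means the victim machine never holds anything that can reverse the encryption. A behavioral detector therefore cannot rely on seeing a key; what it can see is the burst of reads, rewrites and renames that the file loop produces, which is exactly what this in-memory example leaves out.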
The results were surprising to me. I was expecting it to fail the test in the later parts, but not so much in the first part. I was expecting it to block the well-known threats with its signatures, and that didn't happen, and I think it may surprise many others.
Cyber Protect Home Office is a product that actually ties in all the different aspects of ransomware protection that I talk about all the time. First one: backup. It's got on-system as well as cloud backup built in, so you can recover from any ransomware attack. It's also got real-time protection against ransomware and illicit crypto mining. If you go into settings, it's got all the bells and whistles: it can protect your NAS, it can protect your backup files (very important), and it's also got proper real-time protection along with behavioral monitoring, so it can detect malicious behavior in processes, with web filtering as well and even a vulnerability assessment module.


