The CISO Asked Me to Run Ransomware on His Laptop

Polito Inc logo

While attending the recent AppGuard CISO Summit in Colorado, an executive from a major financial corporation mentioned that he had just completed an enterprise wide purchase of the latest and greatest "next-gen" EDR (Endpoint Detection and Response) tool. Although he was confident in his decision, he wanted an independent test just to be sure. We do not recommend testing your own security using the malware from people you meet at conferences, but in this case we created our own custom “ransomware” to do three very specific things:

  • Encrypt only files with .docx or .jpg extensions in the current working directory

  • Securely send these files and the encryption keys to our AWS command and control server

  • Replace the desktop with a generic ransomware graphic

Within seconds of running our ransomware, his desktop wallpaper changed and the sample files he placed into a test directory were both encrypted and transferred to our server.

The executive’s laptop had the very latest version of a cloud-based, next-generation antivirus endpoint detection and response software, which is likely very good at stopping the majority of attacks and threats his organization might face. Unfortunately, these systems still rely on signatures and known TTPs (tactics, techniques, and procedures) to protect the user and even heuristics will not guarantee detection. Cloud-based antivirus still requires that the system has seen some sample of the malware previously. This can be effective when dealing with malware campaigns where the malware is emailed to multiple users and the antivirus has a chance to learn either through machine learning or with direct human interaction. A custom, independently developed malware program will be brand new to these systems and is unlikely to be detected.

We tested multiple other EDR solutions that day and while none of these systems detected our ransomware, AppGuard was able to stop the execution, preventing data from being encrypted and exfiltrated to a remote server. In our testing, we found that AppGuard is not relying on signatures at all and will block the execution of any inappropriate or non policy conforming behavior. We also tested other common attack vectors like powershell, office macros, and browser vulnerabilities. In those cases, even if the applications were vulnerable, AppGuard was still able to stop the attacks. While we are impressed with AppGuard’s blocking abilities, we do note that detection is still a necessary requirement and we see antivirus and EDR solutions as a valuable part of any organization’s defenses. We also recommend organizations perform rigorous and independent testing of their security solutions to be sure that they are getting the level of protection that they expect.