In the 2024 SE Labs Enterprise Advanced Security (EDR) Ransomware Test, the CrowdStrike Falcon platform achieved a perfect score of 100% in detection, protection, and accuracy, earning the prestigious AAA Award for Advanced Security EDR Protection for the third time in a row.
The Falcon platform detected and blocked 100% of ransomware files and protected endpoints across multiple stages during all simulated ransomware attacks. These results underscore the power of the Falcon platform’s unified, cloud-native architecture and continuous AI innovation, stopping all threats across systems and attack paths with unparalleled speed and precision.
The goal of SE Labs’ 2024 EDR Ransomware Test was to evaluate the Falcon platform’s ability to detect and protect against ransomware using the same tactics, techniques, and tools today’s adversaries employ. Its testing methodology used realistic scenarios based on current threat intelligence and hundreds of known and novel ransomware files from 15 prominent ransomware families. The evaluation spanned the full attack chain to assess detection of all relevant elements of an attack, from delivery and execution to privilege escalation and lateral movement.
SE Labs describes the Falcon platform’s impressive performance in what the company calls the largest public ransomware test:
“CrowdStrike Falcon performed exceptionally well, providing complete detection and protection against all direct ransomware attacks. It also provided thorough insight into the full network breaches that concluded with ransomware deployments. There were no false positive results. An excellent result in an extremely challenging test.”
Inside the SE Labs 2024 EDR Ransomware Test
SE Labs put the Falcon platform through exhaustive testing to evaluate its effectiveness in detecting and protecting against ransomware attacks. This included assessing its ability to accurately detect known and new ransomware variants, identify multi-stage attacks, and block ransomware from deploying on internal targets.
To ensure its evaluation accurately reflects the threats modern organizations face, SE Labs employs current threat intelligence to replicate the tactics, tools, and techniques used by global adversaries carrying out ransomware attacks. The deep attack scenario used in the evaluation includes a full attack chain, from a phishing email or infected website through reconnaissance, privilege escalation, lateral movement, and ransomware deployment. The evaluation also assessed whether the security solution impacts access to legitimate software and websites, and whether it generates false positives, both of which affect the operational cost of a security solution.
SE Labs testers modeled their attacks on the 15 ransomware families listed below, including ransomware-as-a-service (RaaS) providers. They used 443 ransomware files, roughly one-third of which were original samples and two-thirds new variants.
- AvosLocker
- BlackMatter (CARBON SPIDER)
- Cerber
- Darkside (CARBON SPIDER)
- DeathRansom
- GandCrab (PINCHY SPIDER)
- LockBit (BITWISE SPIDER)
- Maolao
- Netwalker (CIRCUS SPIDER)
- Phobos
- Pysa (CYBORG SPIDER)
- Ragnar Locker (VIKING SPIDER)
- Ryuk (WIZARD SPIDER)
- TeslaCrypt
- WastedLocker (INDRIK SPIDER)
In one example of a deep attack test, SE Labs initiated the intrusion with spearphishing, executed malicious code using tools including PowerShell and Visual Basic, then established persistence on external remote services. The attack progressed to privilege escalation, employing techniques such as UAC bypass, process creation with tokens, and token impersonation. Finally, the attackers attempted defense evasion using techniques including disabling tools and deleting files.
The Falcon platform demonstrated its effectiveness throughout this multi-stage attack, using AI-powered indicators of attack, on-sensor machine learning (ML), and cloud-based ML to detect each stage. Its comprehensive AI-powered capabilities successfully stopped the ransomware attack.
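The multi-stage detection described above can be illustrated with a small stage-correlation routine. This is an added example, not CrowdStrike's or SE Labs' code, and it makes no claim about how the Falcon sensor works internally: the telemetry records, the process names, the `security_agent` service name and the stage rules are all constructed for the example. It maps each endpoint event to one of the four stages in the narrative (execution via a script host spawned from an Office application, persistence via a service install, privilege escalation via token impersonation or an integrity-level jump, defense evasion via stopping a security service or deleting files from an already-implicated process), then correlates per host so that a chain covering several stages is raised as one alert rather than four unrelated ones.

```python
"""Correlate endpoint telemetry into a per-host attack chain, stage by stage.

Added example with constructed sample data; not the vendor's or the lab's code.
"""
from collections import defaultdict

# Constructed telemetry for two hosts: ws01 carries a four-stage chain,
# ws02 only shows a user opening a browser. Field names are assumptions.
EVENTS = [
    {"ts": 1, "host": "ws01", "type": "process", "parent": "outlook.exe", "image": "winword.exe"},
    {"ts": 2, "host": "ws01", "type": "process", "parent": "winword.exe", "image": "powershell.exe"},
    {"ts": 3, "host": "ws01", "type": "process", "parent": "powershell.exe", "image": "wscript.exe"},
    {"ts": 4, "host": "ws01", "type": "service_install", "image": "svc_helper.exe"},
    {"ts": 5, "host": "ws01", "type": "token", "action": "impersonate", "image": "svc_helper.exe"},
    {"ts": 6, "host": "ws01", "type": "process", "parent": "svc_helper.exe", "image": "cmd.exe",
     "integrity": "high", "parent_integrity": "medium"},
    {"ts": 7, "host": "ws01", "type": "service_stop", "target": "security_agent"},
    {"ts": 8, "host": "ws01", "type": "file_delete", "path": "C:\\Windows\\Temp\\stage.tmp", "image": "cmd.exe"},
    {"ts": 9, "host": "ws02", "type": "process", "parent": "explorer.exe", "image": "chrome.exe"},
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
SECURITY_SERVICES = {"security_agent"}          # constructed name of the local security tool
STAGES = ("execution", "persistence", "privilege_escalation", "defense_evasion")
INTEGRITY = {"low": 0, "medium": 1, "high": 2, "system": 3}


def classify(event, tainted):
    """Return the stage this event maps to (or None) and update `tainted`,
    the set of process images on the host already tied to the chain.
    Children of tainted parents inherit taint so later low-signal events
    (a file deletion by cmd.exe) can be tied back to the chain."""
    kind = event["type"]
    image = event.get("image")
    parent = event.get("parent")
    stage = None
    if kind == "process":
        if image in SCRIPT_HOSTS and parent in OFFICE_APPS | SCRIPT_HOSTS:
            stage = "execution"
        elif INTEGRITY.get(event.get("integrity"), 0) > INTEGRITY.get(event.get("parent_integrity"), 0):
            stage = "privilege_escalation"      # child runs at a higher integrity than its parent
        if stage or parent in tainted:
            tainted.add(image)
    elif kind == "service_install":
        stage = "persistence"
        tainted.add(image)
    elif kind == "token" and event.get("action") == "impersonate":
        stage = "privilege_escalation"
        tainted.add(image)
    elif kind == "service_stop" and event.get("target") in SECURITY_SERVICES:
        stage = "defense_evasion"               # disabling the security tool
    elif kind == "file_delete" and image in tainted:
        stage = "defense_evasion"               # cleanup by an implicated process
    return stage


def correlate(events):
    """Group events by host in time order and collect the distinct stages seen.
    Three or more stages on one host is reported as a multi-stage attack."""
    per_host = defaultdict(lambda: {"stages": [], "tainted": set()})
    for ev in sorted(events, key=lambda e: e["ts"]):
        state = per_host[ev["host"]]
        stage = classify(ev, state["tainted"])
        if stage and stage not in state["stages"]:
            state["stages"].append(stage)
    report = {}
    for host, state in per_host.items():
        n = len(state["stages"])
        verdict = "multi_stage_attack" if n >= 3 else ("suspicious" if n else "benign")
        report[host] = {"stages": state["stages"], "verdict": verdict}
    return report


def stage_coverage(stages):
    """Fraction of the modelled stages for which an alert was raised."""
    return len(set(stages) & set(STAGES)) / len(STAGES)


if __name__ == "__main__":
    for host, result in correlate(EVENTS).items():
        print(host, result["verdict"], result["stages"], stage_coverage(result["stages"]))
```

The taint set is the part worth noting: a file deletion on its own is not an alertable event, but once the deleting process descends from an implicated service binary it becomes the defense-evasion step of a chain, which is the kind of per-stage visibility the test report credits the platform with.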
SE Labs reports the Falcon platform detected all ransomware attacks, earning a 100% Detection Accuracy Rating. It generated alerts for all stages in every attack and provided valuable visibility into every stage. The Falcon platform detected and blocked all ransomware files during direct attacks, including the new variants, earning a 100% Protection Rating. It also correctly identified all legitimate software and URLs. Throughout the evaluation, the Falcon platform generated no false positives, scoring a 100% Legitimate Application Rating.
An Industry Leader in Ransomware Defense
In summing up the Falcon platform’s performance in the largest public ransomware test, SE Labs reports:
“CrowdStrike Falcon performed exceptionally well at protecting against known and new variants of ransomware, as well as tracking network attacks that concluded with ransomware payloads. It has improved its already excellent performance in a previous ransomware test and is fully deserving of its AAA Enterprise Advanced Security Award.”
These results are a testament to the Falcon platform’s capabilities:
- Unified Protection Across the Attack Lifecycle: CrowdStrike unifies endpoint, cloud, identity, and data protection in a single platform, providing comprehensive visibility and protection across the full attack lifecycle. The Falcon platform’s ability to generate alerts for, and provide insight on, each stage of an attack enables security teams to detect lateral movement, block credential misuse, and stop attacks before they disrupt operations.
- AI-Driven Detection and Response: CrowdStrike uses innovative behavioral AI and machine learning trained on trillions of security events to proactively stop ransomware, including unknown variants. During SE Labs’ testing, the Falcon platform detected malicious patterns and correlated activity across endpoints, networks, and users to identify threats before execution. It blocked sophisticated lateral movement techniques used by ransomware families like DeathRansom and Ryuk as they attempted to spread deeper into the network.
- Cloud-Native Architecture Built for Speed and Scale: CrowdStrike’s cloud-native architecture enables rapid deployment, scalability, and centralized management for endpoint and workload protection. By processing endpoint telemetry in the cloud, the Falcon platform provides real-time analysis and threat detection without straining resources. This approach allowed CrowdStrike to block ransomware families like GandCrab and LockBit, preventing file encryption and tool modifications while ensuring immediate threat containment across distributed environments.
The Falcon platform’s performance in public, third-party evaluations upholds CrowdStrike’s reputation as a cybersecurity industry leader. Independent assessments like the SE Labs Ransomware test consistently show that CrowdStrike’s powerful integration of cloud-native technology, AI, and machine learning, coupled with our extensive threat intelligence network, effectively halts advanced cyber threats and prevents breaches.