Ransomware Test Report - 2025

-

 Ransomware Test Report - 2025

Test summary


This report has been prepared to evaluate the activities of Malwarebytes, Avast and Windows Defender against Ransomware attacks. In the test, a specially developed Ransomware Pyload tool was used.


Software used in the test

Malwarebytes

Avast antivirus

Microsoft Windows Defender (Windows 10/11 versions)

Attack vector: pyload


The pyload used in the test is a Ransomware module that encrypts certain file extensions (.TXT, .PNG, etc.) in the target system using a Fixed Switch and IV with a CBC algorithm. After encryption, encrypted content is written on the original files and the .dust suffix is ​​added to the file extensions. In addition, a ransom note is left to the desktop user.


Pyload takes the following steps:


Scans the target extension files under the user's profile directory.

Passwords with AES-256 CBC.

Changes the extensions of files to .dust.

Leaves the ransom note on the desktop.

Test results

Three antivirus software could not detect the file encryption attack by Pyload.

The encryption of the files has been completed and file access was prevented.

The ransom grade has become visible in the system.

Real -time protection modules of antiviruses could not stop the attack and no warning or quarantine was performed.

Evaluation


Tested antivirus software failed to detect the AES-256-based Ransomware attack by PYLOAD. This shows that although the unique signature cannot be created due to the use of fixed switches and IV, and that the Pyload code is not polymorphic or obfuske, an effective detection mechanism is not activated.


Suggestions

Strengthening of behavioral analysis and anomalial detection modules of antivirus products.

Integration of real -time -following systems of file encryption activities.

Using unique switches in each installation instead of fixed cryptographic switches.

Development of user training and system backup policies.

Video

Yorumlar

Yorum Gönder

Bu blogdaki popüler yayınlar

New Amsi bypass 2025

-
  AMSI Bypass Techniques: Evading Windows Defender with Modern Methods Introduction Hello Microsoft team and fellow cybersecurity enthusiasts, In this post, I’ll walk you through the process of bypassing the Antimalware Scan Interface (AMSI) on Windows. We’ll explore traditional evasion methods, their limitations, and how modern, more sophisticated techniques—especially those implemented using a tool I developed called Micrasota —can be used to defeat AMSI and Windows Defender effectively. What is AMSI? AMSI is a Microsoft security feature designed to scan and block malicious code, especially scripts executed via PowerShell, CMD, WScript, or CScript. While powerful, AMSI has several design limitations that make it vulnerable to certain evasion techniques. Traditional Methods vs. Micrasota Old-school bypass techniques include: Code fragmentation Variable manipulation Instruction concatenation These methods were once effective but are now easily detected by Wind...
Devamı

Defender bypass methot

-
Defender bypass methot: Command Execution via gatherNetworkInfo.vbs and Defender Bypass: A Technical Analysis 📅 Date: 19.02.2025 ✍️ Author: Eneshan Erdoğan Karaca 🎯 Topic: System32, Command Execution, Defender Dynamics, LOLBins 📂 Analyzed File: gatherNetworkInfo.vbs 🔍 Introduction Certain built-in script files in Windows are designed for system-related tasks. One such file, gatherNetworkInfo.vbs, is used to collect network information and resides in the System32 directory. This article provides a technical examination of the script’s structure, its command execution capabilities, and how Windows Defender approaches this file. 1️⃣ Command Execution Behavior in gatherNetworkInfo.vbs 🧠 Script Behavior The gatherNetworkInfo.vbs script utilizes the WScript.Shell object to perform command-line operations. For example, the script can be structured as follows: vbscript Set shell = CreateObject("WScript.Shell") shell.Run "cmd /c echo Hello World!" This setup allows sile...
Devamı

2025 apt Antivirus test

-
APT Simülasyon Test Raporu - 2025 APT Simülasyon Test Raporu - 2025 Hazırlayan: Enes Amaç: Farklı antivirüs yazılımlarına karşı hedef sistemde gerçekleştirilmiş APT (Advanced Persistent Threat) saldırı senaryolarının tespit edilebilirliğini değerlendirmek. Test Ortamı İşletim Sistemi: Windows 10 Pro (21H2), 64-bit Test Makinesi: VM ortamında, internet bağlantılı, 4 GB RAM, 2 CPU Antivirüsler: Varsayılan ayarlar ile yüklü (gerçek zamanlı koruma açık) Test Süreci: Tüm saldırılar manuel olarak tetiklenmiş, sonuçlar anlık izleme ile kaydedilmiştir. 1. Saldırı Senaryoları Senaryo Açıklama Teknik 1 DLL dosyası aracılığıyla kötü amaçlı yük sistemde çalıştırıldı. DLL, PowerShell tabanlı AES şifreli komut alma ve sonuç gönderme mekanizması ile komut ve kontrol (C2) kanalı kurdu. Saldırgan, bu yöntemle hedef sistem üzerinde sürekli ve gizli iletişim sağladı. Reflective DLL Injection, AES 2 VBS script ile PowerSh...
Devamı