The Heads Up: Solving Ransomware with AV...the definition of insanity?

Posted by: Alex Kurz  /  18 April 2017 10:00:00 BST

In the light of the recent global ransomware cyber attack, we felt it appropriate to repost this blog for your information. The original post was dated 18 April, 2017.

The speed at which ransomware is proliferating is mind-blowing. In 2015, SonicWall’s Global Response Intelligence Grid recorded around 3.8 million attacks. By last year, that had grown to 638 million. Yes, you read that right: 638 million, roughly 167 times the 2015 figure. And it’s easy to see why. Ransomware is particularly profitable for attackers. It’s a nasty type of malware that holds your data hostage by encrypting it and then demanding payment for the decryption key. Stand and deliver on steroids.

So, what’s the answer? AV, AV and more AV?

Despite the fact that it evidently isn’t working, the industry’s response to ransomware still seems to be that AV scanning is the best possible protection. It may be positioned and marketed slightly differently, but it is still AV.

AV scanners have been ubiquitous for many years. Computers come with AV pre-installed. There are server-based versions, AV-as-a-Service offerings, and most traditional web gateways integrate the major AV engines as well. The problem is that signature-based scanning only catches what the vendor has already seen. Ransomware operators rebuild or repack their payload for each campaign, so every new build has a different hash and sails past the signature written for the last one. New versions are created and distributed far faster than AV vendors can keep track, which makes traditional AV close to worthless against the first wave of a new campaign, which is exactly when it matters.

So why is AV still a "must have" checkbox for web filtering?

We see it time and time again: AV is always a "must have" in any tender for web filtering. Why? Because admins are used to it. Because it has always been there. Because they would feel exposed without it. Because server AV, desktop AV, smart firewalls and whatever else they have in place just don’t seem to be enough. So let’s throw another AV engine at it?

As the saying commonly attributed to Albert Einstein goes, "The definition of insanity is doing the same thing time and time again and expecting a different result." That approach clearly isn’t working with ransomware.

New threats, new approach…

New threats call for new solutions. Unified security deals with ransomware in a completely different way: it doesn’t identify malicious content by analyzing the binary itself (the desktop scanner does that anyway). Instead it takes advantage of the fact that malware, however it is packed, has to be distributed from somewhere, and that the distribution point can be identified and blocked regardless of what the payload looks like today.

Our categorization engine combines static analysis, behavioral analysis, third-party industry feeds, and human-supervised, validated machine learning to work out which sites are being used to distribute ransomware and other malware. This is not limited to known dodgy web sites. All web pages, including news portals, vendor sites and other well-reputed pages, are regularly re-analyzed and listed if they start misbehaving, because a compromised page on a trusted domain is a distribution point too. So instead of repeating the same tricks every desktop scanner can pull off, CensorNet’s Unified Security Service adds real value by stopping the download before the payload ever reaches the network. The future is integrating proper machine learning and behavior-based threat analytics that cover not just web-borne threats but every vector: web, email and apps.
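To make the argument concrete, here is an added example; it is not CensorNet’s code and does not model the real Unified Security Service engine. It contrasts the two layers the post describes: a hash-signature scanner standing in for traditional AV, and a gateway categorization list keyed on the distribution point (host plus path) rather than the payload. The payload bytes, the listed hosts and the downloads are all constructed for illustration, and the listing entries are hypothetical. The last download is deliberately included as the caveat a practitioner would want: a repacked build served from a host the categorization engine has not yet analyzed gets past both layers.

```python
import hashlib
from dataclasses import dataclass
from urllib.parse import urlsplit

# ---- Layer 1: hash-signature scanning, the model traditional AV uses for known samples.
# Constructed stand-in for a ransomware binary; no real malware is embedded here.
KNOWN_SAMPLE = b"MZ\x90\x00 constructed-ransomware-payload build=v1"
# The vendor has already seen this exact build and shipped a signature for it.
SIGNATURES = {hashlib.sha256(KNOWN_SAMPLE).hexdigest()}


def av_scan(payload: bytes) -> bool:
    """Return True when the payload's SHA-256 matches a known signature."""
    return hashlib.sha256(payload).hexdigest() in SIGNATURES


# The operator repacks for the next campaign: same behaviour, a few bytes different, new hash.
REPACKED_SAMPLE = KNOWN_SAMPLE.replace(b"build=v1", b"build=v2")


# ---- Layer 2: gateway categorization keyed on the distribution point (host and path),
# independent of what the payload looks like. Entries are hypothetical; a real service
# would be fed by static/behavioural analysis, third-party feeds and ML, as the post says.
@dataclass(frozen=True)
class Listing:
    host: str
    path_prefix: str  # "" lists the whole host; a non-empty prefix lists only that path
    category: str


CATEGORIZATION = [
    Listing("cdn-update-srv.example", "", "malware-distribution"),
    # A reputable news site whose single compromised page serves the payload.
    Listing("news.example", "/ads/promo.js", "compromised-page"),
]
BLOCKED_CATEGORIES = {"malware-distribution", "compromised-page"}


def categorize(url: str) -> str:
    """Return the category of the most specific matching listing, else 'uncategorized'."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()  # urlsplit already lowercases hostnames
    best = None
    for entry in CATEGORIZATION:
        if host == entry.host and parts.path.startswith(entry.path_prefix):
            if best is None or len(entry.path_prefix) > len(best.path_prefix):
                best = entry  # longest path prefix wins, so a page listing beats a host listing
    return best.category if best else "uncategorized"


def gateway_allows(url: str) -> bool:
    return categorize(url) not in BLOCKED_CATEGORIES


def evaluate(url: str, payload: bytes) -> dict:
    """Run one download through both layers and report which one (if any) stopped it."""
    gateway_blocked = not gateway_allows(url)
    av_detected = av_scan(payload)
    return {
        "url": url,
        "category": categorize(url),
        "gateway_blocked": gateway_blocked,
        "av_detected": av_detected,
        "stopped": gateway_blocked or av_detected,
    }


# Constructed downloads: (URL the client requested, bytes it would have received).
DOWNLOADS = [
    ("https://cdn-update-srv.example/invoice.exe", KNOWN_SAMPLE),       # old build, listed host
    ("https://cdn-update-srv.example/invoice_2.exe", REPACKED_SAMPLE),  # new build, same host
    ("https://news.example/ads/promo.js", REPACKED_SAMPLE),             # new build via trusted site
    ("https://news.example/world/story.html", b"<html>benign</html>"),  # rest of the site stays open
    ("https://fresh-host-0421.example/setup.exe", REPACKED_SAMPLE),     # new build, host not yet listed
]


def run_all() -> list:
    return [evaluate(url, payload) for url, payload in DOWNLOADS]


if __name__ == "__main__":
    for r in run_all():
        if r["gateway_blocked"]:
            verdict = "BLOCKED at gateway"
        elif r["av_detected"]:
            verdict = "caught by AV"
        else:
            verdict = "NOT STOPPED"
        print(f"{verdict:18} {r['category']:22} {r['url']}")
```

Two things to take from running it: the repacked build is invisible to the hash scanner in every case, but the gateway still blocks it wherever the distribution point has been listed, including a single compromised path on a domain that otherwise stays reachable. The fifth download shows the residual gap that categorization lag leaves, which is why the post talks about regular re-analysis rather than a static blacklist, and why neither layer is a reason to drop the other.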

So, while you might not be prepared to let go of AV just yet (and that’s understandable, considering how long you’ve been married to it), it is important to start thinking about protecting your organization from ransomware in a different way. They say the first sign of insanity is talking to yourself. Excuse me? Did you just say something?

Topics: Cloud Application Control, Email security, Ransomware, Unified Security Service, Secure Web Gateway