Wednesday 15 February 2017

Can AV stop Ransomware?


I've read a few articles recently questioning whether "traditional" anti-virus solutions can stop Ransomware. There have also been articles comparing "traditional" and "next generation" solutions, each with its own agenda, and each questioning the other's ability to prevent Ransomware.

I feel that it's a simplistic approach to ask whether solution "X" or "Y" will prevent Ransomware, especially without understanding how Ransomware works.

If a majority (93-98%, depending on which survey you read) of Ransomware comes into an environment via email, then the first point of preventing Ransomware is using an email security solution. Other entry points can be drive-by downloads or malvertising, so a web security solution can also help prevent the delivery of Ransomware.
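To make the "first point of prevention" concrete, here is an added example (not code from the original post) of the kind of attachment policy an email security gateway applies before a message ever reaches a user: it parses a message with Python's standard `email` library, classifies each attachment as allow, quarantine or block, and looks inside zip archives because executables and scripts are routinely wrapped in them. The extension lists, the verdict names and the sample message are all constructed for this example and are not a vendor's policy.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Constructed policy lists for this example (not exhaustive, not a vendor policy).
# Executable and script types that a gateway would normally block outright.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".js", ".jse", ".vbs", ".wsf",
                      ".hta", ".ps1", ".cmd", ".bat", ".lnk"}
# Macro-enabled Office formats: hold for review rather than deliver.
MACRO_EXTENSIONS = {".docm", ".xlsm", ".pptm"}
ARCHIVE_EXTENSIONS = {".zip"}


def _ext(name):
    """Lower-case extension of a filename, including the dot ('' if none)."""
    name = name.lower()
    idx = name.rfind(".")
    return name[idx:] if idx >= 0 else ""


def _names_in_zip(data):
    """File names inside a zip payload, or None if it is not a readable zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [info.filename for info in zf.infolist() if not info.is_dir()]
    except zipfile.BadZipFile:
        return None


def classify_attachment(filename, data):
    """Return (verdict, reason) for one attachment; verdict is allow/quarantine/block."""
    ext = _ext(filename)
    if ext in BLOCKED_EXTENSIONS:
        return "block", f"executable attachment type {ext}"
    if ext in MACRO_EXTENSIONS:
        return "quarantine", f"macro-enabled document {ext}"
    if ext in ARCHIVE_EXTENSIONS:
        inner = _names_in_zip(data)
        if inner is None:
            # Unparseable archives cannot be inspected, so do not deliver them.
            return "quarantine", "archive could not be parsed"
        for inner_name in inner:
            if _ext(inner_name) in BLOCKED_EXTENSIONS | MACRO_EXTENSIONS:
                return "block", f"archive contains {inner_name}"
        if any(_ext(n) in ARCHIVE_EXTENSIONS for n in inner):
            # Nested archives are a common way to hide the real payload.
            return "quarantine", "nested archive"
    return "allow", "no policy match"


def scan_message(raw_bytes):
    """Parse a raw RFC 822 message and classify every attachment in it."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    verdicts = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        verdict, reason = classify_attachment(name, data)
        verdicts.append((name, verdict, reason))
    return verdicts


def overall_verdict(verdicts):
    """The most severe verdict decides what happens to the whole message."""
    ranking = {"allow": 0, "quarantine": 1, "block": 2}
    worst = "allow"
    for _, verdict, _ in verdicts:
        if ranking[verdict] > ranking[worst]:
            worst = verdict
    return worst


def make_zip(entries):
    """Build an in-memory zip from (name, bytes) pairs (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries:
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample_message(attachments):
    """Constructed sample email carrying the given (filename, bytes) attachments."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see attached.")
    for name, data in attachments:
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


if __name__ == "__main__":
    sample = build_sample_message([
        ("invoice.pdf", b"%PDF-1.4 constructed sample"),
        ("invoice.zip", make_zip([("invoice.js", b"// constructed sample")])),
    ])
    results = scan_message(sample)
    for entry in results:
        print(entry)
    print("overall:", overall_verdict(results))
```

The point of the archive branch is that the gateway's verdict is only as good as its ability to see inside what it delivers; anything it cannot open is held rather than passed through.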

Once on the computer, the malware will look for a vulnerability, whether in the operating system, the browser or a third-party application. Patching the computer will protect it from known vulnerabilities, whether that's carried out manually or using a patch remediation solution.

Once your computer is exploited, the Ransomware can be installed. This assumes that the user had local administrative rights on the computer. Application Control solutions could also prevent the installation of the Ransomware. This is the point where an anti-virus/anti-malware solution would be expected to stop the installation of the Ransomware.

Once the Ransomware is installed, it will typically communicate back to the Command and Control server. This traffic will need to cross a perimeter solution, so it could be seen by an NGFW, a web security solution, or a SIEM or logging solution.

After this, the Ransomware will encrypt the computer's hard drive and demand a ransom. At this point, the options are recovering from backups or paying a ransom in the hope that a decryption key will be provided.
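The encryption stage described above is also the noisiest one on the endpoint: a single process touching and renaming hundreds of user files in a few seconds looks nothing like normal activity. As an added example (not from the original post), the following Python detector runs over a constructed sample of file-system events in an assumed `timestamp pid action path [newpath]` line format and raises an alert when one process touches more distinct files inside a short window than a threshold allows, recording any new extension its renames introduced. The window, threshold and event format are assumptions for this example, not a product's logic.

```python
import os
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=10)   # assumed sliding window
THRESHOLD = 20                   # assumed: distinct files per process per window


def parse_event(line):
    """Parse one assumed-format event line: '<iso ts> <pid> <ACTION> <path> [<newpath>]'."""
    parts = line.split()
    ts = datetime.fromisoformat(parts[0])
    pid = int(parts[1])
    action = parts[2]
    src = parts[3]
    dst = parts[4] if len(parts) > 4 else None
    return ts, pid, action, src, dst


def detect_mass_modification(lines, window=WINDOW, threshold=THRESHOLD):
    """Alert once per process that touches >= threshold distinct files within window."""
    recent = defaultdict(deque)   # pid -> deque of (timestamp, path) inside the window
    new_exts = defaultdict(set)   # pid -> extensions introduced by its renames
    alerted = set()
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ts, pid, action, src, dst = parse_event(line)
        q = recent[pid]
        q.append((ts, src))
        # Drop events that have fallen out of the sliding window.
        while q and ts - q[0][0] > window:
            q.popleft()
        if action == "RENAME" and dst:
            old_ext = os.path.splitext(src)[1].lower()
            new_ext = os.path.splitext(dst)[1].lower()
            if new_ext and new_ext != old_ext:
                new_exts[pid].add(new_ext)
        distinct = {path for _, path in q}
        if len(distinct) >= threshold and pid not in alerted:
            alerted.add(pid)
            alerts.append({
                "pid": pid,
                "at": ts.isoformat(),
                "files_in_window": len(distinct),
                "new_extensions": sorted(new_exts[pid]),
            })
    return alerts


def build_sample_events():
    """Constructed sample: a slow benign process and a fast mass-renaming one."""
    base = datetime(2017, 2, 15, 9, 0, 0)
    lines = []
    # pid 300: a word processor saving five different files over a minute.
    for i in range(5):
        ts = base + timedelta(seconds=15 * i)
        lines.append(f"{ts.isoformat()} 300 WRITE /home/alice/docs/notes{i}.docx")
    # pid 412: 25 documents renamed to a new extension within 2.5 seconds.
    for i in range(25):
        ts = base + timedelta(seconds=61) + timedelta(milliseconds=100 * i)
        src = f"/home/alice/docs/report{i}.docx"
        lines.append(f"{ts.isoformat()} 412 RENAME {src} {src}.locked")
    return lines


if __name__ == "__main__":
    for alert in detect_mass_modification(build_sample_events()):
        print(alert)
```

The benign process never accumulates more than one file inside any ten-second window, so it stays silent; the renaming process crosses the threshold on its twentieth file and the alert carries the extension it is stamping onto documents, which is exactly the detail a responder wants first.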

Can (traditional or next generation) anti-virus or anti-malware solutions stop Ransomware? Potentially, but that's assuming there is no email security solution, no web filtering solution, no patch remediation, no application control, users have local admin rights, no next generation firewall (NGFW), no SIEM solution, and no backups are in place.

Let's not get stuck trying to find a silver bullet, but rather understand the attack and apply appropriate measures at each stage to prevent this from happening to you.