If Antivirus and Firewalls Are Good Enough, Why are Companies Still Getting Ransomware?

June 8, 2017 | By

Any time a new ransomware threat is disclosed (take WannaCry as a prime example), businesses want to know how they can better protect themselves against ransomware.

Antivirus and firewalls are great foundational tools to have in place, but they’re not built to stop today’s ransomware attacks. Why?

Ransomware attackers have found a way around security technologies that have been in place for years (namely, antivirus and firewalls) by using email. Email has to be allowed through the perimeter, so the firewall passes the malicious message straight to your users. When a user opens that email and takes the action the attacker wants, such as downloading and executing an attachment, antivirus gets one chance to catch the attack. If the antivirus misses it, the attacker has achieved their goal and can hold your data and machine hostage until a hefty ransom is paid.

Attackers are smart, well resourced, and motivated to take your money or information, and they’re going to do whatever it takes to steal from you.

Let’s dive into each of the areas above to see how you can protect your users.


Email Bypasses Your Firewalls

Firewalls are good at stopping unsolicited inbound connections from outside your network. It's the reason attackers can't simply connect to your computer over a remote-access port. However, most firewalls are configured to allow nearly all outbound traffic, because that is what users and applications need to work. Attackers know this: once code is running inside the network, its connections back out to the attacker's infrastructure look like ordinary outbound traffic and are waved through.

Email is the most common way an attacker gets past your firewall. Mail delivery is an allowed service, and the messages travel over encrypted connections the firewall cannot inspect, so attackers can send very convincing messages impersonating trusted senders like a bank or Apple to unsuspecting users. Attackers are very good at social engineering, so users click, and the ransomware gets in.


Users Click

The click is the final step needed to get ransomware running on a victim's machine. It could be an Office document with macros, a PDF carrying an exploit, or a PowerShell script dressed up to look *just* like a delivery notification from FedEx or UPS.

As much as we are fans of user education, there will always be some percentage of people in your organization who click. Let's say you have 200 people at your company. If even ten percent of them click, that's twenty users who could expose your organization to ransomware. Ransomware only needs one person to fall for the attack in order to succeed, so the odds are not in your favor.

So antivirus is your last hope…or is it?


Antivirus Misses Ransomware

When a new ransomware strain is released, it has a unique fingerprint, or signature. An attack signature is a piece of distinctive evidence (a file hash, a byte pattern, a known malicious URL) that identifies a particular piece of malware or, in some cases, an entire family. All malware has signatures, so this part isn't new. The issue with ransomware is that attackers find it all too easy to change those signatures, by repacking or recompiling the payload and rotating the hosting infrastructure it comes from, so antivirus no longer recognizes it.

This gap is called "signature lag." Antivirus programs rely on massive databases of known attacks and their signatures. If ransomware hits your business with a brand-new signature that isn't yet in the antivirus database, the product can't detect, quarantine, and remove the threat from your network. Cisco reported, for example, that it took about two days for antivirus products to spot the malicious Angler payload.

Here's a depiction of how far antivirus detection can lag behind malware:

[Figure: antivirus misses malware]

Source: Cisco Midyear Security Report 2015

So while antivirus can protect your computer from well-known malware, it won't do you any good if the ransomware's signature is too new to be in the database or if the attack is delivered in a way antivirus isn't built to inspect.
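To make signature lag concrete, here is an added example (not code from the original post or from Strongarm) that models a hash-based signature database and a byte-pattern signature, then repacks a constructed stand-in "payload" with a toy XOR packer. The payload bytes, the marker string, the domain payments.example.invalid and all function names are constructed for illustration and are not real malware:

```python
import hashlib
import re

# Constructed stand-in for a malicious executable. It is NOT real malware:
# just bytes with a recognisable marker and an embedded callback domain.
ORIGINAL_PAYLOAD = (
    b"MZ\x90\x00DEMO-LOCKER-STUB\x00"
    b'encrypt_files();contact("payments.example.invalid");\x00'
)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_hash_db(known_samples):
    """Model of an AV signature database keyed on full-file hashes."""
    return {sha256_hex(s) for s in known_samples}


def hash_detect(data: bytes, hash_db) -> bool:
    """Exact-hash signature: hits only if this precise file was seen before."""
    return sha256_hex(data) in hash_db


PATTERN_SIGNATURE = re.compile(rb"DEMO-LOCKER-STUB")


def pattern_detect(data: bytes) -> bool:
    """Content signature: a fixed byte pattern, like a YARA string rule."""
    return PATTERN_SIGNATURE.search(data) is not None


def toy_pack(data: bytes, key: int) -> bytes:
    """Trivial 'packer': XOR every byte with a one-byte key and prefix the key.

    Real packers are far more elaborate, but the effect on static
    signatures is the same: every byte of the stored file changes.
    """
    if not 1 <= key <= 255:
        raise ValueError("key must be 1..255 (0 would leave the data unchanged)")
    return bytes([key]) + bytes(b ^ key for b in data)


def toy_unpack(packed: bytes) -> bytes:
    """What the stub does at run time before the real code executes."""
    key = packed[0]
    return bytes(b ^ key for b in packed[1:])


DOMAIN_RE = re.compile(rb'contact\("([a-z0-9.-]+)"\)')


def callback_domain(unpacked: bytes):
    """What a sandbox or DNS monitor observes once the sample runs: the
    domain it reaches out to. Static repacking does not change this."""
    m = DOMAIN_RE.search(unpacked)
    return m.group(1).decode() if m else None


def signature_lag_demo():
    """Vendor has the original sample; attacker ships a repacked variant."""
    hash_db = build_hash_db([ORIGINAL_PAYLOAD])
    variant = toy_pack(ORIGINAL_PAYLOAD, key=0x5A)
    return {
        "original_hash_hit": hash_detect(ORIGINAL_PAYLOAD, hash_db),
        "original_pattern_hit": pattern_detect(ORIGINAL_PAYLOAD),
        "variant_hash_hit": hash_detect(variant, hash_db),
        "variant_pattern_hit": pattern_detect(variant),
        "original_domain": callback_domain(ORIGINAL_PAYLOAD),
        "variant_domain": callback_domain(toy_unpack(variant)),
    }


if __name__ == "__main__":
    for name, value in signature_lag_demo().items():
        print(f"{name}: {value}")
```

Both static signatures miss the repacked variant even though nothing about its behaviour changed; the callback domain it reveals once unpacked is identical. Attackers do rotate domains as well, which is why the next section is about tracking that infrastructure as it is set up rather than waiting for a sample to be analysed.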

To stop ransomware effectively, you need to go beyond firewalls, education, and signatures and be able to monitor and block suspicious outbound DNS requests.


Why DNS-Based Security Works

By tracking attackers as they set up their campaigns, we can get ahead of the attack. We watch for them to register domains, set up phishing sites, purchase malicious ads, and buy certificates, in order to see where they will strike next. This is what the Strongarm team does every day.

Strongarm uses this information to automatically monitor DNS traffic leaving your network. When a query for a known-bad domain is detected, our DNS resolver returns Strongarm's blackhole address instead of the attacker's. The victim system then talks to Strongarm rather than the attacker, which disarms the infection and quarantines it for removal.
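Here is an added example of the sinkhole logic described above, written as a small Python model of a policy-enforcing resolver. It is not Strongarm's code; the sinkhole address 192.0.2.1 (from the TEST-NET-1 documentation range), the upstream answer table, the blocked zones and the client addresses are all constructed for illustration. It covers the details a real deployment has to get right: case-insensitive names with trailing dots, label-aware matching so that notpayments.example.invalid is not swept up with payments.example.invalid, an allowlist that overrides a blocked parent zone, and a quarantine log recording which internal host asked for a bad name so it can be found and cleaned:

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed sinkhole address (TEST-NET-1), standing in for a vendor blackhole.
SINKHOLE_IP = "192.0.2.1"


def normalize(name: str) -> str:
    """DNS names are case-insensitive and may carry a trailing dot."""
    return name.rstrip(".").lower()


def is_same_or_subdomain(qname: str, zone: str) -> bool:
    """Label-aware suffix match: 'a.evil.example' is under 'evil.example',
    but 'notevil.example' is not (a plain string suffix test would say it is)."""
    q = normalize(qname).split(".")
    z = normalize(zone).split(".")
    return len(q) >= len(z) and q[-len(z):] == z


@dataclass
class Policy:
    blocked_zones: List[str]
    allowed_zones: List[str] = field(default_factory=list)  # allowlist wins


@dataclass
class Answer:
    qname: str
    address: Optional[str]
    action: str                      # "pass", "sinkhole" or "nxdomain"
    matched_rule: Optional[str] = None


@dataclass
class Resolver:
    policy: Policy
    upstream: Dict[str, str]         # constructed stand-in for recursive resolution
    quarantine_log: List[dict] = field(default_factory=list)

    def resolve(self, client_ip: str, qname: str) -> Answer:
        name = normalize(qname)
        for zone in self.policy.allowed_zones:
            if is_same_or_subdomain(name, zone):
                return self._pass(name)
        for zone in self.policy.blocked_zones:
            if is_same_or_subdomain(name, zone):
                # Record who asked: this is the host to quarantine and clean.
                self.quarantine_log.append(
                    {"client": client_ip, "qname": name, "rule": normalize(zone)}
                )
                return Answer(name, SINKHOLE_IP, "sinkhole", normalize(zone))
        return self._pass(name)

    def _pass(self, name: str) -> Answer:
        addr = self.upstream.get(name)
        return Answer(name, addr, "pass" if addr else "nxdomain")

    def infected_hosts(self) -> List[str]:
        return sorted({entry["client"] for entry in self.quarantine_log})


def demo() -> Tuple[Resolver, List[Answer]]:
    """Constructed traffic: blocked zones, a lookalike name, an allowlisted child."""
    policy = Policy(
        blocked_zones=["payments.example.invalid", "cdn-update.test"],
        allowed_zones=["safe.cdn-update.test"],
    )
    upstream = {  # constructed answers, documentation-range addresses only
        "intranet.example.org": "198.51.100.10",
        "notpayments.example.invalid": "198.51.100.20",
        "safe.cdn-update.test": "198.51.100.30",
    }
    resolver = Resolver(policy, upstream)
    queries = [
        ("10.0.0.5", "WWW.Payments.Example.Invalid."),   # sinkholed, case/dot normalised
        ("10.0.0.7", "notpayments.example.invalid"),     # lookalike, must pass
        ("10.0.0.5", "safe.cdn-update.test"),            # allowlist beats blocked parent
        ("10.0.0.9", "x.cdn-update.test"),               # sinkholed via parent zone
        ("10.0.0.7", "intranet.example.org"),            # ordinary pass-through
        ("10.0.0.7", "unknown.example.net"),             # not blocked, not resolvable
    ]
    answers = [resolver.resolve(ip, q) for ip, q in queries]
    return resolver, answers


if __name__ == "__main__":
    r, answers = demo()
    for a in answers:
        print(f"{a.qname:32} {a.action:9} {a.address}  rule={a.matched_rule}")
    print("hosts to quarantine:", r.infected_hosts())
```

In production this policy lives in the recursive resolver itself (BIND's Response Policy Zones are the standard mechanism), and the hard part is the blocklist, which the infrastructure tracking described above is meant to feed. A sinkhole only sees traffic that uses your resolver, so clients that hard-code another resolver or connect straight to an IP address still need egress filtering at the firewall.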

So while antivirus and firewalls are fundamental protections, they should not be your only ones. Automated attacks can't stand up to automated detection and protection, so to fight back you need a way to detect and respond to these types of threats instantly. DNS-based security is the best way to accomplish this.


Automated Ransomware, Meet Automated Security

Ransomware is a popular attack and growing for good reason: It’s an easy way to make a quick buck. But you have a strong incentive to fight back, and now there is a way to do that effectively.

Historically there has been a clear gap between the speed at which attackers can move and the speed at which defenders can respond, but the tide is turning. We built Strongarm to close that gap. Strongarm's DNS-based security automatically detects, quarantines, and removes malware strains like ransomware before they can do damage to your network, even if an employee succumbs to clever social engineering (because they will).

Arm your business today with our simple and automated solution to protect yourself from ransomware.

