Canadian Underwriter

“Antivirus on steroids:” One way to protect your clients from ransomware

March 16, 2022   by David Gambrill


To help clients detect their cyber exposures, insurers are recommending ‘powerful’ preventative measures such as endpoint detection and response (EDR) — dubbed ‘antivirus on steroids.’

Used in combination with multi-factor authentication, EDR is deemed superior to traditional anti-virus software because the malware cybercriminals use nowadays is more sophisticated at evading traditional detection measures.

“Usually, the first thing an attacker needs to do is to establish a foothold within the network, so once that backdoor is established, they can come in and then escalate their attack and do a whole bunch of other things,” Shelley Ma, head of cyber investigations for cyber insurer Coalition, explained in a webinar Tuesday. “Some of the initial mount pieces of malware they use to attach that foothold are types of malware that we call ‘polymorphic.’

“What that means is that the malware code itself can change automatically, and the malware can continuously pull down new iterations of itself.”

Ma noted traditional antivirus products – she used the examples of Windows Defender or Bitdefender — rely on signature-based detection. In other words, the antivirus product must already know the DNA — or the ‘signature’ — of the malware in order to detect and stop it. But the DNA or signature of polymorphic malware changes constantly, so traditional antivirus products have a harder time detecting, identifying and stopping polymorphic malware.

This is where EDR comes in.

“Endpoint detection and response utilities rely upon machine learning and artificial intelligence to map out anomalous behavior,” Ma explains in Unprecedented Times: What’s Changed in Cyber. “So rather than relying upon static detection and signature detection, they use heuristics based on behavioral patterns. The first thing it does is establish a baseline of what it considered to be normal user behavior; anything that deviates from that normal behavior will get detected and blocked and stopped….

“So [EDR utilities] have a much higher frequency in stopping banking Trojans, polymorphic malware, and ransomware [attacks] than traditional antivirus products.”

Moreover, EDR solutions give IT anti-cybercrime teams insights into the threat status of the network. “We can actually see what’s going on every single endpoint, versus just being alerted when a malware is detected. So, it’s much, much more powerful. I usually like to describe it as antivirus on steroids.”
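The contrast between signature matching and baseline-driven detection can be shown in a few lines. This is an added illustration, not code from Coalition or any EDR product: the byte strings, process names, telemetry windows and the `rate_factor` threshold are all constructed assumptions, and a fixed rule stands in for the machine learning a real product would use.

```python
import hashlib

# Constructed, inert byte strings standing in for two builds of the same program.
VARIANT_A = b"loader|pad=0000|body"
VARIANT_B = b"loader|pad=7f3a|body"  # identical behaviour, different bytes

# Signature database that has only ever seen the first build.
KNOWN_SIGNATURES = {hashlib.sha256(VARIANT_A).hexdigest()}

def signature_match(blob: bytes) -> bool:
    """Static detection: exact hash lookup against known signatures."""
    return hashlib.sha256(blob).hexdigest() in KNOWN_SIGNATURES

def build_baseline(windows):
    """Learn normal behaviour: process pairs seen and peak file-write rate per process."""
    pairs, peak = set(), {}
    for w in windows:
        pairs.add((w["parent"], w["proc"]))
        peak[w["proc"]] = max(peak.get(w["proc"], 0), w["files_modified"])
    return {"pairs": pairs, "peak": peak}

def deviations(baseline, window, rate_factor=5):
    """Return the reasons a telemetry window departs from the baseline."""
    reasons = []
    if (window["parent"], window["proc"]) not in baseline["pairs"]:
        reasons.append("unseen parent/child process pair")
    normal_peak = baseline["peak"].get(window["proc"], 0)
    if window["files_modified"] > rate_factor * max(normal_peak, 1):
        reasons.append("file modification rate far above baseline")
    return reasons

# Constructed one-minute telemetry windows from a hypothetical endpoint.
NORMAL = [
    {"parent": "explorer.exe", "proc": "winword.exe", "files_modified": 2},
    {"parent": "explorer.exe", "proc": "winword.exe", "files_modified": 4},
    {"parent": "services.exe", "proc": "backup.exe", "files_modified": 40},
]
SUSPECT = {"parent": "winword.exe", "proc": "updater.exe", "files_modified": 900}

if __name__ == "__main__":
    baseline = build_baseline(NORMAL)
    print("variant A signature hit:", signature_match(VARIANT_A))
    print("variant B signature hit:", signature_match(VARIANT_B))
    print("behavioural findings:", deviations(baseline, SUSPECT))
```

The second build slips past the hash lookup because its bytes differ, while the behavioural check flags the activity regardless of which build produced it.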

These and other preventive measures will help prevent cybercriminals from being able to quickly monetize malware attacks. Criminals’ chief leverage when trying to extract ransoms is that the business will shut down or lose money without access to encrypted files. But if that information is available elsewhere (including being backed up and stored in different locations), the threat of a business shutdown is reduced or eliminated, and the ransoms aren’t paid.

Ma said the largest ransomware attack she ever worked on was $10 million, although she knows of people who have worked on cases involving $40-million ransom demands. The average ransom in 2021 was $1.8 million, Coalition reports.

It’s a far cry from 2017, when the largest ransom Ma worked on was $50,000.

“Now it’s very rare for us to see ransom demands in the five figures,” she said. “When we do encounter a $50,000 ransom, we actually high-five each other because we lucked out, it’s so low. Of course, paying the ransom is always the very last option to consider.”

In the early days of cyber insurance, people were not as prepared, and so ransom payments were more frequent. But now that cyber security and malware detection have improved, ransom payments are less frequent.

“[The payout frequency] used to be a lot a lot higher — it used to be that 80% of ransomware cases led to a ransom payout,” says Ma. “But now it’s a lot less, maybe 30%.”

This is in part because during the cyber insurance hard market, insurers have required clients to take on more of the risk and exposure themselves. And in doing so, clients have adopted more preventative measures, including EDR and multi-factor authentication.

In selling cyber insurance, brokers and insurers can help their clients prepare by taking the view of a cybercriminal in exposing their clients’ business risks, says Ma.

“The best way to describe what we [at Coalition] look for is the exact same things a threat actor does when they’re looking for victims,” says Ma. “We actually integrate that into our underwriting through external perimeter scans. From the design phase, Coalition has integrated technology as the driving indicator of an insurance risk profile. That’s exactly the way we see a company’s threatened position as we conduct some of these scans.”

