What the article argues is that because XMPP encrypts communications by default, it makes it harder for antivirus software to detect; but antivirus software is so notoriously crap and misses so much stuff (while at the same time making such a big deal out of false alarms) that claiming that they would fail to detect it "because of XMPP" is laughable.
I believe you're referring to this section of the article:
While posing as a legal or governmental authority to intimidate the victim into paying up is not new, the use of Extensible Messaging and Presence Protocol (XMPP), the instant messaging protocol used by Jabber and previously by GTalk, is a shift in tactics to evade detection by anti-malware tools. XMPP communication makes it more difficult for security and anti-malware tools to catch the ransomware before it can communicate with its command and control network because it conceals the communication in a form that looks like normal instant message communications.
Most previous ransomware packages have communicated with a website over HTTPS to obtain encryption keys; those websites can generally be identified by their URLs, IP addresses, or the signature of their Web requests and then blocked. An application making a secure HTTP request to a suspicious destination would be a good sign that something bad was afoot. But the XMPP communications channel used by the new Simplocker variant uses an external Android library to communicate with the command and control network through a legitimate messaging relay server. And these messages can be encrypted using Transport Layer Security (TLS). The messages were pulled from the command and control network by the operators of the scheme via Tor.
They aren't blaming encryption itself. What they are saying is that in the past most ransomware that required a C&C connection to function used to connect directly to their C&C servers. Because of that, if the C&C servers could be identified, they could be blocked by a variety of means. They mention URLs, but that only works if you're using an SSL interceptor. More likely you could block access to these C&C servers by DNS blackholes or by blocking their IP addresses. That way, regardless of what sort of encryption the bot used or how it scrambled its control messages, you could make it impossible for it to call home.
The routable nature of XMPP adds a new layer of obfuscation to the mix. Now, malware could connect to a legitimate XMPP server that has no relationship to the malware writer but send it an XMPP message that the XMPP server would relay to the malware's C&C server. Unless you can decrypt the actual C&C channel and block it by content, the only way to prevent the malware from calling home would be to block access to every open XMPP relay server in the world, which is impractical. That's why the article states that Check Point created filtering documents for XMPP relay server operators to use: because they are in a position to filter the XMPP messages they receive, unencrypted (the servers obviously see the raw unencrypted versions of all messages they receive, because they have to see them to understand how to deliver them).
Antimalware is supposed to first and foremost look at what's running on your computer, not rely on snooping through all your network traffic to catch the malware communicating with a mothership; by the time ransomware is contacting their XMPP server, it has locked you out of your data and the damage is already done.
Unfortunately, that's not really technically feasible for a number of reasons; which is to say, antimalware software does look at the running state of the programs running on your computer, but traffic analysis of the network traffic of those processes is a significant and important part of that analysis.
Also, many (not all) forms of ransomware rely on an initial call-home to initialize their encryption with an encryption key generated by the C&C system (so it can give that key back to you if you pay the ransom) and not by the bot (so reverse engineering can't reverse the process of making the keys, which would allow people to theoretically break the encryption). If you can block access to the C&C network, you can prevent the malware from encrypting your files indefinitely and cripple its ability to damage your system.
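To make the relay-operator angle concrete, here is an added example (my own illustrative code, not the answer's, not Check Point's filtering documents, and not any real XMPP server's filter) of what a relay server can do precisely because it sees every stanza in the clear after TLS termination: parse each message stanza, normalise the sender and recipient JIDs, and drop anything addressed to or from a denied JID or domain. The denylist entries and the sample stanzas are constructed for the example; a real deployment would load indicators from a shared feed, and an indicator-based filter like this is the same idea as the DNS blackhole or IP block the answer describes, applied one layer up at the relay.

```python
"""Illustrative relay-side XMPP stanza filter (added example, not a real server's code)."""
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# Assumed: a denylist of C&C JIDs and domains of the kind a relay operator
# might load from an indicator feed. Both sets are constructed for this example.
DENIED_DOMAINS = {"cc.example.invalid"}
DENIED_JIDS = {"dropbox@relay.example.net"}

# Constructed sample stanzas, as the relay sees them in the clear after TLS.
SAMPLE_STANZAS: List[str] = [
    # ordinary chat between two users of the relay
    '<message xmlns="jabber:client" from="alice@example.org/phone" '
    'to="bob@example.org" type="chat"><body>see you at 6</body></message>',
    # message bound for a denied C&C domain
    '<message xmlns="jabber:client" from="device-0001@relay.example.net/android" '
    'to="collector@cc.example.invalid" type="chat"><body>status=ready</body></message>',
    # message bound for a denied full JID (resource part must be ignored)
    '<message xmlns="jabber:client" from="device-0002@relay.example.net" '
    'to="DropBox@relay.example.net/inbox" type="chat"><body>status=ready</body></message>',
    # message with no recipient: cannot be routed, so it is rejected
    '<message from="carol@example.org" type="chat"><body>hello?</body></message>',
    # malformed XML: mismatched closing tag
    '<message from="dave@example.org" to="erin@example.org"><body>oops</message>',
    # presence stanza: not subject to the message rules here
    '<presence xmlns="jabber:client" from="alice@example.org/phone"/>',
]


def bare_jid(jid: str) -> str:
    """Strip the resource: user@domain/resource -> user@domain (lower-cased)."""
    return jid.split("/", 1)[0].lower()


def jid_domain(jid: str) -> str:
    """Domain part of a JID, e.g. bob@example.org -> example.org."""
    return bare_jid(jid).rsplit("@", 1)[-1]


def local_name(tag: str) -> str:
    """ElementTree reports namespaced tags as '{ns}name'; keep only 'name'."""
    return tag.rsplit("}", 1)[-1]


def classify_stanza(raw: str) -> Tuple[str, str]:
    """Return (decision, reason): 'relay', 'drop' (indicator hit) or 'reject' (bad stanza)."""
    try:
        el = ET.fromstring(raw)
    except ET.ParseError as exc:
        return "reject", f"malformed stanza: {exc}"
    if local_name(el.tag) != "message":
        return "relay", "not a message stanza; left to other rules"
    to, frm = el.get("to", ""), el.get("from", "")
    if not to:
        return "reject", "message without a 'to' attribute"
    for jid in (to, frm):
        if bare_jid(jid) in DENIED_JIDS:
            return "drop", f"denied JID {bare_jid(jid)}"
        if jid_domain(jid) in DENIED_DOMAINS:
            return "drop", f"denied domain {jid_domain(jid)}"
    return "relay", "no indicator matched"


def filter_stanzas(stanzas: List[str]) -> Dict[str, int]:
    """Apply classify_stanza to each stanza, log the decision, return per-decision counts."""
    counts: Dict[str, int] = {"relay": 0, "drop": 0, "reject": 0}
    for raw in stanzas:
        decision, reason = classify_stanza(raw)
        counts[decision] += 1
        print(f"{decision:6} {reason}")
    return counts


if __name__ == "__main__":
    print(filter_stanzas(SAMPLE_STANZAS))
```

Running the block prints one decision line per constructed stanza and a summary of two relayed, two dropped and two rejected. The filter keys on JIDs and domains rather than message bodies because, as the answer notes, the bot can scramble its control messages any way it likes; the addressing information, however, has to be readable by the relay for delivery to work at all.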