To help organizations manage ransomware and other threats, WithSecure has developed a new technology that can essentially undo the damage malware can cause.
The technology, called Activity Monitor, was developed to make the capabilities of a sandbox more accessible. Sandboxes are isolated test environments that run unknown code to see how it impacts a system or data. Since sandboxes run code in isolation, they can execute unknown code safely to verify whether it’s safe or harmful.
Instead of running code in an isolated environment, Activity Monitor creates selective backups of the system and data, and then allows the code to run on a system while monitoring the session. If Activity Monitor detects changes that could be harmful, it blocks the processes and uses the backups to restore the session to the state it was in before it ran the malicious code.
According to WithSecure Lead Researcher Broderick Aquilino, sandboxes provide a safe, reliable way to test malware, but with limitations that Activity Monitor was designed to overcome.
“The analysis provided by a sandbox shows a very comprehensive picture of malware’s behavior but consumes a lot of resources, which limits their use,” said Aquilino. “With Activity Monitor, we overcame these limitations by recreating the capabilities that sandboxes provide rather than how they work. Now we can create protection mechanisms that can bring these capabilities to more organizations.”
The technology provides a new tool to combat ransomware infections. Most ransomware encrypts the victim's data, and then provides decryption keys in exchange for a ransom. Activity Monitor is built to detect these types of changes, and upon detecting the encryption processes, halts them and restores data to its unencrypted state.
While rolling back ransomware infections is an obvious example of its value, WithSecure Intelligence Vice President Paolo Palumbo expects the technology to provide many additional benefits to organizations.
“This approach makes very powerful detection capabilities more efficient so it can be used in new ways. Efficiency is very important for security to ensure our solutions give organizations practical, effective protection without preventing them from doing their jobs or accomplishing their business goals. And as we develop new applications and features using this technology, we expect it to enable better, more efficient defense mechanisms for our clients,” he said.
The technology’s first implementation into a solution, Server Share Protection, is now available as part of WithSecure Element’s Endpoint Protection for Servers.