WithSecure proposes ‘undo’ button for ransomware

Cyber security supplier WithSecure is piloting a newly developed technology that supposedly makes a sandbox test environment more accessible, and claims it has effectively found an “undo button” for ransomware.

The Helsinki-based firm, which has already incorporated the feature into its Elements Endpoint Protection for Servers product, says the technology, dubbed Activity Monitor, can quickly and easily undo the damage malware can cause.

In a cyber security context, sandboxes are test environments in which analysts and researchers can execute unknown code to see how it impacts systems or data, and whether or not it is harmful. Because they are isolated from other systems on the network, this can be done quite safely.

However, according to WithSecure lead researcher Broderick Aquilino, traditional sandbox environments, despite their utility, carry with them some limitations. “The analysis provided by a sandbox shows a very comprehensive picture of malware’s behaviour but consumes a lot of resources, which limits their use,” he said. “With Activity Monitor, we overcame these limitations by recreating the capabilities that sandboxes provide rather than how they work. Now we can create protection mechanisms that can bring these capabilities to more organisations.”

Rather than executing suspicious code in an isolated environment, Activity Monitor instead creates selective backups of systems and data first, and then allows the code to run on it while monitoring the session.

If, at this point, it detects changes that could be harmful, it blocks the processes, before using its backups to revert the session to the state it was in prior to the code being executed.

By this method, said WithSecure, it can offer a tool that effectively stops ransomware infections before they execute and encrypt any data. If accurate, this could save organisations billions of pounds.

Aquilino added: “We were trying to copy the sandbox approach that we use in the backend, but use it for endpoints. A sandbox works by isolating untested code and allowing it to execute, which means you can understand what suspicious code will do without putting the environment at risk. However, this takes time, and so is not very suitable for endpoints because the delay will be very noticeable to users. A user will execute a file and then will have to wait a few minutes to get the result.  

“In this case, we tried to create a sandbox, but on the endpoint,” he said. “To address the poor user experience, we decided to actually let it execute on the system, allowing it to encrypt files and everything. Then we came up with this rollback capability so that we see files getting encrypted, then do the rollback automatically, without any interaction from the user, and delete the executed file.”

For an end-user deploying the service, Activity Monitor will come as a toggle-on feature in the Elements offering. When activated, it will automatically discover all shared folders on the user’s Windows Server – admins may choose to exclude selected folders if they wish – and then go to work silently in the background. Effectively, said WithSecure, you will not notice it unless a ransomware locker attempts to encrypt your files.

Activity Monitor has two modes, report and normal. In report mode, when ransomware executes the admin will be notified but the roll-back capability will not engage automatically, a protection in pace to stop legitimate changes to systems being accidentally rolled back. If normal mode is switched on, Activity Monitor will automatically roll back the encryption process, and the admin will see two notifications, first that a ransomware has attempted to execute, then shortly after another saying the system has been successfully restored to its previous state.

However, Activity Monitor may also have potential beyond stopping ransomware in its tracks, said WithSecure Intelligence vice-president Paolo Palumbo. “This approach makes very powerful detection capabilities more efficient so they can be used in new ways,” he said.

“Efficiency is very important for security to ensure our solutions give organisations practical, effective protection without preventing them from doing their jobs or accomplishing their business goals. And as we develop new applications and features using this technology, we expect it to enable better, more efficient defence mechanisms for our clients.”

The research that produced Activity Monitor was supported by the TRUST aWARE project, which is on a mission to “provide a holistic and effective digital security and privacy framework comprising a set of novel and integrated tools and services”, with funding funnelled through the European Union’s (EU’s) Horizon 2020 research and innovation programme.