Cyber security supplier WithSecure is piloting a newly developed technology that purportedly makes the capabilities of a sandbox test environment more accessible, and it says it has effectively found an “undo button” for ransomware.
The Helsinki-based company, which already includes the technology as part of its Elements Endpoint Protection for Servers product, says the technology, called Activity Monitor, can quickly and easily undo the damage that malware does.
In the context of cyber security, sandboxes are test environments where analysts and researchers can execute unknown code to see how it affects systems or data, and whether or not it is harmful. Because they are isolated from other network systems, they can be used safely.
However, according to WithSecure lead researcher Broderick Aquilino, traditional sandbox environments, despite their utility, carry some limitations. “The analysis provided by a sandbox shows a comprehensive picture of malware behavior but consumes a lot of resources, which limits their use,” he said. “With Activity Monitor, we overcome these limitations by re-creating the capabilities provided by sandboxes rather than how they work. Now we can create protection mechanisms that provide these capabilities to many organizations.”
Instead of executing suspicious code in an isolated environment, Activity Monitor first creates selective backups of systems and data, and then allows the code to run on the live system while monitoring the session.
If, at this point, it detects changes that could be harmful, it blocks the processes, before using its backups to restore the session to the state it was in before the code was executed.
Through this method, according to WithSecure, it can offer a tool that effectively stops ransomware infections before they execute and encrypt any data. If accurate, it can save organizations billions of pounds.
Aquilino added: “We tried to copy the sandbox approach that we use in the backend, but use it for endpoints. A sandbox works by isolating untested code and allowing it to be executed, which means you can understand what the suspicious code will do without putting the environment at risk. However, this takes time, and is therefore not very suitable for endpoints because the delay is very noticeable to users. A user executes a file and then waits a few minutes to get the result.
“In this case, we tried to create a sandbox, but at the last point,” he said. “To address the bad user experience, we decided to implement this in the system, allowing it to encrypt files and everything. Then we made this rollback capability so we can see the files that have been encrypted, then do the rollback automatically, without any interaction from the user, and delete the executed file.”
For an end-user deploying the service, Activity Monitor comes as a toggle-on feature of the Elements offering. When activated, it automatically discovers all shared folders on the user’s Windows Server – admins can choose to exclude selected folders if they want – and then goes to work quietly in the background. Effectively, says WithSecure, you will not notice it unless a ransomware locker tries to encrypt your files.
Activity Monitor has two modes, report and normal. In report mode, when the ransomware executes, the admin will be notified but the roll-back capability is not automatically engaged, a safeguard to stop legitimate changes to the systems being accidentally rolled back. If normal mode is turned on, Activity Monitor will automatically roll back the changes made by the encryption process, and the admin will see two notifications: first that a ransomware is trying to execute, then shortly afterwards a second saying that the system has been successfully restored to its previous state.
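The back-up, monitor and roll-back loop described above, including the report and normal modes, as an added example in Python. This is not WithSecure’s code: the entropy heuristic, the 7.0 bits/byte threshold and all function names are assumptions made for illustration, and the “locker” is a harmless test fixture that overwrites constructed sample files with random bytes inside a temporary directory so the detector and the rollback can be exercised offline.

```python
"""Added example (not WithSecure code): snapshot a watched folder, let an
untrusted action run, flag ransomware-like changes, then report or roll back."""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Assumed threshold: plain documents sit well below this, ciphertext and
# random bytes approach 8.0 bits per byte.
ENTROPY_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of data in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def snapshot(root: Path) -> dict:
    """Selective backup: relative path -> file bytes for every file under root."""
    return {p.relative_to(root).as_posix(): p.read_bytes()
            for p in root.rglob("*") if p.is_file()}


def suspicious_changes(before: dict, after: dict) -> list:
    """Diff two snapshots and return reasons that look like a locker at work."""
    reasons = []
    for rel, old in before.items():
        new = after.get(rel)
        if new is None:
            reasons.append(f"{rel}: original removed")
        elif new != old and shannon_entropy(new) >= ENTROPY_THRESHOLD > shannon_entropy(old):
            reasons.append(f"{rel}: low-entropy content replaced by high-entropy data")
    for rel in after.keys() - before.keys():
        if shannon_entropy(after[rel]) >= ENTROPY_THRESHOLD:
            reasons.append(f"{rel}: new high-entropy file appeared")
    return reasons


def restore(root: Path, before: dict) -> None:
    """Roll the folder back to the backup: delete extras, rewrite originals."""
    for p in list(root.rglob("*")):
        if p.is_file() and p.relative_to(root).as_posix() not in before:
            p.unlink()
    for rel, data in before.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)


def monitor_run(root: Path, action, mode: str = "normal") -> list:
    """Back up root, run action(root), then notify (report) or notify and
    restore (normal). Returns the admin notifications in order."""
    before = snapshot(root)
    action(root)
    reasons = suspicious_changes(before, snapshot(root))
    if not reasons:
        return []
    notices = ["ALERT: ransomware-like activity: " + "; ".join(reasons)]
    if mode == "normal":
        restore(root, before)
        notices.append("RESTORED: folder rolled back to pre-execution state")
    return notices


def make_share(root: Path) -> None:
    """Constructed sample share with two plain-text documents."""
    (root / "docs").mkdir()
    (root / "docs" / "q3-report.txt").write_text("Quarterly figures: revenue up 4%, costs flat.\n" * 20)
    (root / "notes.txt").write_text("Meeting notes: migrate the file server in March.\n" * 20)


def simulated_locker(root: Path) -> None:
    """Test fixture standing in for a locker: replaces each file with random
    bytes under a new extension. os.urandom output has the entropy profile
    of ciphertext, which is what the detector keys on."""
    for p in list(root.rglob("*")):
        if p.is_file():
            p.with_suffix(p.suffix + ".locked").write_bytes(os.urandom(len(p.read_bytes())))
            p.unlink()


def benign_edit(root: Path) -> None:
    """Legitimate change that must not trigger a rollback: a user appends a line."""
    with open(root / "notes.txt", "a") as fh:
        fh.write("Action item: order new disks.\n")


def demo(action, mode: str = "normal") -> dict:
    """Run action under the monitor in a temp dir; return notices and final file list."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        make_share(root)
        notices = monitor_run(root, action, mode=mode)
        files = sorted(p.relative_to(root).as_posix() for p in root.rglob("*") if p.is_file())
        return {"notices": notices, "files": files}


if __name__ == "__main__":
    for mode in ("report", "normal"):
        print(mode, demo(simulated_locker, mode))
    print("benign", demo(benign_edit))
```

In report mode the locked files stay on disk and only the alert is raised; in normal mode the restore runs and a second notification follows, matching the two-notification flow the article describes. The benign edit changes a file without raising its entropy, so neither mode touches it, which is the false-positive case the report mode exists to guard against.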
However, Activity Monitor may also have potential beyond stopping ransomware in its tracks, said WithSecure Intelligence vice-president Paolo Palumbo. “This approach makes powerful recognition capabilities more efficient so they can be used in new ways,” he said.
“Effectiveness is very important for security to ensure that our solutions provide practical, effective protection to organizations without preventing them from doing their jobs or achieving their business goals. And as we develop new applications and features using this technology, we expect to make it a better, more efficient defense mechanism for our clients.”
The research that created Activity Monitor was supported by the TRUST aWARE project, whose mission is to “provide a holistic and effective digital security and privacy framework consisting of a set of novel and integrated tools and services”, with funding channeled through the European Union’s (EU) Horizon 2020 research and innovation programme.