WithSecure’s New Tech is ‘Undo’ Button for Ransomware

Ransomware attacks have plagued organizations for the past several years, inflicting considerable financial losses. To help organizations manage ransomware and other threats, WithSecure (formerly known as F-Secure Business) has developed a technology that essentially lets them undo the damage malware causes. Activity Monitor was developed to make the capabilities of a sandbox more widely accessible. Sandboxes are isolated test environments that run unknown code to observe how it affects a system or its data; because the code runs in isolation, a sandbox can execute it safely and determine whether it is benign or harmful.

Instead of running code in an isolated environment, Activity Monitor creates selective backups of the system and its data and then allows the code to run on the live system while monitoring the session. If Activity Monitor detects changes that could be harmful, it blocks the responsible processes and uses the backups to restore the session to the state it was in before the malicious code ran.
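A minimal model of the snapshot, monitor and roll-back cycle described above, added here as an illustration and not WithSecure's own code: it backs up a flat directory, lets an untrusted action run on the live files, flags the session if most files vanished or were rewritten with encrypted-looking (high-entropy) content, and restores the backup when that happens. The file-level backup, the entropy heuristic and its thresholds, and the `guarded_run` flow are assumptions of this example, not details the page gives.

```python
import hashlib
import math
import os
import shutil
import tempfile
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: encrypted or random content nears 8.0, plain text stays well below."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def snapshot(root: str) -> dict:
    """Selective backup of a flat directory: copy each file aside and record its SHA-256."""
    backup = tempfile.mkdtemp(prefix="guard-backup-")
    digests = {}
    for name in os.listdir(root):
        src = os.path.join(root, name)
        shutil.copy2(src, os.path.join(backup, name))
        with open(src, "rb") as f:
            digests[name] = hashlib.sha256(f.read()).hexdigest()
    return {"backup": backup, "digests": digests}

def assess(root: str, snap: dict, entropy_threshold=7.0, max_fraction=0.5) -> dict:
    """Count files that vanished or were rewritten with high-entropy bytes since the snapshot.
    Thresholds are assumed values for this example, not the product's."""
    suspicious = 0
    for name, digest in snap["digests"].items():
        path = os.path.join(root, name)
        if not os.path.exists(path):
            suspicious += 1
            continue
        with open(path, "rb") as f:
            data = f.read()
        if hashlib.sha256(data).hexdigest() != digest and shannon_entropy(data) >= entropy_threshold:
            suspicious += 1
    total = len(snap["digests"])
    return {"suspicious": suspicious, "total": total, "harmful": suspicious > max_fraction * total}

def guarded_run(root: str, action) -> dict:
    """Snapshot, run the monitored action, assess what it changed, and roll back if harmful."""
    snap = snapshot(root)
    action(root)  # the monitored session: untrusted code touches the live files
    verdict = assess(root, snap)
    if verdict["harmful"]:  # the 'undo': every snapshotted file comes back from its backup copy
        for name in snap["digests"]:
            shutil.copy2(os.path.join(snap["backup"], name), os.path.join(root, name))
    return verdict
```

A benign edit (appending plain text to one file) passes `assess` and is kept, while an action that rewrites every file with random bytes and deletes one is detected and rolled back, including the deleted file.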

According to WithSecure lead researcher Broderick Aquilino, sandboxes provide a safe, reliable way to test malware but with limitations that Activity Monitor was designed to overcome.

“The analysis provided by a sandbox shows a very comprehensive picture of malware’s behavior but consumes a lot of resources, which limits its use,” said Aquilino. “With Activity Monitor, we overcame these limitations by recreating the capabilities that sandboxes provide rather than how they work. Now we can create protection mechanisms that can bring these capabilities to more organizations.”

The first product built on the technology, Server Share Protection, is available as part of WithSecure Element’s Endpoint Protection for Servers. More information is available at https://www.withsecure.com/en/expertise/resources/a-new-game-changing-technology-for-ransomware-protection.