WithSecure’s new tech is an ‘undo’ button for ransomware

WithSecure’s Activity Monitor technology rolls back changes to data caused by malware.

  • 1 year ago Posted in

Ransomware attacks have plagued organizations for the past several years, inflicting considerable financial losses. To help organizations manage ransomware and other threats, WithSecure™ (formerly known as F-Secure Business) has developed a new technology that can essentially undo the damage malware can cause.  

 

The technology, called Activity Monitor, was developed to make the capabilities of a sandbox more accessible. Sandboxes are isolated test environments that run unknown code to see how it impacts a system or data. Since sandboxes run code in isolation, they can execute unknown code safely to verify whether it’s safe or harmful. 

 

Instead of running code in an isolated environment, Activity Monitor creates selective backups of the system and data, and then allows the code to run on a system while monitoring the session. If Activity Monitor detects changes that could be harmful, it blocks the processes and uses the backups to restore the session to the state it was in before it ran the malicious code.  

 

According to WithSecure Lead Researcher Broderick Aquilino, sandboxes provide a safe, reliable way to test malware, but with limitations that Activity Monitor was designed to overcome.  

 

“The analysis provided by a sandbox shows a very comprehensive picture of malware’s behavior but consumes a lot of resources, which limits their use,” said Aquilino. “With Activity Monitor, we overcame these limitations by recreating the capabilities that sandboxes provide rather than how they work. Now we can create protection mechanisms that can bring these capabilities to more organizations.” 

 

The technology provides a new tool to combat ransomware infections, which some sources suggest costed organizations throughout the globe as much 18 billion euros by 2021.* Most ransomware encrypts the victim's data, and then provides decryption keys in exchange for a ransom. Activity Monitor is built to detect these types of changes, and upon detecting the encryption processes, halts them and restores data to its unencrypted state.  

 

While rolling back ransomware infections is an obvious example of its value, WithSecure Intelligence Vice President Paolo Palumbo expects the technology to provide many additional benefits to organizations. 

 

“This approach makes very powerful detection capabilities more efficient so it can be used in new ways. Efficiency is very important for security to ensure our solutions give organizations practical, effective protection without preventing them from doing their jobs or accomplishing their business goals. And as we develop new applications and features using this technology, we expect it to enable better, more efficient defense mechanisms for our clients,” he said.  


Ransom attacks in the cloud are a perennially popular topic of discussion in the cloud security...
Talent and training partner, mthree, which supports major global tech, banking, and business...
Cloud-native organisations to gain full understanding over every identity in the cloud, secured...
MSSPs identify regulatory compliance as additional factor as organisations seek to shift...
Orange Business (Norway), a global leader in digital services, has selected ARMO’s advanced...
Gigamon and Exclusive Networks have expanded their existing distribution partnership, broadening...
Trustwave and Cybereason have announced a definitive merger agreement offering a comprehensive and...
FortiDLP’s unified approach to data protection enables enterprise organizations to anticipate and...