A new game-changing technology for Ransomware protection

WithSecure’s Elements Endpoint Protection for Servers product has a new ransomware protection capability: Server Share Protection. This monitors potentially malicious activities in real time using technology named Activity Monitor.

As a monitored session unfolds and the threat is confirmed, it blocks the last operation and then rolls back all the changes that have been tracked, restoring the environment to the state it was in before the attack. DeepGuard (the Host-based Intrusion Prevention System – HIPS – engine used by WithSecure endpoint protection products) works by blocking suspicious activities immediately. In some rare situations this can lead to false positives and frustrating delays for the user. For example, a standard update to an application might be blocked because it has not been seen before and is attempting to download and execute more code from a remote server, which looks suspicious. This is understandably frustrating for the user, but the alternative is to block later in the process and risk letting real malicious code execute.

The new Server Share Protection addresses this issue really well, particularly for ransomware attacks. Because the software can undo any changes after the monitoring starts, there is no need to block suspicious activity in the first instance. There are significantly fewer false positives and less disruption for the user.

Why is it best for ransomware?
This protection is targeted specifically at ransomware because ransomware typically encrypts files, rather than stealing them. If ransomware starts to execute on your computer, the system will automatically begin monitoring the session. This means that it will track all the activity in real time. If the malicious code launches a process, which launches another process, and spreads into different areas of the system, every step of that session is monitored and temporary backups of the relevant files are created regularly.

If any of your files do get encrypted, you can easily roll back the changes made during the session and restore normal access. This works less well against malware designed to steal information: although the software could still undo the changes, it cannot retrieve information that was copied out of the environment during the same session. Many endpoint protection solutions rely on the Shadow Copy functionality provided by Microsoft Windows. We have noticed that in many cases ransomware or other malware will actively try to disable this functionality, rendering the Shadow Copy backups unusable. WithSecure’s proprietary approach is novel in that it only backs up what is needed, and only for the period when it is needed.

Why did you come up with this development?
Broderick Aquilino, a Lead Researcher at WithSecure, explained how this new technology was imagined and developed:

“We were trying to copy the sandbox approach that we use in the back end, but use it for endpoints. A sandbox works by isolating untested code and allowing it to execute, which means you can understand what suspicious code will do without putting the environment at risk. However, this takes time, and so is not very suitable for endpoints because the delay will be very noticeable to users. A user will execute a file and then will have to wait a few minutes to get the result.

“So in this case we tried to create a sandbox, but on the endpoint. To address the poor user experience, we decided to actually let it execute on the system, allowing it to encrypt files and everything. Then we came up with this rollback capability so that we see files getting encrypted, then do the rollback automatically (without any interaction from the user) and delete the executed file.”

What does it look like for the user?
Server Share Protection works automatically in the background. The administrator just needs to toggle on the feature within the Elements Endpoint Protection solution, and it will automatically discover all shared folders on your Windows Server (although the Elements Portal administrator may choose to exclude some shared folders from the list so that they won’t be tracked). After that it will work completely silently; it doesn’t send any notifications except if it detects ransomware trying to encrypt your files.

The default option on the product is the report mode. In this mode, if the software detects ransomware encryption the administrator will get a notification, but the rollback capability is not automatically engaged. You might choose this option if you are concerned about false positives and do not want to accidentally roll back legitimate changes made on the computer. The other option is the normal mode, where the rollback feature engages automatically. In this mode, the administrator will get a notification saying that ransomware tried to encrypt some files, together with a list of the affected files and folders. A few seconds later, a follow-up notification will confirm that all the files have been automatically restored to their previous state.
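To make the session-tracking and rollback idea concrete, here is an added toy model written for this page (it is not WithSecure code and does not reflect how Server Share Protection is implemented). It assumes an in-memory share instead of a real Windows share, a byte-entropy heuristic as a stand-in for the product's detection, and a `keep` parameter that approximates the selective undo mentioned under future developments; all names are invented for the example.

```python
import hashlib
import math

def entropy_bits(data: bytes) -> float:
    """Shannon entropy per byte: ciphertext approaches 8.0, office text sits far lower."""
    if not data:
        return 0.0
    n, counts = len(data), [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

class ProtectedShare:
    """In-memory stand-in for a monitored share (path -> bytes); assumed, not the product."""
    def __init__(self, files, mode="normal", threshold=7.0):
        self.files = dict(files)
        self.mode = mode          # "normal": roll back automatically; "report": alert only
        self.threshold = threshold
        self.session = None       # path -> pre-session content while a session is tracked
        self.alerts = []
    def write(self, path, data):
        if self.session is None:
            self.session = {}     # first write opens a monitored session
        if path not in self.session:
            self.session[path] = self.files.get(path)  # back up on first touch only
        self.files[path] = data
        if entropy_bits(data) > self.threshold:        # heuristic stand-in for detection
            self.alerts.append(f"suspected encryption of {path}")
            if self.mode == "normal":
                return self.rollback()
        return []
    def rollback(self, keep=()):
        restored = []
        for path, original in self.session.items():
            if path in keep:
                continue                     # 'selective undo': leave this change in place
            if original is None:
                self.files.pop(path, None)   # file was created during the session
            else:
                self.files[path] = original
            restored.append(path)
        self.session = None
        return restored

def demo():
    share = ProtectedShare({"q1.xlsx": b"quarterly figures\n" * 64,
                            "notes.txt": b"todo: call bob\n" * 32})
    share.write("notes.txt", b"todo: call bob\ntodo: call alice\n")   # legitimate edit
    blob = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))  # constructed 'ciphertext'
    return share, share.write("q1.xlsx", blob)
```

In normal mode the high-entropy write triggers a rollback of every file touched in the session, including the legitimate edit to `notes.txt`, which is exactly the case the future selective undo is meant to address.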

What future developments are planned?
A future version of the ransomware protection capability will also include a ‘selective undo’ feature for the highly unlikely case in which a rollback triggered by suspected malicious activity needs to be partially undone by an administrator. In this way, “good” files modified during the current user session can be kept, with only the infected files being reverted.