There is new software in the works designed to detect ransomware and help you recover your files.
Researchers from Italy’s Politecnico di Milano unveiled at Black Hat last week an add-on Windows driver and filesystem that detects ransomware and recovers files.
The new technology, named ShieldFS, was unveiled at the hacker conference by Andrea Continella and Federico Maggi. They claim the tool was tested against more than a dozen ransomware variants and strains, including WannaCry, and that in their testing it detected the malware with 97 percent accuracy and zero file loss.
ShieldFS was designed to learn and model the file system activity of the computer over a period of time. It then compares that baseline against the potentially malicious behavior of any code that runs and exhibits the traits of ransomware. Once the software detects an attack, it immediately blocks the malware from running any further, and a protection layer similar to copy-on-write comes into action, allowing the original files to be stored and preserved in case data recovery is needed.
“It monitors and then performs copy-on-write on the first write; files are modified just the first time,” Continella said. “When the ShieldFS detector collects information to detect if something is malware or not, it can transparently and automatically recover and restore the original copies. If it’s benign, the clean, old copies are presented.”
Copy-on-write, or COW, is a programming technique in which pointers to a resource are handed out and the resource is shared until someone modifies it, rather than being copied over and over.
The ShieldFS software by Continella and Maggi has been in development for 18 months. Ransomware variants such as WannaCry, TeslaCrypt, CryptoWall and CryptoLocker, as well as many others, have been tested against it and were shown to be successfully blocked.
“The protection is embedded in the filesystem,” Maggi said. “When ShieldFS detects something suspicious, it takes additional protection to save files.”
There is a video on YouTube that shows the proof-of-concept.
Here is the link if you are interested in watching it, although there is no audio.
According to them, here is what they did to jumpstart their research.
The research, they said, began with the profiling of a month’s worth of low-level filesystem behavior on 11 clean machines used by volunteers. The researchers collected 1.7 billion I/O Request Packets from 2,245 applications running on those computers. Those machines were then set up to look like a realistic environment complete with file types targeted by the malware, an emulated directory tree, browser extensions and more.
“We tried to make realistic-looking machines,” Maggi said, “and provide all the triggers ransomware needs.”
The ShieldFS software must be running on the test machines. From there, it looks for the distinctive ways ransomware interacts with the low-level file system and compares the subtle differences between benign file system activity and ransomware activity. It picks out the malicious process in the operating system and also detects the use of crypto-primitives for encrypting files.
Impressively, their test systems were put through a rigorous test: they were infected, collectively, with 383 samples from various ransomware families, namely Cryptowall, Crowti, Critroni, CryptoDefense and TeslaCrypt.
The researchers said that because ShieldFS essentially makes a filesystem ransomware-aware, they liken it to a self-healing system.
So basically, once ShieldFS is installed on a computer, whenever it sees a write operation it saves a copy of the file first, before allowing the write to continue.
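To make the copy-on-write shadowing and transparent restore described above concrete, here is an added Python simulation (not ShieldFS's own code): a process's first write to a file preserves the original, a simple per-process heuristic (number of files touched and the entropy of what is written, with thresholds assumed here) stands in for the researchers' trained detector, and a malicious verdict rolls the shadowed originals back while a benign one discards them. The file names, process ids and file contents are constructed for the demo.

```python
import hashlib
import math
from collections import Counter, defaultdict

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ciphertext sits near 8.0, ordinary documents far lower."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

class ShieldedFS:
    """Shadow a file on a process's first write, then keep or roll back after classifying it."""
    MIN_FILES = 3            # assumed thresholds, not ShieldFS's trained detector
    ENTROPY_THRESHOLD = 7.0

    def __init__(self, files):
        self.files = dict(files)                  # path -> current content
        self.shadow = defaultdict(dict)           # pid -> {path: original content}
        self.stats = defaultdict(lambda: [0, 0])  # pid -> [writes, high-entropy writes]

    def write(self, pid, path, data):
        if path not in self.shadow[pid]:          # copy-on-write: only the first touch
            self.shadow[pid][path] = self.files.get(path)
        self.files[path] = data                   # the write itself proceeds
        self.stats[pid][0] += 1
        self.stats[pid][1] += int(shannon_entropy(data) >= self.ENTROPY_THRESHOLD)

    def is_malicious(self, pid):
        writes, high = self.stats[pid]
        return len(self.shadow[pid]) >= self.MIN_FILES and high == writes

    def resolve(self, pid):
        """Malicious: restore every shadowed original. Benign: discard the shadows."""
        verdict = "restored" if self.is_malicious(pid) else "committed"
        if verdict == "restored":
            for path, original in self.shadow[pid].items():
                if original is None:
                    self.files.pop(path, None)    # file did not exist before this process
                else:
                    self.files[path] = original
        del self.shadow[pid]
        return verdict

def demo():
    """Constructed scenario: a benign editor save, then a simulated encryptor hitting three files."""
    fs = ShieldedFS({f"doc{i}.txt": b"quarterly report draft " * 4 for i in range(3)})
    fs.write(1001, "doc0.txt", b"quarterly report final " * 4)
    for i in range(3):  # hash-derived bytes stand in for ciphertext (constructed, not a real sample)
        blob = b"".join(hashlib.sha256(bytes([i, j])).digest() for j in range(64))
        fs.write(1002, f"doc{i}.txt", blob)
    return fs.resolve(1001), fs.resolve(1002), fs.files
```

Because shadows are kept per process, the editor's committed save survives while the encryptor's overwrites are rolled back to the content each file had when that process first touched it.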
The researchers said that ShieldFS could be a good complement to backups, which are considered the top strategic countermeasure to ransomware, in addition to timely patching.
“We argue that, although older files can be asynchronously backed up with on-premise systems (because they have less strict time constraints), recent files may be of immense value for a user (e.g., time-sensitive content); even the loss of a small update to an important file may end up in the decision to pay the ransom, because the existing backup is simply too old,” the researchers said in a paper published earlier.