ShieldFS Can Detect Ransomware, Recover Files

At Black Hat last week, an add-on Windows driver and filesystem called ShieldFS was unveiled that detects ransomware and recovers files.

LAS VEGAS—Researchers from Italy’s Politecnico di Milano unveiled at Black Hat last week an add-on Windows driver and filesystem that detects ransomware and recovers files.

ShieldFS was officially unveiled during the hacker conference by researchers Andrea Continella and Federico Maggi, who said the tool was tested against more than a dozen ransomware strains, including WannaCry, and successfully detected the malware 97 percent of the time with zero file loss.

Once ShieldFS has learned and modeled filesystem activity over a period of time, it can compare that model against the potentially malicious behavior exhibited by ransomware. If an attack is detected, the malware is blocked and a protection layer similar to copy-on-write kicks in, allowing the original files stored on a hard drive to be preserved and recovered if necessary.

“It monitors and then performs copy-on-write on the first write; files are modified just the first time,” Continella said. “When the ShieldFS detector collects information to detect if something is malware or not, it can transparently and automatically recover and restore the original copies. If it’s benign, the clean, old copies are presented.”

Copy-on-write, or COW, is a programming technique in which callers are given pointers to a shared resource, and the resource stays shared until it is modified, rather than being created over and over.
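The first-write shadowing described above, as an added sketch that is not ShieldFS code: an in-memory Python model in which the first write by each process saves the original file, and a later verdict either restores or drops the saved copies. The class, method names, process IDs and file contents are constructed for illustration; the verdict is supplied by the caller, and dropping the copies on a benign verdict is an assumption of this sketch.

```python
"""Toy in-memory model of first-write copy-on-write shadowing (constructed example)."""


class ShadowingFS:
    def __init__(self, files):
        self.files = dict(files)  # path -> current bytes (stands in for the disk)
        self.shadow = {}          # pid -> {path: original bytes, or None if absent}

    def write(self, pid, path, data):
        saved = self.shadow.setdefault(pid, {})
        if path not in saved:
            # Only the first write by this process preserves the original;
            # later writes must not replace it with already-modified data.
            saved[path] = self.files.get(path)
        self.files[path] = data

    def verdict(self, pid, malicious):
        """Apply the detector's decision for pid; return the paths rolled back."""
        saved = self.shadow.pop(pid, {})
        if not malicious:
            return []                       # benign: saved copies are dropped
        for path, original in saved.items():
            if original is None:
                self.files.pop(path, None)  # file was created by the process
            else:
                self.files[path] = original
        return sorted(saved)


def demo():
    fs = ShadowingFS({"report.docx": b"Q3 draft", "notes.txt": b"todo"})
    fs.write(100, "notes.txt", b"todo, done")        # ordinary editor save
    for path in ("report.docx", "notes.txt"):
        fs.write(4242, path, b"\x8f\x02 pass one")   # first overwrite: copy saved
        fs.write(4242, path, b"\x11\xc4 pass two")   # second overwrite: no new copy
    fs.write(4242, "ransom_note.txt", b"placeholder note")
    fs.verdict(100, malicious=False)
    restored = fs.verdict(4242, malicious=True)
    return fs.files, restored


if __name__ == "__main__":
    files, restored = demo()
    print("rolled back:", restored)
    print("disk state:", files)
```

Because the editor's save happened before process 4242 touched `notes.txt`, the rollback returns the editor's version rather than the older one, and the file that process 4242 created is removed.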

Continella and Maggi said they’ve been working on ShieldFS for 18 months, and that it also successfully detects WannaCry, in addition to other ransomware stalwarts such as TeslaCrypt, CryptoWall, CryptoLocker and many others.

“The protection is embedded in the filesystem,” Maggi said. “When ShieldFS detects something suspicious, it takes additional protection to save files.”

The research, they said, began with the profiling of a month’s worth of low-level filesystem behavior on 11 clean machines used by volunteers. The researchers collected 1.7 billion I/O Request Packets from 2,245 applications running on those computers. Those machines were then set up to look like a realistic environment complete with filetypes targeted by the malware, an emulated directory tree, browser extensions and more.

“We tried to make realistic-looking machines,” Maggi said, “and provide all the triggers ransomware needs.”

With ShieldFS running on the test machines, it looked for the distinctive way ransomware interacts with the low-level filesystem and compared that with how benign systems interact with the filesystem. This let it discern benign from malicious processes in the operating system and detect the use of crypto primitives to encrypt files.

The machines were then infected collectively with 383 samples from five ransomware families: CryptoWall, Crowti, Critroni, CryptoDefense and TeslaCrypt.

The researchers said that because ShieldFS essentially makes a filesystem ransomware-aware, they liken it to a self-healing system.

“When ShieldFS is installed, when it sees a write operation, it will save the file before letting the write operation through,” Maggi said.

The researchers said that ShieldFS could be a good complement to backups, which are considered the top strategic countermeasure to ransomware, in addition to timely patching.

“We argue that, although older files can be asynchronously backed up with on-premise systems (because they have less strict time constraints), recent files may be of immense value for a user (e.g., time-sensitive content); even the loss of a small update to an important file may end up in the decision to pay the ransom, because the existing backup is simply too old,” the researchers said in a paper published earlier.
