Politecnico di Torino - Corso Duca degli Abruzzi, 24 - 10129 Torino, ITALY

+39 011 090 6100 info@tech-share.it

ShieldFS: A RANSOMWARE AWARE FILESYSTEM

Cyber securityFilesystem monitoringInformatica Tsd En

Introduction

The goal of the invention is to protect user’s valuable files from crypto-extortion attacks, known as ransomware. These attacks are enjoying immense popularity, resulting in millions of Dollars of revenues for the cyber criminals. Attacks are carried out through a virus, i.e. a piece of software running on a computer without the victim noticing. Virus quickly encrypts the target files on the system, preventing access to their content. The victims which succumb to the extortion scheme (about 40–50%) will receive a decryption key upon payment.

Technical features

In Shieldfs environment the operating system continuously monitors the filesystem activity (e.g., read or write operations) originating from any running program. In parallel, any file-modifying operation is performed on a separate, shadow copy of the original file, preserving the original file intact. As soon as a process is deemed “benign,” such shadow copy is deleted, directing the future operations to the original file, transparently. Whenever a process is deemed “malicious,” the operating system kills it and replaces the original files, transparently. The patented novelty is how to decide whether a process is “benign” or “malicious.” To this end, we propose that each process is monitored from two viewpoints: filesystem and memory. This approach has been tested on 305 samples of 11 ransomware families with 100% files protected, even in case of missed detection, and detection rate 97.70%.

Possible Applications

  • In the short term, the invention can be implemented in an endpoint-protection software (e.g., antivirus);
  • In the long term, the invention could be embedded in the operating system’s internals, so as to ensure transparent protection from malicious processes that modify, delete or encrypt user’s valuable files.

Advantages

  • Overcomes the limitations of pure detection approaches;
  • It is the first measurement on the filesystem activity of a large set of benign applications in real working conditions;
  • Other solutions look at the filesystem layer to spot the typical ransomware activity, but they do not combine it with a recovery capability;
  • It works with “code-injection”.