ShieldFS: A RANSOMWARE-AWARE FILESYSTEM
The goal of the invention is to protect a user's valuable files from crypto-extortion attacks, known as ransomware. These attacks have become extremely common, generating millions of dollars in revenue for cybercriminals. An attack is carried out by a piece of malware (commonly called a virus), i.e. software running on the computer without the victim noticing. The malware quickly encrypts the target files on the system, preventing access to their content. Victims who give in to the extortion scheme (about 40–50%) receive a decryption key upon payment.
In the ShieldFS environment, the operating system continuously monitors the filesystem activity (e.g., read or write operations) of every running program. In parallel, before a process first modifies a file, a shadow copy of the original is preserved in a protected area, so the original content survives whatever the process does to the file. As soon as a process is deemed "benign," its shadow copies are discarded and future operations go straight to the original file, transparently. Whenever a process is deemed "malicious," the operating system kills it and restores every file it modified from the shadow copies, again transparently. The patented novelty is how to decide whether a process is "benign" or "malicious." To this end, we propose monitoring each process from two viewpoints: its filesystem activity and its memory. Evaluated on 305 samples from 11 ransomware families, the approach protected 100% of the files, even in the case of a missed detection, and achieved a detection rate of 97.70%.
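The following is an added example written for this page; it is not code from ShieldFS or from the patent. It models the protection loop described above in Python over a temporary directory: writes are intercepted, the original file is shadowed on the first touch, a per-process verdict is computed, and the verdict either discards the shadows (benign) or restores the files from them (malicious). The ShadowFS class, its two thresholds (average written entropy above 7 bits per byte and more than half of the protected files touched), the process IDs and the document contents are all assumptions made for the illustration. Only the filesystem viewpoint is modelled; the patented decision logic, which also inspects process memory, is not reproduced here.

```python
"""Toy model of a copy-on-write ransomware-protection loop (added example)."""
import math
import os
import random
import shutil
import tempfile
from collections import Counter, defaultdict


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the written data; ciphertext sits close to 8.0, text well below."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


class ShadowFS:
    """Copy-on-write layer over a directory tree.

    The first write a process makes to a file preserves the original in a
    per-process shadow area; the process then writes to the real file.  A
    verdict either commits (shadows dropped) or rolls back (originals restored).
    """

    # Hypothetical thresholds chosen for this example, not ShieldFS's model.
    ENTROPY_THRESHOLD = 7.0    # average bits/byte of data written by the process
    COVERAGE_THRESHOLD = 0.5   # fraction of protected files the process touched

    def __init__(self, root: str, shadow_root: str):
        self.root = root
        self.shadow_root = shadow_root
        self.shadows = defaultdict(dict)  # pid -> {relpath: shadow path}
        self.stats = defaultdict(lambda: {"writes": 0, "files": set(), "entropy": 0.0})

    def write(self, pid: int, relpath: str, data: bytes) -> None:
        """Intercepted write: shadow the original on first touch, then apply the write."""
        path = os.path.join(self.root, relpath)
        if relpath not in self.shadows[pid] and os.path.exists(path):
            shadow = os.path.join(self.shadow_root, str(pid), relpath)
            os.makedirs(os.path.dirname(shadow), exist_ok=True)
            shutil.copy2(path, shadow)
            self.shadows[pid][relpath] = shadow
        with open(path, "wb") as fh:
            fh.write(data)
        st = self.stats[pid]
        st["writes"] += 1
        st["files"].add(relpath)
        st["entropy"] += shannon_entropy(data)

    def verdict(self, pid: int, protected_files: int) -> str:
        """Filesystem-side classification only (the real system adds a memory view)."""
        st = self.stats[pid]
        if st["writes"] == 0:
            return "benign"
        avg_entropy = st["entropy"] / st["writes"]
        coverage = len(st["files"]) / protected_files
        if avg_entropy > self.ENTROPY_THRESHOLD and coverage > self.COVERAGE_THRESHOLD:
            return "malicious"
        return "benign"

    def resolve(self, pid: int, verdict: str) -> int:
        """Commit or roll back, then release the process's shadows; returns files restored."""
        restored = 0
        for relpath, shadow in self.shadows.pop(pid, {}).items():
            if verdict == "malicious":
                shutil.copy2(shadow, os.path.join(self.root, relpath))
                restored += 1
            os.remove(shadow)
        return restored


def run_scenario() -> dict:
    """Constructed scenario: a benign editor (pid 1001) appends to one document,
    then a ransomware-like process (pid 2002) overwrites every document with
    high-entropy bytes.  Returns the verdicts and the final state for checking."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as shadow_root:
        originals = {f"doc{i}.txt": f"report {i}: quarterly numbers\n".encode() * 20
                     for i in range(4)}
        for name, content in originals.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(content)
        fs = ShadowFS(root, shadow_root)

        # Benign editor: low-entropy text, touches a quarter of the files.
        fs.write(1001, "doc0.txt", originals["doc0.txt"] + b"edited by user\n")
        v_editor = fs.verdict(1001, len(originals))
        fs.resolve(1001, v_editor)

        # Ransomware-like process: near-8-bit entropy written to every file.
        rng = random.Random(7)  # seeded so the run is reproducible
        for name in originals:
            fs.write(2002, name, bytes(rng.getrandbits(8) for _ in range(4096)))
        v_ransom = fs.verdict(2002, len(originals))
        restored = fs.resolve(2002, v_ransom)

        final = {}
        for name in originals:
            with open(os.path.join(root, name), "rb") as fh:
                final[name] = fh.read()
        return {
            "editor": v_editor,
            "ransomware": v_ransom,
            "restored": restored,
            "doc0_kept_edit": final["doc0.txt"].endswith(b"edited by user\n"),
            "others_intact": all(final[n] == originals[n] for n in originals if n != "doc0.txt"),
        }


if __name__ == "__main__":
    print(run_scenario())
```

Two details matter for the recovery guarantee. The shadow is taken at the moment of the first write by that process, so the editor's committed change to doc0.txt is what gets restored after the ransomware-like process is rolled back, not the pristine file. And the verdict here is computed once after the writes for brevity; in the system described above it is recomputed continuously while the process runs, which is what lets a process be killed before it has touched every file.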
- In the short term, the invention can be implemented in endpoint-protection software (e.g., an antivirus product);
- In the long term, the invention could be embedded in the operating system's internals, so as to ensure transparent protection from malicious processes that modify, delete or encrypt a user's valuable files.
- It overcomes the limitations of pure detection approaches, because files modified before a process is detected can still be recovered;
- It is based on the first measurement of the filesystem activity of a large set of benign applications under real working conditions;
- Other solutions look at the filesystem layer to spot typical ransomware activity, but they do not combine it with a recovery capability;
- It remains effective against ransomware that uses "code injection" into other processes.