SHIELDFS: THE LAST WORD IN RANSOMWARE RESILIENT FILE SYSTEMS presented at blackhat 2017

by Stefano Zanero, Federico Maggi, Alessandro Barenghi, Andrea Continella, Alessandro Guagnelli, Giovanni Zingaro, Giulio De Pasquale,

Summary : Preventive and reactive security measures can only partially mitigate the damage caused by modern ransomware attacks. The remarkable amount of illicit profit and the cybercriminals' increasing interest in ransomware schemes demonstrate that current defense solutions are failing, and a large number of users are actually paying the ransoms. In fact, pure-detection approaches (e.g., based on analysis sandboxes or pipelines) are not sufficient, because, when luck allows a sample to be isolated and analyzed, it is already too late for several users! Moreover, modern ransomware implements several techniques to prevent detection by common AV. Similarly, for performance reasons, backups leave a small-but-important window of recent files unprotected.
We believe that a forward-looking solution is to equip modern operating systems with generic, practical self-healing capabilities against this serious threat.
In this talk, we will present ShieldFS, a drop-in driver that makes the Windows native filesystem immune to ransomware attacks, even when detection fails ShieldFS dynamically toggles a protection layer that acts as a copy-on-write mechanism whenever its detection component reveals suspicious activity. For this, ShieldFS monitors the filesystem's internals to update a set of adaptive models that profile the system activity over time. This detection is based on a study of the filesystem activity of over 2,245 applications, and takes into account the entropy of write operations, frequency of read, write, and folder-listing operations, fraction of files renamed, and the file-type usage statistics. Additionally, ShieldFS monitors the memory pages of each "potentially malicious" process, searching for traces of the typical block cipher key schedules.
We will show how ShieldFS can shadow the write operations. Whenever one or more processes violate our detection component, their operations are deemed malicious and the side effects on the filesystem are transparently rolled back.
Last, we will demo how effective ShieldFS is against samples from state of the art ransomware families, showing that it is able to detect the malicious activity at runtime and transparently recover all the original files.