Italian researchers have developed a Windows drop-in driver and custom filesystem layer capable of detecting the telltale signs of a ransomware infection, stopping the malicious process, and reverting any files it encrypted to their previous state.
Called ShieldFS, this new project is the work of seven researchers from the Politecnico di Milano University and was detailed yesterday at the Black Hat USA 2017 security conference.
ShieldFS watches low-level filesystem I/O and looks for signs of encryption
According to the two research papers [1, 2], ShieldFS is a kernel-level filesystem filter that monitors the low-level I/O of every running process (directory listings, file reads, writes and renames, and the entropy of the data being written) and puts a copy-on-write (COW) protection layer on top of the native Windows filesystem.
Copy-on-write here is the protection, not the symptom: before a process is allowed to modify a file, ShieldFS keeps a copy of the original contents, so that whatever the process writes can later be undone. Most of today's ransomware families work by reading a file, writing encrypted content over it (or into a new file) and then deleting or renaming the original, which is exactly the kind of mass modify-and-rename traffic the filter is built to recognize.
Besides the I/O traffic, ShieldFS also looks for the use of symmetric crypto primitives, scanning the memory of suspicious processes for traces of encryption keys (the expanded key schedules that block ciphers such as AES keep in memory while encrypting).
Once ShieldFS detects an event that fits these criteria, it checks with internal behavioral models that distinguish benign processes from malicious ransomware.
According to the researchers, the models were trained on the filesystem activity of 2,245 legitimate applications, which keeps false positives, and therefore the blocking of legitimate processes, low.
ShieldFS uses a self-healing filesystem to recover encrypted files
If a process is classified as ransomware, ShieldFS blocks it and uses the shadow copies kept by its copy-on-write layer to roll back the changes that process made to the filesystem.
At the technical level, this is possible because ShieldFS is packaged as a drop-in Windows filesystem filter driver that sits between applications and the native filesystem: it shadows a file the first time a process writes to it and keeps the original for a limited time, so anything a flagged process modified within that window can be restored. The retention is bounded by time and disk space, which is why the papers describe restoring a certain amount of files rather than guaranteeing recovery of everything.
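To make the detection-plus-rollback flow of the two sections above concrete, here is an added Python simulation (not ShieldFS code, which is a Windows minifilter written in C): a dict stands in for the volume, method calls stand in for the intercepted I/O requests, a hand-written threshold rule stands in for the trained per-application models, and a SHA-256 keystream stands in for the ransomware's cipher. The process IDs, file names, sample contents and thresholds are all assumptions made up for the demo.

```python
"""Toy ShieldFS-style filter: per-process I/O profiling plus copy-on-write rollback.
Added example, not ShieldFS code: a dict is the volume, method calls are the I/O requests."""
import hashlib
import math
from collections import Counter, defaultdict
from dataclasses import dataclass, field


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: English text lands around 4-5, ciphertext and compressed data near 8."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


@dataclass
class ProcessProfile:
    """Counters in the spirit of the features ShieldFS derives from filesystem traffic."""
    dir_listings: int = 0
    files_read: set = field(default_factory=set)
    files_written: set = field(default_factory=set)
    files_renamed: set = field(default_factory=set)
    write_entropies: list = field(default_factory=list)

    def looks_like_ransomware(self) -> bool:
        # Hand-picked thresholds standing in for the trained models; the numbers are
        # assumptions for this demo, not values taken from the ShieldFS papers.
        if len(self.files_written) < 3:
            return False
        mean_entropy = sum(self.write_entropies) / len(self.write_entropies)
        renamed_fraction = len(self.files_renamed) / len(self.files_written)
        return self.dir_listings > 0 and mean_entropy > 7.0 and renamed_fraction >= 0.5


class ShieldedVolume:
    """Dict-backed volume with a per-process undo log (the copy-on-write shadow)."""

    def __init__(self, files: dict):
        self.files = dict(files)
        self.undo = defaultdict(list)          # pid -> [(op, ...)] in the order applied
        self.profiles = defaultdict(ProcessProfile)
        self.blocked = set()

    def list_dir(self, pid: int) -> list:
        self.profiles[pid].dir_listings += 1
        return sorted(self.files)

    def read(self, pid: int, path: str) -> bytes:
        self.profiles[pid].files_read.add(path)
        return self.files[path]

    def write(self, pid: int, path: str, data: bytes) -> None:
        self._guard(pid)
        prof = self.profiles[pid]
        prof.files_written.add(path)
        prof.write_entropies.append(shannon_entropy(data))
        # Copy-on-write: shadow the original (None if the file is new) before overwriting it.
        self.undo[pid].append(("write", path, self.files.get(path)))
        self.files[path] = data
        self._check(pid)

    def rename(self, pid: int, src: str, dst: str) -> None:
        self._guard(pid)
        self.profiles[pid].files_renamed.add(src)
        self.undo[pid].append(("rename", src, dst))
        self.files[dst] = self.files.pop(src)
        self._check(pid)

    def _guard(self, pid: int) -> None:
        if pid in self.blocked:
            raise PermissionError(f"pid {pid} is blocked")

    def _check(self, pid: int) -> None:
        if self.profiles[pid].looks_like_ransomware():
            self.blocked.add(pid)              # stop the process ...
            self.rollback(pid)                 # ... and undo everything it did

    def rollback(self, pid: int) -> None:
        """Replay the undo log backwards: restore shadowed originals, undo renames."""
        for op in reversed(self.undo.pop(pid, [])):
            if op[0] == "write":
                _, path, original = op
                if original is None:
                    self.files.pop(path, None)
                else:
                    self.files[path] = original
            else:
                _, src, dst = op
                self.files[src] = self.files.pop(dst)


def fake_encrypt(key: bytes, plaintext: bytes) -> bytes:
    """SHA-256 counter keystream XORed in; stands in for AES-CTR output (high entropy)."""
    out = bytearray()
    for i in range(0, len(plaintext), 32):
        block = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(plaintext[i:i + 32], block))
    return bytes(out)


def simulate() -> dict:
    """Constructed trace: one text editor and one ransomware-like process on the same volume."""
    originals = {f"doc{i}.txt": f"Quarterly report {i}, draft. ".encode() * 150 for i in range(4)}
    originals["notes.txt"] = b"todo: review\n"
    vol = ShieldedVolume(originals)
    # pid 7, an editor: reads one file, appends plaintext; no directory sweep, no renames.
    vol.write(7, "notes.txt", vol.read(7, "notes.txt") + b"- ship release\n")
    # pid 9, ransomware: sweeps the directory, overwrites each file with ciphertext, renames it.
    try:
        for name in vol.list_dir(9):
            vol.write(9, name, fake_encrypt(b"\x13" * 16, vol.read(9, name)))
            vol.rename(9, name, name + ".locked")
    except PermissionError:
        pass                                   # the filter cut the process off mid-sweep
    expected = {**originals, "notes.txt": b"todo: review\n- ship release\n"}
    return {"blocked": sorted(vol.blocked),
            "locked_files": sorted(n for n in vol.files if n.endswith(".locked")),
            "restored": vol.files == expected}  # editor's change kept, ransomware's undone
```

Detection fires on the third overwritten file, by which point two files have already been encrypted and renamed; they come back only because the copy-on-write shadow kept their originals, which is the whole point of pairing detection with the self-healing layer rather than relying on detection alone. The editor's plaintext write is never touched, since rollback is per process. The real driver bounds how long and how much it shadows, so the window for a complete rollback is finite.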
You could say that ShieldFS' real-time, self-healing filesystem works as an alternative to Volume Shadow Copies, which most ransomware families make a point of deleting after they encrypt the user's files, so that the victim cannot restore earlier versions of them through Windows' built-in tools.