
Black Hat: Building a Ransomware Resilient File System with ShieldFS


Jul 26, 2017

LAS VEGAS — The scourge that is ransomware has dominated security headlines over the last year, with large outbreaks like WannaCry and NotPetya shutting down critical infrastructure in affected organizations.

Time and again, when ransomware outbreaks occur, operating system and security vendors alike remind users and organizations of the importance of having backups. But what if there was a way that a backup could automatically be triggered whenever a possible ransomware attack was detected? That’s the promise of the ShieldFS project that was presented at the Black Hat USA security conference here today by a team of researchers from Politecnico di Milano in Italy.

According to the researchers who developed ShieldFS, it’s a simple drop-in driver that makes the Windows native filesystem immune to ransomware attacks, even when detection fails.

“We are saying that ShieldFS is ransomware-resilient because even if ransomware successfully manages to infect a system and even if the files were not previously backed up, ShieldFS recognizes that something is unusual in the way files are behaving and it automatically makes a copy,” Federico Maggi, Senior Threat Researcher at Trend Micro, told eSecurityPlanet in an interview ahead of the talk.

To prove their point, the researchers tested a strain of WannaCry against a ShieldFS-protected system and found that ShieldFS was effective in making sure that data was not lost. Rather than using Windows shadow copy functionality, ShieldFS acts as a copy-on-write mechanism. As such, whenever a new write action is requested on a file, ShieldFS makes a copy.

“So at the end of the day, even if the ransomware encrypts your file, we’ll have a protected file that wasn’t encrypted,” Maggi said.
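The copy-on-write behavior described above, modeled in user space as an added example (this is not ShieldFS code or the researchers' implementation). The class name, the per-process bookkeeping and the rollback policy are assumptions made for illustration; ShieldFS itself is a Windows filesystem driver.

```python
import itertools
import os
import shutil
import tempfile
from pathlib import Path

class ShadowingStore:
    """User-space model of copy-on-write shadowing; all names are hypothetical."""

    def __init__(self, shadow_dir):
        self.shadow_dir = Path(shadow_dir)
        self.shadows = {}              # (proc, path) -> saved original, None if file was new
        self.ids = itertools.count()

    def write(self, proc, path, data):
        key = (proc, Path(path).resolve())
        if key not in self.shadows:    # first write by this process to this file
            saved = None
            if key[1].exists():
                saved = self.shadow_dir / f"{next(self.ids)}.orig"
                shutil.copy2(key[1], saved)          # keep the pre-write version
            self.shadows[key] = saved
        key[1].write_bytes(data)

    def rollback(self, proc):
        """Assumed policy: undo every write made by a process judged malicious."""
        restored = []
        for (owner, path), saved in list(self.shadows.items()):
            if owner != proc:
                continue
            if saved is not None:
                os.replace(saved, path)              # put the original back
            else:
                path.unlink(missing_ok=True)         # file was created by proc
            del self.shadows[(owner, path)]
            restored.append(path)
        return restored

def demo():
    with tempfile.TemporaryDirectory() as root:
        shadow_dir = Path(root, "shadow")
        shadow_dir.mkdir()
        doc = Path(root, "report.txt")
        doc.write_bytes(b"quarterly numbers")        # constructed sample file
        store = ShadowingStore(shadow_dir)
        store.write("proc-A", doc, b"\x9f\x02\xe1 unreadable")  # stands in for encryption
        after_write = doc.read_bytes()
        store.rollback("proc-A")
        return after_write, doc.read_bytes()
```

`demo()` returns the file's contents after the overwrite and again after rollback; the second value is the original data, recovered without any prior backup.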

From a detection perspective, ShieldFS uses machine learning to help determine what is and what isn’t normal operation for a file.

“We look at both the short and long term aspects of a given system process and then we can tell what is abnormal behavior,” Maggi said. “We also check the system memory to see if there are any traces of crypto material that could be used by ransomware.”

The machine learning analysis does not rely on an external cloud service, but rather is an on-premises solution. ShieldFS includes a driver that sits between the original filesystem and the application.

“So whenever an application is doing something with the filesystem, we have visibility on those operations,” Maggi said.

Maggi and his peers are continuing work on ShieldFS to further enhance and mature the system.

Sean Michael Kerner is a senior editor at eSecurityPlanet and InternetNews.com. Follow him on Twitter @TechJournalist.


Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.
