ShieldFS: In recent months, successive waves of ransomware attacks have hit the internet globally, stopping businesses and critical infrastructure from hospitals to telecommunications.
So the research of Andrea Continella and his team is quite timely: A tool that automatically detects ransomware, almost instantly, and restores your system from backups before the fraudsters lock it up completely.
The tool is called ShieldFS, and is not designed as a broad antivirus platform. Instead, it scans only for ransomware attacks.
The project is reported to focus solely on detecting the cryptographic behaviour that is characteristic of ransomware, which lets ShieldFS catch not only known families of malicious software but also new attacks that behave like ransomware.
The team, from Politecnico di Milano, Italy, will present ShieldFS at the Black Hat security conference, which takes place in Las Vegas on Wednesday.
"We have developed a set of indicators that can be used to clarify very effectively whether a process is ransomware or a benign process," said Stefano Zanero, a security researcher who worked on the project.
Focusing on the detection of encryption itself, rather than a simple cataloging of specific types of ransomware, ShieldFS can prevent known and unknown ransomware.
The researchers tested common types of ransomware, such as CryptoLocker and TeslaCrypt, that attack a system in the standard way – scanning the disk and encrypting each file. At Black Hat, the team is preparing to demonstrate ShieldFS defending against WannaCry, the ransomware that hit thousands of computers in May.
When the tool detects a suspicious new program, it enters an observation phase to determine whether this program is ransomware or not.
During this period, which the researchers call "shadowing," ShieldFS starts keeping a log of everything the intrusive program does and of every file it accesses.
If the application concludes that the program is malicious, it blocks the encryption of the files and automatically restores every file the ransomware has infected from extensive backups. According to the researchers, should ShieldFS get it wrong (a false positive), it causes no collateral damage.
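The shadow-then-rollback idea described above, as an added illustration in Python that is not ShieldFS's own code (the article does not describe its actual indicators or implementation): a toy in-memory file system takes a copy-on-write shadow of a file before an untrusted process first writes it, scores that process with one constructed indicator (many distinct files rewritten with high-entropy, ciphertext-like content), and restores the shadows if the indicator trips. The thresholds, the process names and the in-memory file contents are assumptions made for the example.

```python
import math
import random
from collections import Counter, defaultdict

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext or random data, about 4-5 for text."""
    n = len(data)
    return 0.0 if n == 0 else -sum(c / n * math.log2(c / n) for c in Counter(data).values())

class ShadowFS:
    """Toy in-memory file system: shadows a file before a process first writes it,
    scores the process's writes, and rolls it back if they look like bulk encryption."""
    def __init__(self, files, min_files=3, entropy_threshold=7.0, high_ratio=0.9):
        self.files = dict(files)      # path -> current contents
        self.shadow = {}              # (pid, path) -> contents before pid's first write
        self.stats = defaultdict(lambda: {"files": set(), "writes": 0, "high": 0})
        self.blocked = set()
        self.min_files, self.entropy_threshold, self.high_ratio = min_files, entropy_threshold, high_ratio

    def write(self, pid, path, data: bytes) -> bool:
        if pid in self.blocked:
            return False                                  # refused: process already rolled back
        self.shadow.setdefault((pid, path), self.files.get(path, b""))  # copy-on-write shadow
        st = self.stats[pid]
        st["files"].add(path)
        st["writes"] += 1
        st["high"] += int(shannon_entropy(data) >= self.entropy_threshold)
        self.files[path] = data
        if self._ransomware_like(st):
            self._rollback(pid)
            return False                                  # write applied, then undone
        return True

    def _ransomware_like(self, st):
        # Indicator (assumed): many distinct files rewritten, nearly all with high-entropy content.
        return len(st["files"]) >= self.min_files and st["high"] / st["writes"] >= self.high_ratio

    def _rollback(self, pid):
        self.blocked.add(pid)          # block further writes from this process
        for path in self.stats[pid]["files"]:
            self.files[path] = self.shadow[(pid, path)]   # restore pre-write contents

def simulate():
    """Constructed scenario: a benign editor, then a process rewriting every file with random bytes."""
    original = {f"doc{i}.txt": f"Quarterly report number {i}, plain text.".encode() for i in range(5)}
    fs = ShadowFS(original)
    ok_benign = fs.write("editor", "doc0.txt", b"Quarterly report number 0, revised draft.")
    rng = random.Random(7)   # deterministic stand-in for ciphertext-like output
    results = [fs.write("encryptor", p, bytes(rng.getrandbits(8) for _ in range(4096))) for p in original]
    return fs, ok_benign, results
```

The benign edit survives the rollback because each shadow is taken per process, at that process's first write; a real driver would also need to handle interleaved writers and renames, which this toy does not.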