ShieldFS: Over the last few months, back to back waves attacks ransomware have hit the internet globally, shutting down businesses and critical infrastructure from hospitals to telecommunications.
So the research of Andrea Continella and his team is quite timely: A tool that automatically detects ransomware, almost instantly, and restores your system from backups before the fraudsters lock it up completely.
The tool is called ShieldFS, and is not designed as a broad antivirus platform. Instead, it scans only for ransomware attacks.
The new project reportedly focuses only on detecting the unique cryptographic behaviors of ransomware, which allows ShieldFS to detect not only known types of malicioussoftware, but also any new ransomware attacks.
The team, from Politecnico di Milano, Italy, will present ShieldFS at the Security Conference Black Hat which will take place in Las Vegas on Wednesday.
"We have developed a set of indicators that can be used to clarify very effectively whether a process is ransomware or some benign process," says Stefano Zanero, researcher better safetywho worked on the project.
Focusing on the detection of encryption itself, rather than a simple cataloging of specific types of ransomware, ShieldFS can prevent known and unknown ransomware.
The researchers tested common types of ransomware, such as CryptoLocker and TeslaCrypt, that infect a system in the typical way - they scan the disk and encrypt each file. In Black Hat, the team prepares to present ShieldFS tool defense against WannaCry, the ransomware that hit thousands of computers in May.
When the tool detects a suspicious new program, it enters an observation phase to determine whether this program is ransomware or not.
During this period, which researchers call "shadowing" or "shadowing," ShieldFS begins to keep a diary of everything the intervention program does and each file it accesses.
If the application concludes that the program is malicious, it will prevent encryption of files and will automatically restore all files that infected the ransomware from extensive backups. If ShieldFS detects false (false), it will not cause collateral damage.