ShieldFS: In recent months, successive waves of ransomware attacks have hit the internet globally, stopping businesses and critical infrastructure from hospitals to telecommunications.
So the research of Andrea Continella and his team is quite timely: A tool that automatically detects ransomware, almost instantly, and restores your system from backups before the fraudsters lock it up completely.
The tool is called ShieldFS, and is not designed as a broad antivirus platform. Instead, it scans only for ransomware attacks.
The new project is reported to focus only on detecting the unique cryptographic behaviors of ransomware, which allows ShieldFS to detect not only known types of malicious software but also any new attacks that act in a ransomware way.
The team, from Politecnico di Milano, Italy, will present ShieldFS at the Security Conference Black Hat which will take place in Las Vegas on Wednesday.
"We have developed a set of indicators that can be used to clarify very effectively whether a process is ransomware or a benign process," said Stefano Zanero, a security researcher who worked on the project.
Focusing on detecting herself encryptions, rather than simply cataloging specific ransomware types, ShieldFS can prevent known and unknown ransomware.
The researchers tested common types of ransomware, such as CryptoLocker and TeslaCrypt, that attack a system in the standard way – they scan the disk and encrypt each file. At Black Hat, the team is preparing to present the ShieldFS tool's defense against WannaCry, the ransomware that hit thousands of computers in May.
When the tool detects a suspicious new program, it enters an observation phase to determine whether this program is ransomware or not.
During this period, which the researchers call “shadowing,” ShieldFS begins to maintain a calendar for everything the intrusive program does and for every file it accesses.
If the application concludes that the program is malicious, it will prevent the encryption of the files and it will automatically reset all the archives that has infected ransomware from extensive backups. In case ShieldFS detects something wrong (false positive) according to the researchers, it will not cause collateral losses.