Italian cybersecurity experts have developed a Windows drop-in driver and a customized file system that can detect signs of ransomware infection, stop any malicious actions and even restore the previous state of all encrypted files.
The new project, called ShieldFS, is the work of seven researchers from the Politecnico di Milano University.
ShieldFS functions as a scanner for COW and encryption operations
ShieldFS is a complex mechanism designed to detect Copy-On-Write (COW) operations.
In COW operations, an application takes a file, copies it, makes modifications, and then replaces the original file. Most of today's ransomware families rely on COW operations by taking the original file, encrypting its contents and replacing the original.
ShieldFS is designed not only to detect COW operations but also to search for the use of symmetric crypto primitives, often used in the file encryption process.
When ShieldFS detects an event that meets these criteria, it checks with internal behavioral models that distinguish benign processes from malicious ransomware.
According to the creators of ShieldFS, it is currently equipped with adaptive models for 2,245 legitimate applications, which allow it to work without too many false positives that may result in the blocking of legitimate processes.
ShieldFS uses a self-healing filesystem to recover encrypted files
If ShieldFS detects ransomware, it alerts the operating system to stop the process and uses a customized file system to reverse the malicious actions of the ransomware.
This is technically possible because ShieldFS is packaged as a drop-in driver that installs a customized virtual file system designed to shadow COW operations and keep copies of original files for a short time, allowing it to restore a certain number of files.
It can be said that ShieldFS's real-time and self-healing file system functions as an alternative to Shadow Volume copies, which most ransomware families erase after encrypting victims' files, preventing file restoration via specialized data recovery software.
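As an added illustration of the mechanism described above (example code written for this article, not ShieldFS's own driver), the following Python model shadows the pre-image of every copy-on-write replacement, keeps a per-process record of whether the new content looks encrypted, and, once a process crosses a behavioral threshold, blocks it and rolls its files back. The entropy test standing in for ShieldFS's crypto-primitive detection, and the `min_files`/`min_ratio` thresholds, are assumptions for the demo, not ShieldFS's actual models.

```python
import math
from collections import defaultdict

HIGH_ENTROPY = 7.0  # assumed bits/byte threshold; encrypted output approaches 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


class ShadowFS:
    """Toy model of a self-healing file layer: files live in a dict, and every
    copy-on-write replacement keeps the pre-image in a per-process shadow store."""

    def __init__(self, files):
        self.files = dict(files)             # live file contents
        self.shadow = defaultdict(dict)      # pid -> {path: original bytes}
        self.cow_events = defaultdict(list)  # pid -> [high_entropy_flag, ...]
        self.blocked = set()

    def cow_replace(self, pid, path, new_content):
        """Process `pid` replaces `path` with `new_content` (a COW write).
        Returns True if this write caused the process to be blocked and rolled back."""
        if pid in self.blocked:
            raise PermissionError(f"pid {pid} is blocked")
        if path not in self.files:
            raise FileNotFoundError(path)
        # keep the first pre-image seen for this (pid, path) so it can be restored
        self.shadow[pid].setdefault(path, self.files[path])
        self.cow_events[pid].append(shannon_entropy(new_content) >= HIGH_ENTROPY)
        self.files[path] = new_content
        if self.looks_like_ransomware(pid):
            self.block_and_restore(pid)
            return True
        return False

    def looks_like_ransomware(self, pid, min_files=3, min_ratio=0.8):
        """Assumed behavioral rule: most COW writes by this process produce encrypted-looking data."""
        events = self.cow_events[pid]
        return len(events) >= min_files and sum(events) / len(events) >= min_ratio

    def block_and_restore(self, pid):
        """Stop the process and roll back every file it shadowed."""
        self.blocked.add(pid)
        for path, original in self.shadow.pop(pid, {}).items():
            self.files[path] = original
```

A benign editor rewriting a document in plain text never trips the rule, while a process that replaces several files with high-entropy content is stopped on the third write and its earlier writes are undone from the shadow store.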
Experts are still working on the project, but are planning to officially release a functional version of ShieldFS soon.