ShieldFS can stop the ransomware infections and revert the damage




Italian cybersecurity experts have developed a Windows drop-in driver and a customized file system that can detect signs of ransomware infection, stop any malicious actions and even restore the previous state of all encrypted files.

The new project, called ShieldFS, is the work of seven researchers from the Politecnico di Milano University.

ShieldFS functions as a scanner for COW and encryption operations

ShieldFS is a complex mechanism designed to detect Copy-On-Write (COW) operations.

In COW operations, an application takes a file, copies it, makes modifications, and then replaces the original file. Most of today's ransomware families rely on COW operations, taking the original file, encrypting its contents and replacing the original with the encrypted copy.

ShieldFS is designed not only to detect COW operations but also to search for the use of symmetric crypto primitives, often used in the file encryption process.

When ShieldFS detects an event that meets these criteria, it checks with internal behavioral models that distinguish benign processes from malicious ransomware.

According to the creators of ShieldFS, it is currently equipped with adaptive models for 2,245 legitimate applications, which allow it to work without too many false positives that may result in the blocking of legitimate processes.

ShieldFS uses a self-healing filesystem to recover encrypted files

If ShieldFS detects ransomware, it alerts the operating system to stop the process and uses a customized file system to reverse the malicious actions of the ransomware.

This is technically possible because ShieldFS is packaged as a drop-in driver that installs a customized virtual file system designed to shadow COW operations and keep copies of original files for a short time, allowing it to restore a certain number of files.

It can be said that ShieldFS's real-time, self-healing file system functions as an alternative to Shadow Volume copies, which most ransomware families erase after encrypting the victim's files, preventing file restoration via specialized data recovery software.
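To make the two mechanisms described above concrete (detecting COW-style full-file replacements that look like encryption, and shadowing the original contents so they can be rolled back), here is an added, simplified Python simulation. It is not ShieldFS's own code: the real system is a Windows file-system driver with trained per-application models, whereas this in-memory stand-in uses a byte-entropy heuristic in place of the crypto-primitive detection and behavioral models, and all thresholds (`ENTROPY_THRESHOLD`, `MIN_SUSPICIOUS_WRITES`, `SHADOW_TTL_SECONDS`), file names and file contents are constructed for the example.

```python
import math
import random
import time
from collections import Counter, defaultdict

# Constructed thresholds for this illustration; ShieldFS uses tuned, per-application models.
ENTROPY_THRESHOLD = 7.0      # bits per byte; plain text and documents sit well below this
MIN_SUSPICIOUS_WRITES = 5    # full-file replacements before a process can be flagged
SHADOW_TTL_SECONDS = 60.0    # how long original contents are retained for rollback


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; encrypted or compressed output approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


class ShadowingFS:
    """In-memory stand-in for a self-healing file system.

    Every replacement of an existing file is recorded together with the previous
    contents, so the write can be undone; per-process write statistics feed a
    simple detector that blocks the process and rolls back its changes.
    """

    def __init__(self, clock=time.monotonic):
        self.files = {}                         # path -> current bytes
        self.shadow = defaultdict(list)         # pid -> [(timestamp, path, original)]
        self.stats = defaultdict(lambda: {"replacements": 0, "high_entropy": 0})
        self.blocked = set()
        self.clock = clock

    def read(self, pid: int, path: str):
        return self.files.get(path)

    def write(self, pid: int, path: str, data: bytes) -> bool:
        """Apply a write; returns False if it triggered a block and rollback."""
        if pid in self.blocked:
            raise PermissionError(f"pid {pid} is blocked")
        original = self.files.get(path)
        if original is not None and original != data:
            # Replacement of existing content: the COW-style event of interest.
            self.shadow[pid].append((self.clock(), path, original))
            s = self.stats[pid]
            s["replacements"] += 1
            if shannon_entropy(data) >= ENTROPY_THRESHOLD:
                s["high_entropy"] += 1
        self.files[path] = data
        self._expire_shadows()
        if self.is_ransomware_like(pid):
            self.blocked.add(pid)
            self.rollback(pid)
            return False
        return True

    def is_ransomware_like(self, pid: int) -> bool:
        """Stand-in model: many replacements, almost all with encryption-like entropy."""
        s = self.stats[pid]
        return (s["replacements"] >= MIN_SUSPICIOUS_WRITES
                and s["high_entropy"] / s["replacements"] >= 0.8)

    def rollback(self, pid: int) -> int:
        """Restore every shadowed original written by pid, newest first."""
        restored = 0
        for _, path, original in reversed(self.shadow.pop(pid, [])):
            self.files[path] = original
            restored += 1
        return restored

    def _expire_shadows(self):
        now = self.clock()
        for pid in list(self.shadow):
            self.shadow[pid] = [e for e in self.shadow[pid]
                                if now - e[0] <= SHADOW_TTL_SECONDS]


def demo():
    """Constructed scenario: a benign editor, then a process overwriting files with random bytes."""
    fs = ShadowingFS()
    docs = {f"/home/u/doc{i}.txt":
            f"Quarterly report {i}: revenue up, costs flat.\n".encode() * 100
            for i in range(8)}
    for path, content in docs.items():
        fs.write(pid=1, path=path, data=content)           # editor creating files
    ok = fs.write(1, "/home/u/doc0.txt",                   # low-entropy benign edit
                  docs["/home/u/doc0.txt"] + b"Addendum.\n")
    rng = random.Random(1234)                              # seeded for reproducibility
    results = []
    for path, content in docs.items():
        try:
            results.append(fs.write(pid=99, path=path, data=rng.randbytes(len(content))))
        except PermissionError:
            results.append(None)                           # blocked after detection
    return fs, ok, results


if __name__ == "__main__":
    fs, ok, results = demo()
    print("benign edit accepted:", ok)
    print("per-write outcome for pid 99:", results)
    print("doc1 restored:", fs.files["/home/u/doc1.txt"].startswith(b"Quarterly report 1"))
```

Running `demo()` shows the fifth high-entropy replacement tripping the detector: the process is blocked, its earlier four writes are rolled back from the shadow store, and later writes are refused, while the benign editor's low-entropy edit is left in place. The TTL on shadow entries mirrors the article's point that originals are only kept for a short time, which bounds the storage cost but also bounds how much can be recovered.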

Experts are still working on the project, but are planning to officially release a functional version of ShieldFS soon.
