ShieldFS can stop the ransomware infections and revert the damage

27.07.2017


Italian cybersecurity experts have developed a Windows drop-in driver and a customized file system that can detect signs of ransomware infection, stop any malicious actions and even restore the previous state of all encrypted files.

The new project, called ShieldFS, is the work of seven researchers from the Politecnico di Milano University.

ShieldFS functions as a scanner for COW and encryption operations

ShieldFS is a complex mechanism designed to detect Copy-On-Write (COW) operations.

In a COW operation, an application takes a file, copies it, modifies the copy, and then replaces the original file with it. Most of today's ransomware families rely on COW operations: they take the original file, encrypt its contents, and replace the original.

ShieldFS is designed not only to detect COW operations but also to search for the use of symmetric crypto primitives, often used in the file encryption process.

When ShieldFS detects an event that meets these criteria, it checks with internal behavioral models that distinguish benign processes from malicious ransomware.

According to the creators of ShieldFS, it is currently equipped with adaptive models for 2,245 legitimate applications, which allow it to work without too many false positives that may result in the blocking of legitimate processes.

ShieldFS uses a self-healing filesystem to recover encrypted files

If ShieldFS detects ransomware, it alerts the operating system to stop the process and uses a customized file system to reverse the malicious actions of the ransomware.

This is technically possible because ShieldFS is packaged as a drop-in driver that installs a customized virtual file system designed to shadow COW operations and keep copies of the original files for a short time, allowing it to restore a certain number of files.

In effect, ShieldFS's real-time, self-healing file system functions as an alternative to Volume Shadow Copies, which most ransomware families erase after encrypting the victim's files, preventing file restoration via specialized data recovery software.
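As an added illustration of the two halves described above (this is not ShieldFS's own code, which the article does not reproduce), the following in-memory model pairs a per-process detector, which treats a run of COW replacements that produce near-random output as a sign of encryption, with a shadow store that keeps each file's pre-image for a short retention window so that a blocked process's writes can be reverted. Byte entropy stands in for ShieldFS's crypto-primitive detection and behavioral models; the class and function names, the thresholds and the sample contents are all assumptions.

```python
import math
from collections import defaultdict, deque

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ciphertext sits near 8.0, text and most documents well below."""
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data) or 1                          # empty input yields 0.0 rather than a ZeroDivisionError
    return -sum(c / n * math.log2(c / n) for c in counts if c)

class ShieldedFS:
    """In-memory stand-in for a shadowing filesystem (an assumed design, not ShieldFS's own code)."""
    def __init__(self, files, retention=60.0, window=8, min_events=4, ratio=0.75):
        self.files = dict(files)                # path -> current contents
        self.shadow = {}                        # path -> (time shadowed, pre-image; None for a new file)
        self.retention, self.min_events, self.ratio = retention, min_events, ratio
        self.scores = defaultdict(lambda: deque(maxlen=window))   # pid -> recent 1/0 verdicts
        self.touched = defaultdict(set)         # pid -> paths it replaced
        self.blocked = set()

    def replace(self, pid, path, new_data, now):
        """COW replace of `path` by `pid` at time `now`; returns True once the process is blocked."""
        if pid in self.blocked:
            return True                         # a stopped process gets no further writes through
        self.shadow.setdefault(path, (now, self.files.get(path)))   # keep the earliest pre-image
        self.files[path] = new_data
        self.touched[pid].add(path)
        verdicts = self.scores[pid]
        verdicts.append(1 if shannon_entropy(new_data) >= 7.0 else 0)
        if len(verdicts) >= self.min_events and sum(verdicts) / len(verdicts) >= self.ratio:
            self.blocked.add(pid)               # stop the process and revert everything it touched
            self.rollback(pid)
            return True
        return False

    def rollback(self, pid):
        for path in self.touched.pop(pid, ()):
            if path not in self.shadow:
                continue                        # shadow already expired: nothing left to restore
            _, original = self.shadow.pop(path)
            if original is None:
                self.files.pop(path, None)      # the file did not exist before: remove it
            else:
                self.files[path] = original

    def expire(self, now):
        for path in [p for p, (t, _) in self.shadow.items() if now - t > self.retention]:
            del self.shadow[path]               # past the retention window: no longer restorable
```

Once a pre-image has expired it cannot be recovered, which mirrors the article's point that ShieldFS keeps originals only for a short time and so restores a bounded number of files.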

Experts are still working on the project, but are planning to officially release a functional version of ShieldFS soon.
