In the last few months, waves of ransomware attacks have pummeled the world, disrupting not just businesses but also vital services like hospital care, energy infrastructure, and telecoms. Which means the research Andrea Continella and his team have pursued recently couldn't be better timed: A tool that detects ransomware automatically, almost instantly, and restores your system from backups before hackers can fully lock it down.
Called ShieldFS, the team's innovation isn't a broad antivirus platform, but that's by design. Instead, it's a targeted feature that scans only for ransomware attacks. By keeping the scope narrow, the project could focus on identifying the unique cryptographic behaviors of ransomware, which enables ShieldFS to detect not only known types, but also any new attacks that act in a ransomware-like manner. The group, based out of the Politecnico di Milano in Italy, will present ShieldFS at the Black Hat security conference in Las Vegas on Wednesday.
"The contribution of the research is a set of indicators we have developed that can be used to tell very efficiently if a process is ransomware or if it’s a benign process," says Stefano Zanero, a systems security researcher who worked on the project. By focusing on detecting the encryption itself, rather than simply cataloging specific ransomware types to look for, ShieldFS can preempt previously unseen versions, a valuable trait when even well-known ransomware schemes can turn much more aggressive, seemingly overnight.
The researchers worked with common ransomware types, like CryptoLocker and TeslaCrypt, that attack a system in the typical way—crawling through the directory, and encrypting each file one at a time. And at Black Hat, the group will demonstrate ShieldFS defense against a WannaCry infection, the type of ransomware that spiked in May, causing major disruption.
When ShieldFS detects a suspicious new program, it enters an observation phase to determine whether that program is ransomware. During this time, which the researchers call "shadowing," ShieldFS starts keeping a log of everything the intrusive program does, and every file it accesses. If ShieldFS concludes that the program is malicious, it will block the code from running, and automatically restore everything the ransomware touched using mirrored files from extensive backups. Should ShieldFS have a false positive, the researchers note, the program won't cause collateral damage; it just undoes some processes you attempted to initiate. You can authorize whatever the tool found suspicious and start again.
Through building ShieldFS, the researchers found that traditional ransomware has unique behavioral and cryptographic tells compared to other programs running on a system. "It will always happen that the malware will open a file, replace it precisely in the same position with completely different content, and this content will pass through memory with a fingerprint and certain characteristics that are unavoidable," Zanero says. "No normal program shows these characteristics, so we can very safely identify that program as ransomware."
ShieldFS's biggest limitation is that it only protects against "traditional" ransomware, the kind that crawls a computer's directory and encrypts each file one by one. It doesn't detect variations that focus on locking people out of their systems, an approach where all your files would be intact and accessible if you could just get to them. In that case victims pay a ransom to regain access, not to receive a literal decryption key. For example, ShieldFS wouldn't currently protect against the Petya family of ransomware, a version of which ravaged Ukraine and some other countries at the end of June. The vast majority of ransomware attacks are of the traditional sort that ShieldFS can snipe, but variants have been behind some high-profile outbreaks. Zanero says it would be possible to develop and add detection methods for these other types of ransomware as well.
The tool is also theoretically at risk of introducing the same security concerns inherent to other types of antivirus. The program needs extensive privileges in order to scan all the data and activity on a system, and hackers can abuse that trusted status to do gain data access on a system, or distribute malicious code. The researchers say that they intentionally created ShieldFS to require the minimum amount of system access possible. Only the detection component needs this deep level of trust—the computation and analysis can run like a normal program that has limited system influence.
The researchers say that while ShieldFS can effectively scan for malware at this point, it's still only a research product and not ready for real world implementation. The groups plans to release the code, though, so others can draw inspiration from it for related projects or work on refining it. Eventually, creating ransomware that can evade ShieldFS, or scanners like it, may prove more trouble than it's worth.
Defenses like software patching can minimize a system's risk of being infected with ransomware, and keeping routine backups is a simple general-purpose solution when you do get infected. But the recent rash of high-profile, global ransomware epidemics has shown that these precautions alone aren't enough to eliminate ransomware damage in all cases. That's where a tool like ShieldFS fits in. "We thought," says Zanero, "how can we help make things more resilient instead?"
