Researchers unveil ransomware detection and recovery method for SSDs

Daniel Sims

Posts: 1,320   +43
Staff
Forward-looking: A team of researchers have devised a new method for protecting SSDs from ransomware attacks. It can detect ransomware, stop it in its tracks, and even recover stolen data in a matter of seconds. The cost should only be a minor increase in the SSD's latency.

The Register spoke with the researchers, who come from Inha University, the Daegu Gyeongbuk Institute of Science & Technology (DGIST), the University of Central Florida (UCF), and the Cyber Security Department at Ewha Womans University (EWU). The system, called SSD-Insider, is supposedly almost 100 percent accurate and has been tested on real-world ransomware.

SSD-Insider works by recognizing certain patters in SSD activity that are known to indicate ransomware. "To recognize ransomware activity by viewing only the distribution of IO request headers, we have paid attention to a ransomware’s very unique behavior, overwriting," reads the team's research paper proposing SSD-Insider. It specifically points out the behavior of ransomware like WannaCry, Mole, and CryptoShield.

"When ransomware activity is detected by SSD-Insider++, input/output to the storage is suspended," Inha researcher DaeHun Nyang told The Register. "During the suspension, users can remove the ransomware process."

After the ransomware is stopped, SSD-Insider can recover lost files due to the unique properties of SSDs. "SSDs always keep old versions of data that were overwritten by new data until they are permanently erased by [Garbage Collector]," the paper mentions. "SSD-Insider takes advantage of the built-in backup capability of SSDs. SSD-Insider keeps track of old versions of data inside SSDs and never removes them until the ransomware detection algorithm confirms that the new versions are not affected by ransomwares."

What's truly unique about SSD-Insider is that it works at the firmware level. The team designed SSD-Insider this way to help users who don't keep anti-ransomware software installed on their systems.

The paper also mentions the weaknesses of traditional software methods, like the ability of some ransomware to work against anti-virus software. SSD-Insider is also designed to have less CPU overhead than anti-ransomware software. The paper's abstract says SSD-Insider's software overhead is only around 147 to 254 nanoseconds.

In testing with WannaCry and other ransomware, SSD-Insider never missed any ransomware activity, and rarely detected false positives. In all tested scenarios, the False Rejection Rate (FRR) was zero percent. The False Acceptance Rate (FAR) was nearly zero. "We report that the worst background noise in terms of FRR came from IO-intensive and CPU-intensive jobs" the researchers write. "In terms of FAR, the worst scenario came mostly from heavy overwriting type, such as DataWiping and Database applications."

An antivirus researcher told The Register a method like SSD-Insider isn't foolproof. "The function leverages a delay in deletion which means that ransomware developers would and could still bypass this feature with the knowledge of how this antidote operates," said ESET UK's Jake Moore. In any case, users should still keep their data backed up.

Permalink to story.

 
" An antivirus researcher told The Register a method like SSD-Insider isn't foolproof. "
----------------------------------------------------------------------------------------------------------------

Mine is foolproof and has prevented all ransomware since 2014 (including wannacry)

AND, I'm still using it to run Windows XP online without a single ransomware or malware problem for more than 7 years straight

Let me know when your system is available and 100% effective and .....well.....I still won't care

I'm already there, doing what you claim you "might" be able to do sometime in the distant future
 
" An antivirus researcher told The Register a method like SSD-Insider isn't foolproof. "
----------------------------------------------------------------------------------------------------------------

Mine is foolproof and has prevented all ransomware since 2014 (including wannacry)

AND, I'm still using it to run Windows XP online without a single ransomware or malware problem for more than 7 years straight

Let me know when your system is available and 100% effective and .....well.....I still won't care

I'm already there, doing what you claim you "might" be able to do sometime in the distant future


I'm sure some user here have even more foolproof systems - off line backups , off site backups.
PI holes or whatever they are . Rarely run in admin - control scripts in broswers , don't click on things etc , use Linux /MS Dos etc etc .
Most of us are not low hanging fruit .- However we all know that if we were targeted by State agents your fancy XP or whatever will not help you - you like me are boring as hell . Plus maybe the hack your ISP , your modem/router .
I can accept your main point fairly invulnerable to ransomware . I imagine targeting legacy XP systems is going for known products used by specific companies - eg legacy purchase/inventory system - The top hackers probably even know which companies are using it- as they have hacked the maker
 
Back