Italian researchers from Politecnico di Milano unveiled a new tool in the fight against cybercrime at Black Hat 2017. ShieldFS, a Windows add-on and custom filesystem, can detect and stop a ransomware infection while preserving files in their unencrypted state.
Andrea Continella and Federico Maggi presented their new tool after 18 months of extensive research. The computer scientists bombarded computers with a variety of ransomware strains, including WannaCry, TeslaCrypt, CryptoWall, CryptoLocker, and others.
In 97 percent of scenarios, ShieldFS detected the malware and saved the files.
An add-on with a high success rate combined with traditional antivirus software could greatly reduce the number of ransomware incidents. Of course, ransomware developers will look for ways to work around the tool if its use becomes widespread. Similarly, the makers of ShieldFS will have to continually update their add-on to detect ransomware activity accurately.
The researchers “taught” their new filesystem how ransomware works by infecting computers with 383 samples from five major ransomware families. Once ShieldFS learned the behaviors of ransomware, it could detect and block the malware while preserving the original unencrypted files.
“It monitors and then performs copy-on-write on the first write; files are modified just the first time,” Continella said. “When the ShieldFS detector collects information to detect if something is malware or not, it can transparently and automatically recover and restore the original copies. If it’s benign, the clean, old copies are presented.”
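As an added illustration (not ShieldFS code and not from the researchers), the sketch below models in user space the copy-on-write-on-first-write and rollback idea described in the quote above. The `ShadowStore` class, the PID and the file names are constructed; the verdict is passed in by the caller rather than produced by a detector, and discarding the saved copies on a benign verdict is an assumption.

```python
import itertools, os, shutil, tempfile
from pathlib import Path

class ShadowStore:
    """Toy user-space model (hypothetical): shadow a file on a process's first write."""
    def __init__(self, shadow_dir):
        self.shadow_dir = shadow_dir
        self.saved = {}                  # (pid, path) -> shadow path, None if file was new
        self.ids = itertools.count()     # unique suffix for shadow file names

    def write(self, pid, path, data):
        key = (pid, path)
        if key not in self.saved:        # copy the original only before the first write
            shadow = None
            if os.path.exists(path):
                shadow = os.path.join(self.shadow_dir, f"{pid}_{next(self.ids)}")
                shutil.copy2(path, shadow)
            self.saved[key] = shadow
        Path(path).write_bytes(data)

    def verdict(self, pid, malicious):
        # Roll back every file pid wrote if malicious; drop its shadows either way.
        restored = []
        for key in [k for k in self.saved if k[0] == pid]:
            path, shadow = key[1], self.saved.pop(key)
            if malicious:
                if shadow is not None:
                    shutil.copy2(shadow, path)      # put the original back
                elif os.path.exists(path):
                    os.remove(path)                 # file the process created
                restored.append(path)
            if shadow is not None:
                os.remove(shadow)                   # assumption: benign -> discard copy
        return restored

def demo():
    root = tempfile.mkdtemp()                       # constructed sample data
    shadow_dir = tempfile.mkdtemp(dir=root)
    doc, note = os.path.join(root, "report.txt"), os.path.join(root, "NOTE.txt")
    Path(doc).write_bytes(b"quarterly numbers")
    store = ShadowStore(shadow_dir)
    store.write(4242, doc, b"\x9c\x01 partially overwritten")
    store.write(4242, doc, b"\x9c\x01 fully overwritten")   # no second shadow copy
    store.write(4242, note, b"constructed note")
    restored = store.verdict(4242, malicious=True)
    state = (Path(doc).read_bytes(), os.path.exists(note), len(restored), os.listdir(shadow_dir))
    shutil.rmtree(root)
    return state

if __name__ == "__main__":
    print(demo())
```

Because the copy is taken only before the first write, later overwrites by the same process cost no extra storage, and the rollback returns the file to its state before that process touched it.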
The researchers say that ShieldFS complements routine backups, which are still the best countermeasure against ransomware.
Computer users and businesses would welcome a 97-percent effective tool against ransomware. But there’s still no replacement for backing up your files and keeping those backups separate from your machine to ensure they remain usable. As always, keeping software updated is crucial to preventing attacks that rely on exploits.
There is no official release date for ShieldFS. However, the heavy interest it has attracted shows that there is a market for ransomware protection beyond traditional antivirus software. Whether the add-on can protect against ransomware in the wild remains to be seen.
If security software can take a bite out of ransomware’s profitability, hackers may abandon it for more lucrative work. This could reduce the number of attacks, which would be a welcome change of pace. Until that time, computer users should continue taking precautions against attacks.