ShieldFS can stop and reverse the effects of extortion code

Ransomware (ransomware) is showing signs of explosion worldwide, paying is no longer the most effective option.
Lukitus Guide to preventing extortion malicious code

Named ShieldFS, the new project is the product of 7 researchers from Politecnico di Milano University and is provided with details at the Black Hat USA 2017 security conference.

ShieldFS acts as a COW scanner and encryption operation

According to research reports released this year, ShieldFS has a complex mechanism, designed to detect COW (Copy-On-Write) activities.

COW operation takes place when the application obtains the file, copies, modifies and replaces the original file. Most ransomware variants today rely on the COW mechanism by taking the first file, encrypting its content and replacing it with the original file.

ShieldFS not only detects COW activity but also seeks to use symmetric encryption patterns, commonly used in file encryption.

Once the activity is detected in this form, ShieldFS will check the internal behavior pattern, differentiate normal processes from the infected ransomware.

According to the researchers, ShieldFS is currently equipped with models adapted to 2245 legitimate applications, allowing it to work without causing too many errors that lead to legal blocking.

ShieldFS is used as a file system to recover encrypted files

If ransomware is detected, ShieldFS will tell the operating system to stop the process and use the customized system file to reverse the ransomware behavior.

ShieldFS can stop and reverse the effects of extortion code Picture 1
ShieldFS project is expected to help fight extortion

Technically, this is possible because ShieldFS is packaged as a drop-in driver installed on a virtual system file, designed 'shadowed' on COW operation, to keep a copy of the original file in Short time and allow to restore a certain amount of files.

It can be said that ShieldFS's real-time self-healing system file is like a replacement for Shadow Volume copying, which most variations of ransomware guarantee to be deleted before encrypting the user's file, avoid recovering by specialized data recovery software.

Here's a video of how ShieldFS works. Researchers are still working on this project, saying they intend to officially release in the near future. This is the full report on ShieldFS at Black Hat.https://www.blackhat.com/docs/us-17/wednesday/us-17-Continella-ShieldFS-The-Last-Word-In-Ransomware-Resilient-Filesystems.pdf

Kareem Winters

Update 24 May 2019

You should read it

May be interested

How to handle the emergency WannaCry malicious code from the National Information Security Department
the information security department has issued guidelines for emergency handling of wannacry extortion codes for users as well as organizations and businesses to avoid damage caused by this malicious code. vietnam is currently on the list of 20 countries attacked by this malicious code.
Instructions for creating reverse text
write letters in reverse, overturning words easily if you know the following tips. let's see how to write this reverse text, you can copy it on facebook so your friends will get tired of reading it.
GandCrab blackmail extinguished after earning $ 2.5 billion worldwide
after nearly a year and a half of 'storming', the people behind gandcrab ransomware claimed that the malware stopped working and at the same time urged their malicious 'branches' to stop distributing this extortion code. .
Shade ransomware, the nightmare of 5 years ago is showing signs of returning
shade ransomware - extortion code recorded by kaspersky labs disappeared from the internet five years ago, 2014, showing signs of returning again.
Download the reverse video creation application, Reverse Movie FX is free on the AppStore
reverse movie fx is an application that supports reverse video creation, allowing users to get back-to-back, reverse-play, reverse-action videos, which look like an interesting magic trick.
How to perform Reverse DNS Lookup
what is reverse dns? dns is often used to resolve domain names into ip addresses. this action is performed every time you visit a website on the internet.
GIBON extortion code spread through spam
a new ransomware called gibon, once again malspam (malware spread via email) attaches a malicious file and contains the download macro, installs the malicious code to blackmail the victim's computer.
New generation extortion trojan detection
the new generation of extortion trojans is much more dangerous because of the use of an anonymous tor network and a stronger encryption method.
10 best reverse image search apps for iPhone and Android
search engines make it easy to find information or buy products, but what if you want to identify the images you have? in these cases, reverse image search will come in handy.
What will happen if you stop smoking now?
if you stop smoking, how will your body change? what is the harmful effect of tobacco? why are we so hard to quit smoking? let's read the article about the change of the body when stopping smoking under the line you will partly have answers to these questions.