Technically, this is possible because ShieldFS is packaged as a drop-in driver installed on a virtual system file, designed 'shadowed' on COW operation, to keep a copy of the original file in Short time and allow to restore a certain amount of files.
It can be said that ShieldFS's real-time self-healing system file is like a replacement for Shadow Volume copying, which most variations of ransomware guarantee to be deleted before encrypting the user's file, avoid recovering by specialized data recovery software.
Here's a video of how ShieldFS works. Researchers are still working on this project, saying they intend to officially release in the near future. This is the full report on ShieldFS at Black Hat.https://www.blackhat.com/docs/us-17/wednesday/us-17-Continella-ShieldFS-The-Last-Word-In-Ransomware-Resilient-Filesystems.pdf