A new project called “ShieldFS” can stop Ransomware attacks


Italian security researchers at NECSTLab have developed a new project called “ShieldFS”, a Windows drop-in driver and custom filesystem that can detect and recognize the signs of a ransomware attack, stop the malicious activity, and return any encrypted files to their original state.

According to NECST:
“ShieldFS is an innovative solution to fight ransomware attacks. It automatically creates detection models that distinguish ransomware from benign processes at runtime on the base of the filesystem activity.”

It is a sophisticated mechanism built to detect Copy-On-Write (COW) behaviour. A COW process occurs when an application opens a file, copies it, makes changes to the copy, and then replaces the original file with it. Most ransomware families rely on this “COW” pattern: they take the original file, encrypt its content, and replace the original with the encrypted result.

The project also looks for the use of symmetric cryptographic primitives, which are typically used in the file encryption process. Once ShieldFS identifies an event that matches these rules, it consults internal behavioral models that distinguish benign processes from malicious ransomware.
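To make the behaviour described above concrete, the following is an added toy example written for this article; it is not ShieldFS's own code. It models a filesystem filter in memory: every process's reads, writes and renames are recorded as features, a copy-on-write shadow of each file is kept before a process first modifies it, a hand-picked threshold rule stands in for ShieldFS's learned behavioral models, and a flagged process's changes are rolled back. The thresholds, feature set, file names, process ids and the pseudo-random stand-in for ciphertext are all constructed assumptions.

```python
import hashlib
import math
from collections import defaultdict

# Hypothetical thresholds (not ShieldFS's trained model): flag a process once it has written
# many distinct files of several types and most of those writes look like ciphertext.
HIGH_ENTROPY_BITS = 7.0      # documents sit far below 7 bits/byte; ciphertext is close to 8
MIN_FILES, MIN_EXTENSIONS, MIN_HIGH_ENTROPY_RATIO = 4, 2, 0.75

def shannon_entropy(data: bytes) -> float:
    """Bits per byte of data; 8.0 means every byte value is equally likely."""
    if not data:
        return 0.0
    n, counts = len(data), [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

class ShadowFS:
    """In-memory stand-in for a filter driver: per-process I/O features plus copy-on-write shadows."""

    def __init__(self, files):
        self.files = dict(files)          # path -> current content
        self.shadow = defaultdict(dict)   # pid -> {path: content before first write; None = absent}
        self.ops = defaultdict(list)      # pid -> ordered operation log, replayed backwards on rollback
        self.stats = defaultdict(lambda: {"reads": 0, "writes": 0, "high": 0, "paths": set(), "exts": set()})

    def read(self, pid, path):
        self.stats[pid]["reads"] += 1
        return self.files[path]

    def write(self, pid, path, data):
        if path not in self.shadow[pid]:
            self.shadow[pid][path] = self.files.get(path)   # copy-on-write snapshot
        self.files[path] = data
        st = self.stats[pid]
        st["writes"] += 1
        st["paths"].add(path)
        st["exts"].add(path.rsplit(".", 1)[-1] if "." in path else "")
        if shannon_entropy(data) >= HIGH_ENTROPY_BITS:
            st["high"] += 1
        self.ops[pid].append(("write", path))

    def rename(self, pid, src, dst):
        self.files[dst] = self.files.pop(src)
        if src in self.shadow[pid]:
            self.shadow[pid][dst] = self.shadow[pid].pop(src)
        self.ops[pid].append(("rename", src, dst))

    def looks_like_ransomware(self, pid) -> bool:
        st = self.stats[pid]
        return (st["writes"] > 0
                and len(st["paths"]) >= MIN_FILES
                and len(st["exts"]) >= MIN_EXTENSIONS
                and st["high"] / st["writes"] >= MIN_HIGH_ENTROPY_RATIO)

    def rollback(self, pid):
        # Undo the process's operations in reverse order, restoring the shadowed originals.
        for op in reversed(self.ops[pid]):
            if op[0] == "rename":
                _, src, dst = op
                self.files[src] = self.files.pop(dst)
                if dst in self.shadow[pid]:
                    self.shadow[pid][src] = self.shadow[pid].pop(dst)
            else:
                original = self.shadow[pid].get(op[1])
                if original is None:
                    self.files.pop(op[1], None)   # the process created this file (e.g. a ransom note)
                else:
                    self.files[op[1]] = original
        self.ops[pid].clear()

def fake_ciphertext(seed: bytes, length: int = 4096) -> bytes:
    """Deterministic high-entropy bytes standing in for encrypted output (constructed, no real cipher)."""
    return b"".join(hashlib.sha256(seed + i.to_bytes(4, "big")).digest() for i in range(length // 32))

# Constructed sample files and process ids.
ORIGINALS = {
    "docs/report.docx": b"Quarterly report: revenue grew and costs fell. " * 40,
    "docs/notes.txt": b"todo: renew certificates, rotate backup keys\n" * 20,
    "docs/sales.csv": b"region,units,price\nnorth,120,9.99\nsouth,80,12.50\n" * 30,
    "docs/budget.xlsx": b"budget sheet placeholder content " * 30,
}
EDITOR_PID, SUSPECT_PID = 100, 200

def demo():
    fs = ShadowFS(ORIGINALS)
    # A benign editor: one low-entropy append to a single file.
    fs.read(EDITOR_PID, "docs/notes.txt")
    fs.write(EDITOR_PID, "docs/notes.txt", ORIGINALS["docs/notes.txt"] + b"- buy milk\n")
    # The pattern the article describes: read each file, overwrite it with ciphertext, replace it.
    for path in list(ORIGINALS):
        fs.read(SUSPECT_PID, path)
        fs.write(SUSPECT_PID, path, fake_ciphertext(path.encode()))
        fs.rename(SUSPECT_PID, path, path + ".locked")
    fs.write(SUSPECT_PID, "docs/README_RESTORE.txt", b"[constructed ransom-note placeholder]")
    verdicts = {pid: fs.looks_like_ransomware(pid) for pid in (EDITOR_PID, SUSPECT_PID)}
    if verdicts[SUSPECT_PID]:
        fs.rollback(SUSPECT_PID)   # restore what the flagged process changed
    return verdicts, fs.files
```

Running `demo()` flags only the second process and restores the four documents, keeping the editor's legitimate change because shadows are taken per process at the moment that process first writes. A real filter driver would also have to handle shadow storage limits, files touched by several processes, and the many benign programs (archivers, backup tools) that legitimately write high-entropy data, which is exactly why ShieldFS learns its models from traces rather than using fixed thresholds like these.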

“ShieldFS looks for indicators of the use of cryptographic primitives. In particular, ShieldFS scans the memory of any process considered as potentially malicious, searching for traces of the typical block cipher key schedules.”
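The key-schedule search the quote refers to can be illustrated with AES-128, whose expanded key occupies 176 contiguous bytes (11 round keys) in a process's memory. Because each round key is derived deterministically from the previous one, a scanner can test every offset in a memory buffer: take 16 bytes as a candidate key and check whether the bytes that follow are its schedule. The code below is an added example for this article, not ShieldFS's code; the "process memory" it scans is a constructed buffer of pseudo-random filler with the schedule of the AES-128 test key from FIPS-197 Appendix A planted at an assumed offset. The same idea underlies memory-forensics key recovery tools.

```python
import hashlib

def _gmul(a: int, b: int) -> int:
    """Multiply in GF(2^8) with the AES reduction polynomial x^8 + x^4 + x^3 + x + 1."""
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p

def _build_sbox() -> list:
    """AES S-box computed from its definition: multiplicative inverse, then the affine map."""
    sbox = [0] * 256
    for x in range(256):
        inv = next((y for y in range(1, 256) if _gmul(x, y) == 1), 0) if x else 0
        s = inv
        for i in range(1, 5):
            s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
        sbox[x] = s ^ 0x63
    return sbox

SBOX = _build_sbox()
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]

def next_round_key(prev: bytes, rcon: int) -> bytes:
    """One step of the AES-128 key schedule: derive round key i+1 from round key i."""
    w = [prev[i:i + 4] for i in range(0, 16, 4)]
    t = bytes(SBOX[b] for b in w[3][1:] + w[3][:1])   # RotWord followed by SubWord
    t = bytes([t[0] ^ rcon]) + t[1:]                    # xor the round constant into the first byte
    out = []
    for i in range(4):
        t = bytes(a ^ b for a, b in zip(w[i], t))
        out.append(t)
    return b"".join(out)

def expand_key_128(key: bytes) -> bytes:
    """Full 176-byte AES-128 key schedule (11 round keys), the form that sits in memory."""
    rks = [key]
    for r in range(10):
        rks.append(next_round_key(rks[-1], RCON[r]))
    return b"".join(rks)

def find_aes128_key_schedules(mem: bytes) -> list:
    """Return (offset, key) for every position where 176 bytes form a valid AES-128 schedule.
    A candidate is dropped at the first round key that does not match, so the scan stays cheap."""
    hits = []
    for off in range(len(mem) - 176 + 1):
        rk = mem[off:off + 16]
        pos = off + 16
        for r in range(10):
            rk = next_round_key(rk, RCON[r])
            if mem[pos:pos + 16] != rk:
                break
            pos += 16
        else:
            hits.append((off, mem[off:off + 16]))
    return hits

# Constructed "process memory": deterministic pseudo-random filler with one expanded key planted in it.
FIPS_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")   # AES-128 test key, FIPS-197 Appendix A
PLANT_OFFSET = 700   # assumed location of the schedule inside the sample buffer

def build_sample_memory(size: int = 2048) -> bytes:
    filler = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(size // 32))
    schedule = expand_key_128(FIPS_KEY)
    return filler[:PLANT_OFFSET] + schedule + filler[PLANT_OFFSET + len(schedule):]

def scan_sample() -> list:
    return find_aes128_key_schedules(build_sample_memory())
```

`scan_sample()` returns a single hit at offset 700 carrying the planted key. A false positive on random data requires 160 bytes to match by chance, so the check is effectively exact; the practical limits of this approach are that the schedule must be resident and uncorrupted at scan time, and that a separate expansion routine is needed for each cipher and key size one wants to recognize (AES-256, for instance, has a 240-byte schedule).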


Eslam Medhat

is a professional pen-tester with over 9 years of IT experience bringing a strong background in programming languages and application security, ranging from network and system administration to exploit research and development. He reported various vulnerabilities for high profile companies and vendors and was successfully acknowledged by them.
