Researchers unveil firmware-level method for detecting ransomware on SSDs and recovering the data

Promising: A team of researchers has developed a new method to protect SSDs from ransomware. It can detect the ransomware, stop it, and recover the overwritten data within seconds. The cost is a slight increase in SSD latency.

The Register spoke with researchers from Inha University, the Daegu Gyeongbuk Institute of Science and Technology (DGIST), the University of Central Florida (UCF) and the cybersecurity faculty of Ewha Womans University. The system, dubbed SSD-Insider, is reported to be nearly 100% accurate and has been tested against real ransomware samples.

SSD-Insider recognizes patterns in SSD activity that are characteristic of ransomware. "In order to recognize ransomware activity by looking only at the distribution of I/O request headers, we noticed a very unique ransomware behavior – overwriting," reads the team's research paper proposing SSD-Insider. It specifically points to the in-place overwriting behavior of ransomware such as WannaCry, Mole, and CryptoShield.

"When SSD-Insider++ detects ransomware activity, storage I/O is paused," Inha University researcher DaeHun Nyang told The Register. "While suspended, users can uninstall the ransomware."

After the ransomware is stopped, SSD-Insider can recover the affected files thanks to the way SSDs handle overwrites. "SSDs always keep old versions of data that have been overwritten with new data until they are permanently deleted [by the garbage collector]," the paper notes. "SSD-Insider uses this built-in backup capability of the SSD. SSD-Insider keeps track of old versions of data on the solid-state drive and never deletes them until the ransomware detection algorithm confirms that the new versions are not affected by ransomware."
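To make the two mechanisms above concrete, here is an added example (written for this article, not SSD-Insider's firmware or the paper's actual detector) of a toy flash translation layer: every write goes to a fresh physical page, the page an overwrite supersedes is retained until garbage collection, a sliding-window overwrite ratio stands in for the paper's I/O-header-distribution detector, I/O is paused when the ratio trips a threshold, and rollback restores the retained pages. The class name, the window size of 16, the 0.6 threshold and the workload are all assumptions chosen for illustration.

```python
from collections import deque


class ToySSD:
    """Out-of-place-update flash model with an overwrite-ratio ransomware detector.

    Hypothetical model written for this article, not the SSD-Insider firmware.
    Every write goes to a fresh physical page; the page an overwrite supersedes
    is kept in `history` until garbage collection, which only runs while the
    detector is not tripped. That retained copy is what rollback restores.
    """

    def __init__(self, window=16, overwrite_threshold=0.6):
        self.l2p = {}                       # logical block -> live physical page
        self.pages = {}                     # physical page -> bytes
        self.history = {}                   # logical block -> superseded pages, oldest first
        self.reclaimable = []               # pages discarded by rollback, freed at next GC
        self.next_page = 0
        self.window = deque(maxlen=window)  # last N writes: True if the write was an overwrite
        self.threshold = overwrite_threshold
        self.paused = False

    def _check_paused(self):
        if self.paused:
            raise IOError("storage I/O paused: ransomware-like overwrite burst detected")

    def overwrite_ratio(self):
        return sum(self.window) / len(self.window) if self.window else 0.0

    def read(self, lba):
        self._check_paused()
        page = self.l2p.get(lba)
        return None if page is None else self.pages[page]

    def write(self, lba, data):
        self._check_paused()
        is_overwrite = lba in self.l2p
        if is_overwrite:
            self.history.setdefault(lba, []).append(self.l2p[lba])
        page, self.next_page = self.next_page, self.next_page + 1
        self.pages[page] = bytes(data)
        self.l2p[lba] = page
        self.window.append(is_overwrite)
        # Detector: a window that is mostly overwrites looks like in-place encryption.
        if len(self.window) == self.window.maxlen and self.overwrite_ratio() >= self.threshold:
            self.paused = True
        return page

    def rollback_last(self, lba):
        """Point `lba` back at the version it had before its most recent overwrite."""
        old_pages = self.history.get(lba)
        if not old_pages:
            raise KeyError(f"no retained version for LBA {lba}")
        self.reclaimable.append(self.l2p[lba])   # the suspect page becomes garbage
        self.l2p[lba] = old_pages.pop()
        if not old_pages:
            del self.history[lba]
        return self.l2p[lba]

    def resume(self):
        self.paused = False

    def garbage_collect(self):
        """Erase superseded pages. Refuses to run while paused so rollback stays possible."""
        if self.paused:
            return 0
        victims = self.reclaimable + [p for old in self.history.values() for p in old]
        for page in victims:
            del self.pages[page]
        self.reclaimable.clear()
        self.history.clear()
        return len(victims)


def simulate():
    """Benign edits, then an in-place encryption burst, then rollback. Constructed workload."""
    ssd = ToySSD(window=16, overwrite_threshold=0.6)
    original = {lba: f"doc{lba}".encode() for lba in range(20)}
    for lba, data in original.items():          # 20 fresh writes, no overwrites
        ssd.write(lba, data)
    expected = dict(original)
    for lba in (1, 5, 9):                       # a few ordinary edits (overwrites)
        expected[lba] = original[lba] + b" v2"
        ssd.write(lba, expected[lba])
    paused_after_benign = ssd.paused            # 3 of the last 16 writes were overwrites

    hit = []                                    # ransomware: overwrite every file in place
    for lba in range(20):
        try:
            ssd.write(lba, b"ENCRYPTED")
            hit.append(lba)
        except IOError:
            break
    paused_after_attack = ssd.paused
    freed_while_paused = ssd.garbage_collect()  # GC must not erase the old versions now

    for lba in hit:                             # user removes the malware, firmware rolls back
        ssd.rollback_last(lba)
    ssd.resume()
    recovered = all(ssd.read(lba) == expected[lba] for lba in range(20))
    freed_after_resume = ssd.garbage_collect()
    return {
        "paused_after_benign": paused_after_benign,
        "blocks_hit": len(hit),
        "paused_after_attack": paused_after_attack,
        "freed_while_paused": freed_while_paused,
        "recovered": recovered,
        "freed_after_resume": freed_after_resume,
    }


if __name__ == "__main__":
    print(simulate())
```

In this run the burst is caught after seven files have been overwritten, and all seven come back because their previous pages were never erased. Two things the toy makes visible: the detector cannot stop the first few overwrites, so recovery, not prevention, is what protects the data; and any benign workload that is mostly overwrites (a database checkpoint, a secure-wipe tool) would trip the same threshold, which is exactly the false-acceptance case the paper reports below.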

What sets SSD-Insider apart is that it runs inside the drive's firmware rather than on the host. The team designed it to protect users who do not install anti-ransomware software on their systems.

The paper also points to weaknesses of host-based software defenses, such as the ability of some ransomware to disable or evade antivirus software. SSD-Insider also uses less host CPU time than anti-ransomware software. The paper's abstract puts its latency overhead at only 147 to 254 nanoseconds.

When tested with WannaCry and other ransomware, SSD-Insider never missed ransomware activity and rarely raised false alarms. In all scenarios tested, the false rejection rate (FRR, ransomware activity that goes undetected) was zero percent, and the false acceptance rate (FAR, benign activity flagged as ransomware) was nearly zero. "We report that the worst background noise in terms of FRR came from I/O and CPU intensive tasks," the researchers write. "For FAR, the worst-case scenario came mainly from heavy rewrite types such as DataWiping and Database applications."

An antivirus researcher told The Register that a method like SSD-Insider cannot be relied on by itself. "This feature takes advantage of uninstall delay, which means that ransomware developers can and will bypass this feature knowing how this antidote works," said Jake Moore of ESET UK. Either way, users should keep backups of their data.
