ShieldFS, the ransomware radar created at Politecnico di Milano

A group of researchers from the Italian university has created a tool to identify and block a ransomware attack on a computer

Ransomware attacks are bringing individuals and large companies to their knees, and even government agencies, hospitals and telecommunications companies. No one seems able to escape the most feared malware of recent years. Yet an invention from the Politecnico di Milano may change this trend.

The research group at the Italian university, led by Andrea Continella, has created a kind of anti-ransomware radar. It is a tool that automatically detects the malware, almost in real time, and restores the system from previously made backups before the attackers can completely lock the files on the computer. The radar is called ShieldFS, and it is not an antivirus platform, since it only detects ransomware attacks. The most remarkable aspect is that the tool is capable of recognizing any ransomware, even strains that have not been discovered yet.

The Anti-Ransomware Radar

By analyzing programs that exhibit cryptographic behavior, ShieldFS can tell almost instantly whether a computer is under attack by ransomware. This protects users both from entirely new attacks and from updated versions of already known ransomware. To build the tool, the researchers worked with common ransomware families such as CryptoLocker and TeslaCrypt. At Black Hat, the computer security conference, the team also tested ShieldFS against the notorious WannaCry, which has recently drawn public attention back to the topic of ransomware.

How ShieldFS works

When ShieldFS detects a new suspicious program, it enters an observation phase to determine whether it is ransomware. During this phase, which the researchers call "shadowing" (literally, stalking), ShieldFS keeps a log of everything the intrusive program does and which files it accesses. If the tool concludes that the program is malicious, it blocks the code and restores the device. In the case of a false positive, i.e. if ShieldFS blocks a harmless program, there is no collateral damage. During their analyses of various ransomware families, the researchers also found that almost all of them act in the same way: a distinctive behavior that makes the malware easier to detect.
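To make the two ideas above concrete (detection of programs that behave like encryptors, and a "shadowing" phase that keeps originals aside so a flagged process can be rolled back), here is an added toy model in Python. It is not ShieldFS's own code and is not derived from the paper's implementation; it assumes a simplified filesystem held in a dict, a per-process write hook, Shannon entropy as the single indicator of ciphertext-like output, and constructed sample files and thresholds chosen for the demonstration.

```python
import hashlib
import math
from collections import defaultdict


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: plain text is usually well below 6, ciphertext close to 8."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


class ShadowingMonitor:
    """Toy model of a 'shadowing' phase (assumption, not the ShieldFS design itself):
    every writing process is observed, the pre-modification bytes of each file it
    touches are copied aside before the first overwrite, and the process is blocked
    and rolled back once it has replaced enough files with high-entropy content."""

    def __init__(self, disk, entropy_threshold=7.0, min_files=3):
        self.disk = disk                         # in-memory filesystem: path -> bytes
        self.entropy_threshold = entropy_threshold
        self.min_files = min_files
        self.shadow = defaultdict(dict)          # pid -> {path: original bytes}
        self.log = defaultdict(list)             # pid -> [(path, entropy of written data)]
        self.blocked = set()

    def on_write(self, pid, path, data):
        """Intercept a write. Returns 'denied', 'ok' or 'rolled_back'."""
        if pid in self.blocked:
            return "denied"
        # Copy-on-write: keep the original the first time this process touches the file.
        if path not in self.shadow[pid]:
            self.shadow[pid][path] = self.disk.get(path)
        self.disk[path] = data
        self.log[pid].append((path, shannon_entropy(data)))
        if self._looks_like_ransomware(pid):
            self._block_and_restore(pid)
            return "rolled_back"
        return "ok"

    def _looks_like_ransomware(self, pid):
        # Count distinct files this process has overwritten with ciphertext-like bytes.
        high = {p for p, h in self.log[pid] if h >= self.entropy_threshold}
        return len(high) >= self.min_files

    def _block_and_restore(self, pid):
        # Only the offender's own modifications are undone, so a false positive
        # on a benign process does not touch anything it did not write.
        self.blocked.add(pid)
        for path, original in self.shadow[pid].items():
            if original is None:
                self.disk.pop(path, None)        # file did not exist before: remove it
            else:
                self.disk[path] = original


def fake_ciphertext(seed: str, size: int = 2048) -> bytes:
    """Constructed stand-in for encrypted output: a SHA-256 chain, deterministic."""
    out = bytearray()
    block = seed.encode()
    while len(out) < size:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:size])


# Constructed sample filesystem (contents are placeholders, not real documents).
SAMPLE_DISK = {
    "/docs/notes.txt": b"Meeting notes: discuss quarterly budget.\n" * 4,
    "/docs/report.docx": b"Quarterly report, draft 3. Revenue up 4%.\n" * 8,
    "/photos/cat.jpg": b"placeholder bytes standing in for an image\n" * 8,
    "/finance/ledger.xlsx": b"date,account,amount\n2024-01-02,1001,42.00\n" * 8,
    "/home/todo.txt": b"- buy milk\n- renew certificate\n" * 8,
}


def run_demo():
    """A benign editor (pid 100) and a ransomware-like process (pid 200)."""
    disk = dict(SAMPLE_DISK)
    mon = ShadowingMonitor(disk)
    # Benign editor: one file, ordinary low-entropy text.
    mon.on_write(100, "/docs/notes.txt", b"Meeting notes: budget approved.\n" * 4)
    # Ransomware-like process: rewrites documents with ciphertext-looking bytes.
    targets = ["/docs/report.docx", "/photos/cat.jpg",
               "/finance/ledger.xlsx", "/home/todo.txt"]
    statuses = [mon.on_write(200, p, fake_ciphertext(p)) for p in targets]
    return mon, statuses


if __name__ == "__main__":
    monitor, statuses = run_demo()
    print("write outcomes:", statuses)
    print("blocked pids:", monitor.blocked)
    print("restored:", all(monitor.disk[p] == SAMPLE_DISK[p] for p in SAMPLE_DISK
                           if p != "/docs/notes.txt"))
```

With the thresholds above, the third ciphertext-like overwrite triggers the block: the three files already touched are restored from their shadow copies, the fourth write is refused outright, and the editor's legitimate change to `notes.txt` is left alone. A real implementation would run in the kernel or filesystem driver, combine several indicators rather than entropy alone, and have to manage shadow storage carefully; the point of the model is only the shape of observe, copy aside, decide, roll back.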

Limits of ShieldFS

The main limitation of ShieldFS is that it currently only protects against traditional ransomware, that is, the kind that tries to lock a device's files. The radar does not detect the newer types of malware that block the user who has fallen into the trap from accessing the machine at all. In practice it offers no protection against the so-called Petya family of ransomware, the viruses that have brought several companies and public bodies in Ukraine to their knees over the past year. Fortunately, however, the vast majority of attacks still use "classic" ransomware.