Defend Against Ransomware with Storage Innovations

Although secure storage systems have been developed for decades, encryption ransomware imposes new challenges and has become one of the biggest cybersecurity threats. It stealthily encrypts user data and demands a ransom to restore it. Recent studies report that ransomware attacks could happen every 11 seconds. These ransomware outbreaks and the global damage they cause show that the current design of storage systems falls short of defending against encryption ransomware.

To defend against ransomware attacks, existing software-based approaches include intrusion detection and data backup. Unfortunately, software-based solutions suffer from four major limitations. First, since software-based solutions are not hardware-isolated from malicious processes, they can be compromised by ransomware. In particular, attackers could obtain OS kernel privilege and terminate software-based backup systems. Second, even if ransomware detection succeeds, some files have already been encrypted by then, and victims still have to pay to get their data back. Third, ransomware can overwrite data backups with encrypted versions. Fourth, software-based solutions usually lack the capability of trusted post-attack analysis, which impedes recovery from an attack.

The systems security community has focused on demystifying ransomware attacks and detecting their footprints. Several defense mechanisms have been proposed and developed. Recently, researchers have also leveraged machine learning techniques to perform ransomware analysis and classification. Although these mechanisms offer effective detection of encryption ransomware, they do not provide a sufficient remedy for the damage that has already been caused. As a result, ransomware still locks up a few files before it is stopped. Given that the encrypted files might be vitally important for business operations, the victims may still have to pay a hefty ransom in order to minimize the damage. In this project, we not only look at ransomware detection, but also concentrate on a solution to offset the damage to user data.

The computer systems community has developed data backup and recovery systems that allow users to restore their data to copies made prior to the encryption. It has also developed log-structured file systems and journaling file systems for maintaining data updates in persistent logs. Beyond these, cloud-based storage systems have been developed. As a defense mechanism against ransomware attacks, however, none of them is sufficient. Since ransomware can run with kernel privilege, the proposed backup systems can be easily disabled or circumvented. In this project, we design and develop a hardware-isolated data recovery mechanism, making it naturally resistant to ransomware attacks launched at both the user and the kernel level.

The storage systems community has investigated optimization techniques for HDD and flash-based storage devices, and their adoption in file systems and upper-level applications such as transactional databases and key-value stores. However, most of this research has focused on storage performance rather than on security. In this project, we propose to develop secure flash-based storage systems with a hardware-assisted approach. The hardware architecture community has mostly focused on developing new and emerging memory and storage technologies. However, most of that work aims at increasing storage capacity and performance; few designs seriously consider security.

To defend against ransomware attacks, we exploited the intrinsic flash properties to detect ransomware attacks and restore victim data (FlashGuard-CCS'17 and TimeSSD-EuroSys'19). We also realized that, as SSDs are widely used, ransomware will evolve and update its attack models. Therefore, we must anticipate and prevent new ransomware attacks (RSSD-ASPLOS'22). In addition, most defenses do not support forensic analysis, which misses opportunities to learn new attack models.
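As an added illustration (not code from FlashGuard, TimeSSD or RSSD), the following toy Python model shows the flash property this paragraph relies on: out-of-place updates leave the superseded page retained inside the device, so the firmware can roll a logical block back to its pre-overwrite version, and a host-level ransomware process, even with kernel privilege, never gets to delete that copy. The `RetentionFTL` class and its entropy-based overwrite alarm are assumptions made for the demo.

```python
import math
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ciphertext approaches 8.0, ordinary documents sit well below."""
    counts = Counter(data)
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts.values())

class RetentionFTL:
    """Toy flash translation layer: every write lands on a fresh physical page and
    the superseded page is invalidated but retained, out of the host's reach."""
    def __init__(self, n_pages: int, entropy_alarm: float = 7.0):
        self.flash = [None] * n_pages   # physical pages: (lba, data, ts) or None
        self.l2p = {}                   # logical block -> current physical page
        self.next_free = 0
        self.entropy_alarm = entropy_alarm
        self.suspicious = []            # (ts, lba) of ciphertext-like overwrites

    def write(self, lba: int, data: bytes, ts: int) -> None:
        if self.next_free >= len(self.flash):
            raise RuntimeError("no free pages: garbage collection would be needed")
        if lba in self.l2p and shannon_entropy(data) >= self.entropy_alarm:
            # Hypothetical device-level footprint: existing data overwritten with high-entropy content.
            self.suspicious.append((ts, lba))
        self.flash[self.next_free] = (lba, data, ts)   # out-of-place update
        self.l2p[lba] = self.next_free
        self.next_free += 1

    def read(self, lba: int) -> bytes:
        return self.flash[self.l2p[lba]][1]

    def rollback(self, lba: int, before_ts: int) -> bool:
        """Re-point the mapping at the newest retained version older than before_ts
        (firmware-only operation: host-level deletes never touch retained pages)."""
        cands = [i for i, p in enumerate(self.flash)
                 if p is not None and p[0] == lba and p[2] < before_ts]
        if not cands:
            return False
        self.l2p[lba] = max(cands, key=lambda i: self.flash[i][2])
        return True

def demo() -> dict:
    """Constructed scenario: document written at ts=1, overwritten by ransomware
    at ts=2 (256 distinct bytes, entropy 8.0), then rolled back to before ts=2."""
    doc = b"quarterly report: revenue up 4% " * 4
    ssd = RetentionFTL(n_pages=8)
    ssd.write(0, doc, ts=1)
    ssd.write(0, bytes(range(256)), ts=2)
    host_saw_ciphertext = ssd.read(0) != doc
    restored = ssd.rollback(0, before_ts=2)
    return {"alarms": len(ssd.suspicious), "host_saw_ciphertext": host_saw_ciphertext,
            "restored": restored, "data_intact": ssd.read(0) == doc}
```

Real firmware must eventually garbage-collect retained pages, so the retention window (and the detection that decides when to freeze it) is where the design effort goes.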

Here is a list of our recent publications: