Forward-looking: A team of researchers has devised a new method for protecting SSDs from ransomware attacks. It can detect ransomware, stop it in its tracks, and even recover stolen data in a matter of seconds. The cost should only be a minor increase in the SSD's latency.

The Register spoke with the researchers, who come from Inha University, the Daegu Gyeongbuk Institute of Science & Technology (DGIST), the University of Central Florida (UCF), and the Cyber Security Department at Ewha Womans University (EWU). The system, called SSD-Insider, is supposedly about 100 percent accurate and has been tested on real-world ransomware.

SSD-Insider works by recognizing certain patterns in SSD activity that are known to signal ransomware. "To recognize ransomware activity by viewing merely the distribution of IO request headers, we have paid attention to a ransomware's very unique behavior, overwriting," reads the team's research paper proposing SSD-Insider. It specifically points out the behavior of ransomware like WannaCry, Mole, and CryptoShield.

"When ransomware action is detected by SSD-Insider++, input/output to the storage is suspended," Inha researcher DaeHun Nyang told The Register. "During the suspension, users can remove the ransomware process."

After the ransomware is stopped, SSD-Insider can recover lost files due to the unique properties of SSDs. "SSDs always keep old versions of data that were overwritten by new information until they are permanently erased by [Garbage Collector]," the paper mentions. "SSD-Insider takes advantage of the built-in backup capability of SSDs. SSD-Insider keeps track of old versions of information within SSDs and never removes them until the ransomware detection algorithm confirms that the new versions are not afflicted by ransomwares."
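The detect, suspend and recover flow described above can be modeled in a few lines. This is an added sketch, not the researchers' firmware or their detection algorithm: the `ToySSD` class, its method names, the one-second window and the four-overwrite threshold are all assumptions chosen for illustration, and the IO trace is constructed.

```python
from collections import defaultdict, deque

class ToySSD:
    """Toy model: overwrite-rate detection with retained old versions."""
    def __init__(self, window=1.0, threshold=4):   # both values are assumptions
        self.window, self.threshold = window, threshold
        self.current = {}                    # LBA -> live data
        self.retained = defaultdict(list)    # LBA -> [(time, old data)], held back from GC
        self.recent = deque()                # timestamps of recent overwrites
        self.suspended = False

    def write(self, t, lba, data):
        if self.suspended:
            return False                     # IO to the storage is suspended
        if lba in self.current:              # header-only signal: LBA already holds data
            self.retained[lba].append((t, self.current[lba]))
            self.recent.append(t)
            while self.recent[0] <= t - self.window:
                self.recent.popleft()        # forget overwrites outside the window
        self.current[lba] = data
        if len(self.recent) >= self.threshold:
            self.suspended = True            # burst of overwrites: stop accepting IO
        return True

    def rollback(self, since):
        """Restore each LBA to the version that was live just before `since`."""
        for lba, versions in self.retained.items():
            for t, old in versions:
                if t >= since:
                    self.current[lba] = old
                    break
        self.retained.clear()
        self.recent.clear()
        self.suspended = False

    def confirm_clean(self, before):
        """No ransomware found: versions displaced before `before` may be reclaimed."""
        for lba in self.retained:
            self.retained[lba] = [v for v in self.retained[lba] if v[0] >= before]

def demo():
    ssd = ToySSD()
    for lba in range(8):                     # constructed trace: first-time writes
        ssd.write(lba * 10.0, lba, f"doc{lba}")
    ssd.write(100.0, 0, "doc0-edit")         # one benign overwrite, below threshold
    accepted = [ssd.write(200.0 + i * 0.1, i, "ENCRYPTED") for i in range(8)]
    ssd.rollback(since=200.0)                # undo everything the burst overwrote
    return accepted, ssd
```

In the constructed trace the fourth overwrite inside the window trips the suspension, the remaining writes are refused, and the rollback restores the four blocks that were already overwritten, including the benign edit made earlier.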

What's truly unique about SSD-Insider is that it works at the firmware level. The team designed SSD-Insider this way to help users who don't keep anti-ransomware software installed on their systems.

The paper also mentions the weaknesses of traditional software methods, like the ability of some ransomware to work against anti-virus software. SSD-Insider is also designed to have less CPU overhead than anti-ransomware software. The paper's abstract says SSD-Insider's software overhead is only around 147 to 254 nanoseconds.

In testing with WannaCry and other ransomware, SSD-Insider never missed any ransomware activity, and rarely detected false positives. In all tested scenarios, the False Rejection Rate (FRR) was zero percent. The False Acceptance Rate (FAR) was nearly zero. "We report that the worst background noise in terms of FRR came from IO-intensive and CPU-intensive jobs," the researchers write. "In terms of FAR, the worst scenario came by and large from heavy overwriting type, such as DataWiping and Database applications."

An antivirus researcher told The Register a method like SSD-Insider isn't foolproof. "The function leverages a delay in deletion which means that ransomware developers would and could still bypass this feature with the knowledge of how this antidote operates," said ESET UK's Jake Moore. In any case, users should still keep their data backed up.