ShieldFS: The Last Word in Ransomware Resilient File Systems

Presented at Black Hat USA 2017, July 26, 2017, 2:40 p.m. (50 minutes)

Preventive and reactive security measures can only partially mitigate the damage caused by modern ransomware attacks. The remarkable amount of illicit profit and the cybercriminals' increasing interest in ransomware schemes demonstrate that current defense solutions are failing, and a large number of users are actually paying the ransoms. In fact, pure-detection approaches (e.g., based on analysis sandboxes or pipelines) are not sufficient, because, when luck allows a sample to be isolated and analyzed, it is already too late for several users! Moreover, modern ransomware implements several techniques to prevent detection by common AV. Similarly, for performance reasons, backups leave a small-but-important window of recent files unprotected.

We believe that a forward-looking solution is to equip modern operating systems with generic, practical self-healing capabilities against this serious threat.

In this talk, we will present ShieldFS, a drop-in driver that makes the Windows native filesystem immune to ransomware attacks, even when detection fails ShieldFS dynamically toggles a protection layer that acts as a copy-on-write mechanism whenever its detection component reveals suspicious activity. For this, ShieldFS monitors the filesystem's internals to update a set of adaptive models that profile the system activity over time. This detection is based on a study of the filesystem activity of over 2,245 applications, and takes into account the entropy of write operations, frequency of read, write, and folder-listing operations, fraction of files renamed, and the file-type usage statistics. Additionally, ShieldFS monitors the memory pages of each "potentially malicious" process, searching for traces of the typical block cipher key schedules.

We will show how ShieldFS can shadow the write operations. Whenever one or more processes violate our detection component, their operations are deemed malicious and the side effects on the filesystem are transparently rolled back.

Last, we will demo how effective ShieldFS is against samples from state of the art ransomware families, showing that it is able to detect the malicious activity at runtime and transparently recover all the original files.


  • Alessandro Barenghi - Assistant professor, Politecnico di Milano
    Alessandro Barenghi received his B.Sc. in Computer engineering in 2004 at Politecnico di Milano and subsequently in 2007 he obtained his M.Sc. Degree from the same university working on the realization of a instruction level parallel hardware accelerator for Identity Based Encryption cryptographic primitives. In 2011 he obtained the Ph.D. title from Politecnico di Milano, with the thesis "Developments in Side Channel Attacks to Digital Cryptographic Devices: Differential Power and Fault Analysis". The main area of interest for his researches is computer, embedded and network security. In particular, the activity carried out during his doctoral program focused on applied aspects of cryptography. In addition to his interests in computer security, he is also working in the field of formal languages and compilers: his current interest regards techniques for parallel parsing, employing operator precedence grammars.
  • Stefano Zanero - Associate Professor, Politecnico di Milano
    Stefano Zanero received a PhD in Computer Engineering from Politecnico di Milano, where he is currently an associate professor with the Dipartimento di Elettronica, Informazione e Bioingegneria. His research focuses on malware analysis, cyberphysical security, and cybersecurity in general. Besides teaching "Computer Security" and "Computer Forensics" at Politecnico, he has an extensive speaking and training experience in Italy and abroad. He co-authored over 70 scientific papers and books. He is a Senior Member of the IEEE (for which he sits on the MGA board), the IEEE Computer Society (for which he is a member of the Board of Governors), and a lifetime senior member of the ACM. Stefano co-founded the Italian chapter of ISSA (Information System Security Association). He has been named a Fellow of ISSA and sits in its International Board of Directors. Stefano is also a co-founder and chairman of Secure Network, a leading information security consulting firm based in Milan and in London; a co-founder of 18Months, a cloud-based ticketing solutions provider; and a co-founder of BankSealer, a startup in the FinTech sector that addresses fraud detection through machine learning techniques.
  • Giovanni Zingaro - Master Student, Politecnico di Milano
    Giovanni Zingaro received a M.Sc. in Computer Engineering from Politecnico di Milano, where he graduated cum laude with a thesis on ransomware detection. He has a fiery passion for computer science, especially for security topics. Giovanni is currently working in the Security Business Unit of Blue Reply.
  • Federico Maggi - Senior Threat Researcher, Trend Micro, Inc.
    Federico Maggi is a Senior Threat Researcher with Trend Micro's Forward-Looking Threat Research (FTR) team, an elite team of researchers fighting against cyber criminals and scouting the future of the Internet to predict the future evolutions of cybercrime. His research interests, mainly developed during his MSc and PhD, revolve around various topics under the "cyber security" and "cyber crime" umbrella terms, such as threat analysis and intelligence, malware analysis, mobile security, fraud analysis and detection, web- and social-network security and data visualization. Before joining Trend Micro, Federico was an Assistant Professor at Dipartimento di Elettronica, Informazione e Bioingegneria (DEIB), Politecnico di Milano in Italy. Federico has given several lectures and talks as an invited speaker at international venues and research schools. He also serves in the review or organizing committees of well-known conferences.
  • Andrea Continella - PhD Student, Politecnico di Milano
    Andrea Continella is a PhD student in Computer Science and Engineering at Dipartimento di Elettronica, Informazione e Bioingegneria (DEIB), Politecnico di Milano in Italy, working at the NECST Laboratory. His research activity is mainly focused on computer security and in particular on malware analysis. Andrea has been working on analysis and defense mechanisms against advanced malware, including for example the current generation of trojan horses, or the infamous ransomware families.
  • Alessandro Guagnelli - Master Student, Politecnico di Milano
    Alessandro Guagnelli received a M.Sc. in Computer Engineering from Politecnico di Milano, where he graduated cum laude with a thesis on ransomware detection from the file system point of view, using behavioral techniques only. He applied for the Erasmus project, which allowed him to attend courses from the Cyber Security M.Sc. of Tallinn University Of Technology. He is a security enthusiast, with interest ranging from computer to physical security, including social engineering. As part of the CTF team "Tower of Hanoi", the official team from Politecnico di Milano, he participated in several CTFs, focusing on binary exploitation. He is currently employed as Security Engineer for Secure Network.
  • Giulio De Pasquale - Student, Politecnico di Milano
    Giulio De Pasquale is a computer engineering student at Politecnico di Milano. He focuses his activity on systems security and he plays CTFs with Tower of Hanoi.


Similar Presentations: