
ShieldFS: The Last Word in Ransomware Resilient Filesystems - PowerPoint PPT Presentation



  1. ShieldFS: The Last Word in Ransomware Resilient Filesystems. Andrea Continella, Alessandro Guagnelli, Giovanni Zingaro, Giulio De Pasquale, Alessandro Barenghi, Stefano Zanero, Federico Maggi. * US patent pending

  2. 2016-17 the "years of extortion"

  3. Do you WannaCry?


  5. ShieldFS vs WannaCry: ShieldFS detected WannaCry after it had encrypted >= 200 files. Files lost: zero; all were recovered automatically.

  6. It's not just WannaCry...
      ➢ Detected: 1436/1483, 96.9%
      ➢ Files lost: always 0%

  7. Why is ShieldFS different?

  8-10. ShieldFS: Key Takeaways
      The way ransomware interacts with the filesystem is significantly different from benign applications.
      DETECTION. Monitor filesystem activity; monitor usage of crypto primitives.
      PROTECTION. Mere detection is insufficient
      ➢ Stopping a suspicious process may be too late
      ➢ We need to protect users' data, reverting the effects of ransomware attacks.

  11. What does ShieldFS observe?

  12. FS Activity Monitor
      ➢ Windows kernel module to monitor and log the file system activity
        ○ Windows Minifilter Driver, registered with the Filter Manager
        ○ Log IRPs (I/O Request Packets)
      [diagram: Process (user mode) → I/O Manager → Filter Manager → File System → Storage Driver → Hardware (kernel mode)]

  13. Filter Manager API
      CONST FLT_OPERATION_REGISTRATION Callbacks[] = {
          { IRP_MJ_CREATE, 0, PreCreateOperationCallback, PostCreateOperationCallback },
          { IRP_MJ_CLOSE,  0, PreCloseOperationCallback,  PostCloseOperationCallback },
          { IRP_MJ_READ,   0, PreReadOperationCallback,   PostReadOperationCallback },
          { IRP_MJ_WRITE,  0, PreWriteOperationCallback,  PostWriteOperationCallback },
          { IRP_MJ_OPERATION_END }                   /* mandatory terminator of the table */
      };
      CONST FLT_REGISTRATION FilterRegistration = {    /* fields not listed default to 0/NULL */
          sizeof(FLT_REGISTRATION), FLT_REGISTRATION_VERSION, 0,
          NULL, Callbacks, NULL                        /* contexts, operation table, unload (NULL = not unloadable) */
      };
      PFLT_FILTER Filter;
      FltRegisterFilter(DriverObject, &FilterRegistration, &Filter);
      FltStartFiltering(Filter);                       /* callbacks only fire after this */

  14. IRP Log Example

  15. Where do we start from?

  16. Background/Clean FS Activity
      ➢ IRP logger on 11 clean machines
      ➢ FS activity under "typical" usage
        ○ ~1 month worth of data
      [diagram: benign process (user mode) → I/O Manager → IRPLogger → File System → Storage Driver → Disk drive, IRPs flowing down the stack (kernel mode)]

  17. Collected FS Activity


  19. Analysis Environment
      ➢ Windows 7 VM (VirtualBox, Cuckoo Sandbox)
      ➢ 383 samples of 5 distinct families
      [diagram: ransomware process (user mode) → I/O Manager → IRPLogger → File System → Disk drive (kernel mode), inside the VM]

  20. Environment Preparation
      ● Trigger ransomware activity
      ● Avoid anti-sandbox tricks

  21. Ransomware vs Benign apps
      [diagram: a benign process and a ransomware process side by side above the same stack (I/O Manager → IRPLogger → File System → Storage Driver → Disk drive); "? ? ?": what tells them apart in the IRP stream?]

  22. ShieldFS Self-healing Ransomware-aware Filesystem

  23. Ransomware vs Benign apps

  24. Ransomware vs Benign apps
      [legend for the histograms on the following slides: y axis = how many programs (few / many), x axis = feature value (low / high); the four quadrants read "many programs exhibit low value", "many programs exhibit high value", "few programs exhibit low value", "few programs exhibit high value"]

  25-30. Ransomware vs Benign apps: six process-centric features, each shown as a ransomware vs benign histogram
      (1) #Folder-listing
      (2) #Files-Read
      (3) #Files-Written
      (4) #Files-Renamed
      (5) File type coverage
      (6) Write-Entropy
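An added example (my code, not the ShieldFS driver): a user-mode replay of a constructed IRP trace that derives the six per-process features of slides 25-30, including the write-entropy feature of slide 30. The record layout, the table sizes, the list of file types assumed to be on the volume, and the sample trace (an encryptor-like pid 100 and an editor-like pid 200) are all assumptions; file-type coverage is taken here as the fraction of the volume's file types a process has written to, and write entropy as the mean Shannon entropy of its write buffers.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not ShieldFS code: a user-mode replay of a constructed IRP
 * trace that derives the six per-process features of slides 25-30. Record
 * layout, table sizes and the file types on the volume are assumptions. */
typedef enum { OP_DIRLIST, OP_READ, OP_WRITE, OP_RENAME } irp_op;
typedef struct { int pid; irp_op op; const char *path; const uint8_t *buf; size_t len; } irp_rec;
typedef struct {
    int pid, n_dirlist, n_read, n_write, n_rename;   /* features (1)-(4) */
    int n_ext; const char *ext[16];                   /* distinct extensions written, for (5) */
    double entropy_sum; int entropy_n;                /* running mean of write entropy, (6) */
} proc_feat;

static const char *FS_TYPES[] = {"docx", "pdf", "jpg", "xlsx", "txt", "exe", "dll", "mp3"}; /* types on the (constructed) volume */
#define N_FS_TYPES 8
static proc_feat g_feat[8]; static int g_nproc;

/* log2 without libm so the example links anywhere: split v into exponent and
 * mantissa m in [1,2), then ln(m) = 2*atanh((m-1)/(m+1)) as a short series. */
static double log2_approx(double v) {
    union { double d; uint64_t u; } b = { v };
    int e = (int)((b.u >> 52) & 0x7ff) - 1023;
    b.u = (b.u & 0xfffffffffffffULL) | 0x3ff0000000000000ULL;
    double z = (b.d - 1.0) / (b.d + 1.0), z2 = z * z, term = z, sum = 0.0;
    for (int k = 1; k < 40; k += 2) { sum += term / k; term *= z2; }
    return e + 2.0 * sum / 0.6931471805599453;
}

/* Feature (6): Shannon entropy of one write buffer, bits per byte in [0, 8].
 * Ciphertext sits near 8; text and most document formats are well below. */
double write_entropy(const uint8_t *buf, size_t len) {
    size_t hist[256] = {0}; double h = 0.0;
    if (len == 0) return 0.0;
    for (size_t i = 0; i < len; i++) hist[buf[i]]++;
    for (int b = 0; b < 256; b++) {
        if (!hist[b]) continue;
        double p = (double)hist[b] / (double)len;
        h -= p * log2_approx(p);
    }
    return h;
}

proc_feat *feat_for(int pid) {
    for (int i = 0; i < g_nproc; i++) if (g_feat[i].pid == pid) return &g_feat[i];
    if (g_nproc == 8) return NULL;
    memset(&g_feat[g_nproc], 0, sizeof g_feat[0]); g_feat[g_nproc].pid = pid;
    return &g_feat[g_nproc++];
}

/* Update the issuing process's counters for one logged IRP. */
void observe(const irp_rec *r) {
    proc_feat *f = feat_for(r->pid);
    if (!f) return;
    switch (r->op) {
    case OP_DIRLIST: f->n_dirlist++; break;
    case OP_READ:    f->n_read++;    break;
    case OP_RENAME:  f->n_rename++;  break;
    case OP_WRITE: {
        const char *dot = strrchr(r->path, '.'), *e = dot ? dot + 1 : "";
        f->n_write++; f->entropy_n++;
        f->entropy_sum += write_entropy(r->buf, r->len);
        for (int k = 0; k < f->n_ext; k++) if (!strcmp(f->ext[k], e)) return;
        if (f->n_ext < 16) f->ext[f->n_ext++] = e;
        break;
    }
    }
}

/* Feature (5): fraction of the volume's file types this process has written to. */
double type_coverage(const proc_feat *f) {
    int hit = 0;
    for (int i = 0; i < N_FS_TYPES; i++)
        for (int k = 0; k < f->n_ext; k++)
            if (!strcmp(FS_TYPES[i], f->ext[k])) { hit++; break; }
    return (double)hit / N_FS_TYPES;
}
double mean_write_entropy(const proc_feat *f) { return f->entropy_n ? f->entropy_sum / f->entropy_n : 0.0; }

/* Constructed trace: pid 100 behaves like a file encryptor, pid 200 like an editor. */
static uint8_t g_cipher[4096];
static const char g_text[] = "Meeting notes: review the Q3 budget and send the slides to the team.\n";
size_t build_sample_trace(irp_rec *out) {
    static const char *victims[] = {"C:\\Users\\a\\Documents\\report.docx", "C:\\Users\\a\\Documents\\invoice.pdf",
                                    "C:\\Users\\a\\Pictures\\holiday.jpg",  "C:\\Users\\a\\Documents\\budget.xlsx"};
    uint32_t x = 0x2545F491u;   /* xorshift32 output stands in for ciphertext */
    size_t n = 0;
    for (size_t i = 0; i < sizeof g_cipher; i++) { x ^= x << 13; x ^= x >> 17; x ^= x << 5; g_cipher[i] = (uint8_t)x; }
    out[n++] = (irp_rec){100, OP_DIRLIST, "C:\\Users\\a\\Documents", NULL, 0};
    out[n++] = (irp_rec){100, OP_DIRLIST, "C:\\Users\\a\\Pictures", NULL, 0};
    for (int i = 0; i < 4; i++) {
        out[n++] = (irp_rec){100, OP_READ,   victims[i], NULL, 0};
        out[n++] = (irp_rec){100, OP_WRITE,  victims[i], g_cipher, sizeof g_cipher};
        out[n++] = (irp_rec){100, OP_RENAME, victims[i], NULL, 0};
    }
    out[n++] = (irp_rec){200, OP_READ,  "C:\\Users\\a\\Documents\\notes.txt", NULL, 0};
    out[n++] = (irp_rec){200, OP_WRITE, "C:\\Users\\a\\Documents\\notes.txt", (const uint8_t *)g_text, sizeof g_text - 1};
    return n;
}

/* Replay the sample trace once, then return the feature vector for pid. */
proc_feat *sample_features(int pid) {
    static int done;
    irp_rec trace[32];
    if (!done) { size_t n = build_sample_trace(trace); for (size_t i = 0; i < n; i++) observe(&trace[i]); done = 1; }
    return feat_for(pid);
}

int main(void) {
    proc_feat *f = sample_features(100), *g = sample_features(200);
    printf("encryptor: writes=%d renames=%d coverage=%.3f entropy=%.2f\n", f->n_write, f->n_rename, type_coverage(f), mean_write_entropy(f));
    printf("editor:    writes=%d renames=%d coverage=%.3f entropy=%.2f\n", g->n_write, g->n_rename, type_coverage(g), mean_write_entropy(g));
    return 0;
}
```

The encryptor-like process ends up with high counts on all four counters, half of the volume's file types written, and write entropy close to 8 bits per byte; the editor touches one type and writes plain text at roughly 4 bits per byte. These raw values are what a classifier such as the one on slide 32 would consume; the thresholds themselves are not shown on the slides and are not encoded here.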

  31. Ransomware vs Benign apps

  32. Machine Learning: learned classification model

  33. ShieldFS Self-healing Ransomware-aware Filesystem

  34. ShieldFS: Healing Approach


  36. THIS SLIDE IS TO PROVE THAT WE CAN CREATE COMPLEX ANIMATION FLOWS


  38. Detection Models
      [diagram: process-centric models, one per process (Process #1 … Process #n), and a system-centric model (labelled K) over the whole disk drive]

  39-48. Multi-tier Incremental Models
      [diagram: models arranged in tiers over a horizon axis of log(% accessed files). Short-term horizon: six Model 1 instances; above them three Model 2 instances; above those two Model 3 instances; long-term horizon: one Global Model. Slides 40-45 animate ticks #0 to #5 (the axis is marked #0 #1 #2 #3) as a process touches a growing share of the files, so each tier sees the process's activity at a different granularity. Slides 46-48 show the three outcomes: Malicious, Benign, and Suspicious (? ? ?).]

  49-50. I'm Confused..
      Suspicious: the process-centric models (Process #1 … Process #n) and the system-centric model do not give a clear verdict.
      → LOOK FOR TRACES OF CRYPTO FUNCTIONS

  51. Block Ciphers: Key Schedule

  52-53. Traces of Crypto Primitives: key schedules
      A block cipher expands its key into one round key per encryption round, and the whole expanded schedule sits in the process's memory while it encrypts; a region of memory consistent with a key schedule therefore reveals a live encryption key.
      [figure: sample schedule bytes beside the encryption rounds they feed: 77 3f 9d 50 2a 91 d5 86 (Round 1) a0 89 42 b2 f3 de b8 d3 32 f2 16 b0 88 e3 7e b4 (Round 2) 1d 2d f4 b2 fa 6f 51 64 bd ce c7 e5 16 1b e1 dc (Round 3) 8f db 81 e5 50 8b c0 1a 7b 93 8f f4 64 c9 bf f3 … (Round N) a5 f8 25 be f5 9a 48 c8]
      False positives for AES: 2^-1344
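An added example, my code rather than ShieldFS's CryptoFinder: the key-schedule search of slides 50-53 for AES-128 only, in plain C over a constructed memory snapshot. Every 16-byte window is expanded with the FIPS-197 key schedule and compared with the 160 bytes that follow it, which is what makes a stored schedule distinguishable from random data; the S-box is generated at runtime, and the FIPS-197 Appendix A.1 key is used as a self-test. The snapshot layout (pseudo-random filler, a bare key copy at offset 100, a full schedule at offset 700) and the function names are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not ShieldFS's CryptoFinder. Every 16-byte window of a memory
 * buffer is treated as a candidate AES-128 key, expanded, and compared with the
 * 160 bytes that follow it; a process keeping an expanded schedule in memory is
 * found this way. Buffer contents and offsets below are constructed. */

#define ROTL8(x, s) ((uint8_t)(((x) << (s)) | ((x) >> (8 - (s)))))
static uint8_t sbox[256];

/* Build the AES S-box from the GF(2^8) inverse and the affine map, so no
 * 256-entry table is needed. Loop invariant: p * q == 1 in GF(2^8). */
void init_sbox(void) {
    uint8_t p = 1, q = 1;
    do {
        p = p ^ (p << 1) ^ (p & 0x80 ? 0x1B : 0);   /* p *= 3 */
        q ^= q << 1; q ^= q << 2; q ^= q << 4;         /* q /= 3 */
        q ^= q & 0x80 ? 0x09 : 0;
        sbox[p] = (q ^ ROTL8(q, 1) ^ ROTL8(q, 2) ^ ROTL8(q, 3) ^ ROTL8(q, 4)) ^ 0x63;
    } while (p != 1);
    sbox[0] = 0x63;                                    /* 0 has no inverse */
}

/* FIPS-197 key expansion for AES-128: 11 round keys = 176 bytes. */
void aes128_key_schedule(const uint8_t key[16], uint8_t rk[176]) {
    uint8_t rcon = 0x01;
    memcpy(rk, key, 16);
    for (int i = 16; i < 176; i += 4) {
        uint8_t t[4];
        memcpy(t, rk + i - 4, 4);
        if (i % 16 == 0) {                             /* RotWord, SubWord, Rcon */
            uint8_t t0 = t[0];
            t[0] = sbox[t[1]] ^ rcon; t[1] = sbox[t[2]]; t[2] = sbox[t[3]]; t[3] = sbox[t0];
            rcon = (uint8_t)((rcon << 1) ^ ((rcon & 0x80) ? 0x1B : 0));
        }
        for (int j = 0; j < 4; j++) rk[i + j] = rk[i - 16 + j] ^ t[j];
    }
}

/* Offset of the first window whose expansion matches the next 160 bytes, or -1.
 * All 1280 derived bits must agree, so a chance hit does not happen in practice. */
long find_aes128_schedule(const uint8_t *mem, size_t len) {
    uint8_t rk[176];
    if (len < 176) return -1;
    for (size_t off = 0; off + 176 <= len; off++) {
        aes128_key_schedule(mem + off, rk);
        if (memcmp(rk + 16, mem + off + 16, 160) == 0) return (long)off;
    }
    return -1;
}

/* FIPS-197 Appendix A.1 key and its last round key, used as the self-test. */
static const uint8_t FIPS_KEY[16]  = {0x2b,0x7e,0x15,0x16,0x28,0xae,0xd2,0xa6,0xab,0xf7,0x15,0x88,0x09,0xcf,0x4f,0x3c};
static const uint8_t FIPS_RK10[16] = {0xd0,0x14,0xf9,0xa8,0xc9,0xee,0x25,0x89,0xe1,0x3f,0x0c,0xc8,0xb6,0x63,0x0c,0xa6};

int schedule_self_test(void) {
    uint8_t rk[176];
    init_sbox();
    aes128_key_schedule(FIPS_KEY, rk);
    return sbox[0x53] == 0xed && memcmp(rk + 160, FIPS_RK10, 16) == 0;
}

/* Constructed memory snapshot: pseudo-random filler, a bare copy of the key at
 * offset 100 (a key alone is not evidence) and a full schedule at offset 700. */
static uint8_t g_mem[2048];
const uint8_t *build_snapshot(size_t *len) {
    uint32_t x = 0x9E3779B9u;
    for (size_t i = 0; i < sizeof g_mem; i++) { x ^= x << 13; x ^= x >> 17; x ^= x << 5; g_mem[i] = (uint8_t)x; }
    init_sbox();
    memcpy(g_mem + 100, FIPS_KEY, 16);
    aes128_key_schedule(FIPS_KEY, g_mem + 700);
    *len = sizeof g_mem;
    return g_mem;
}

long scan_snapshot(void) {
    size_t n;
    const uint8_t *m = build_snapshot(&n);
    return find_aes128_schedule(m, n);
}

int main(void) {
    long off = scan_snapshot();
    printf("self-test %s, key schedule found at offset %ld\n", schedule_self_test() ? "ok" : "FAILED", off);
    return off == 700 ? 0 : 1;
}
```

Against a real process the scanner would run over the target's readable pages rather than a static buffer, and a complete tool also needs the AES-192/256 schedules and other ciphers' expansions; only the consistency check that makes the idea work is shown here. Note that the bare key at offset 100 is not reported: without the derived round keys behind it, 16 bytes carry no signal.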

  54-57. ShieldFS: Architecture
      [diagram, built up over four slides]
      ➢ User space: Process 1, Process 2, … each in its own virtual memory address space, issuing open("file.txt"), read(fp1), …
      ➢ Kernel space: the I/O Manager (minifilter driver interface) hands every I/O Request Packet (IRP) to ShieldFS, which turns the IRPs into feature values for the process-centric models (model 1, model 2, …) and the system-centric model; the Detector combines their outputs ("process 1 is suspicious")
      ➢ CryptoFinder: on a suspicious verdict, "search for crypto key schedule" in that process's address space
      ➢ Shielder: acts on the final verdicts ("process 2 is benign", "process 1 is malicious: kill it and restore files"): "delete process 2 file copies", "restore process 1 files copies" from the Shadow drive back to the Disk drive
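An added example, my code rather than ShieldFS's Shielder: an in-memory model of the Shadow drive and of the two actions the architecture slide gives the Shielder, restoring a malicious process's file copies and deleting a benign one's. The first time a process writes a file, the pre-write content is copied aside and tagged with the writer's pid, so a later malicious verdict can put every original back. The table sizes, the copy-on-first-write policy, the file names and contents, and the function names are all assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not ShieldFS's Shielder. An in-memory model of the "Shadow
 * drive": the first time a process writes a file, the pre-write content is
 * copied aside and tagged with the writer's pid. A malicious verdict restores
 * every copy that pid caused; a benign verdict discards them. Table sizes, the
 * copy-on-first-write policy and the file contents are assumptions. */

#define MAX_FILES 8
#define MAX_COPIES 16
#define CONTENT 64

typedef struct { const char *path; char data[CONTENT]; } disk_file;                     /* the disk drive */
typedef struct { int pid; const char *path; char data[CONTENT]; int live; } shadow_copy; /* the shadow drive */

static disk_file disk[MAX_FILES];      static int n_files;
static shadow_copy shadow[MAX_COPIES]; static int n_copies;

static disk_file *disk_lookup(const char *path) {
    for (int i = 0; i < n_files; i++) if (!strcmp(disk[i].path, path)) return &disk[i];
    return NULL;
}
static void set_content(char *dst, const char *src) { strncpy(dst, src, CONTENT - 1); dst[CONTENT - 1] = '\0'; }

void disk_reset(void) { n_files = 0; n_copies = 0; }

int disk_create(const char *path, const char *content) {
    if (n_files == MAX_FILES) return -1;
    disk[n_files].path = path;
    set_content(disk[n_files].data, content);
    n_files++;
    return 0;
}

const char *disk_read(const char *path) { disk_file *f = disk_lookup(path); return f ? f->data : NULL; }

/* Pre-write callback: copy the original aside before the write lands. One copy
 * per (pid, path); later writes by the same pid to the same file reuse it, so
 * the copy always holds the content from before the process's first write. */
static int shadow_before_write(int pid, const disk_file *f) {
    for (int i = 0; i < n_copies; i++)
        if (shadow[i].live && shadow[i].pid == pid && !strcmp(shadow[i].path, f->path)) return 0;
    if (n_copies == MAX_COPIES) return -1;   /* a real driver would fail the write or evict */
    shadow[n_copies].pid = pid; shadow[n_copies].path = f->path; shadow[n_copies].live = 1;
    memcpy(shadow[n_copies].data, f->data, CONTENT);
    n_copies++;
    return 0;
}

/* The write path as the minifilter sees it: shadow first, then apply. */
int shielded_write(int pid, const char *path, const char *content) {
    disk_file *f = disk_lookup(path);
    if (!f || shadow_before_write(pid, f) != 0) return -1;
    set_content(f->data, content);
    return 0;
}

/* Detector verdict for a pid: malicious -> put every shadowed original back,
 * benign -> drop the copies. Returns how many copies were handled. */
int apply_verdict(int pid, int malicious) {
    int n = 0;
    for (int i = 0; i < n_copies; i++) {
        if (!shadow[i].live || shadow[i].pid != pid) continue;
        if (malicious) { disk_file *f = disk_lookup(shadow[i].path); if (f) memcpy(f->data, shadow[i].data, CONTENT); }
        shadow[i].live = 0;
        n++;
    }
    return n;
}

/* Constructed scenario: pid 100 overwrites two documents (one of them twice, as
 * an encryptor writing in chunks would) and is judged malicious; pid 200 edits
 * a note and is judged benign. Returns the number of files restored. */
int run_scenario(void) {
    disk_reset();
    disk_create("report.docx", "Q3 report: revenue up 4%");
    disk_create("invoice.pdf", "Invoice #1042, due in 30 days");
    disk_create("notes.txt",   "todo: call Bob");
    shielded_write(100, "report.docx", "<ciphertext chunk 1>");
    shielded_write(100, "report.docx", "<ciphertext chunk 1><ciphertext chunk 2>");
    shielded_write(100, "invoice.pdf", "<ciphertext>");
    shielded_write(200, "notes.txt",   "todo: call Bob, then Alice");
    int restored = apply_verdict(100, 1);   /* "process 100 is malicious: kill it and restore files" */
    apply_verdict(200, 0);                  /* "process 200 is benign": delete its file copies */
    return restored;
}

int main(void) {
    int restored = run_scenario();
    printf("restored %d files; report.docx now reads: %s\n", restored, disk_read("report.docx"));
    return 0;
}
```

The point of the copy-on-first-write rule is visible in the second write to report.docx: the shadow copy taken before the first chunk is the one restored, not the intermediate ciphertext. Killing the process, handling renames and deletions, and keeping the copies on a separate volume are left out of this model.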
