ShieldFS Promises to Stop Ransomware Dead in Its Tracks

LAS VEGAS — A group of Italian researchers has made a program that stops and reverses ransomware encryption, with a claimed success rate of 100 percent.

Called ShieldFS, the program is a Windows kernel add-on that monitors activity in the Windows filesystem, looking for telltale signs of the ransomware encryption process. As soon as it detects anything suspicious, ShieldFS makes shadow copies of affected files so that any files that are encrypted can be recovered after the ransomware is stopped.

The researchers began developing ShieldFS late in 2015, but it works on new ransomware as well as older strains. In a demonstration at the Black Hat security conference here this week, ShieldFS stopped the WannaCry ransomware, which first came to light in May 2017, and recovered all the files that the ransomware had managed to encrypt.

Unfortunately, ShieldFS is not yet available to the general public. The researchers are patenting part of their process, and hope to release their methods soon.

MORE: What to Do If You're Hit by Ransomware

ShieldFS operates on the principle that most encrypting ransomware behaves the same way. Team leaders Andrea Continella and Federico Maggi, both of the Politecnico di Milano, explained that "the way ransomware interacts with the filesystem is significantly different than benign applications." (Maggi has finished his studies and taken a job with Trend Micro.)

Before ransomware starts encrypting, the researchers explained, it has to index a computer's entire file system. That's not so unusual — backup software and antivirus software does that too. But ransomware also has to write a lot of files and rename them, both of which are fairly unusual behaviors. 

Most tellingly of all, ransomware interacts with many different types of files in exactly the same way. That's very strange because most filetypes interact with only a few specific applications, and most applications interact with only certain types of files.

For example, .doc files usually interact only with Microsoft Word and other word processors, which can create, read, alter and delete .doc files. Image files interact with Adobe Photoshop and other image editors in a similar way.

But Photoshop can't do much with a .doc file, and Word can only read some types of image files. Meanwhile, web browsers can read many types of files, including .txt, .jpg, .gif and .mp3 files, but it can't create or alter them.

Ransomware throws out those rules and tries to do exactly the same thing to dozens of different kinds of files. When ShieldFS sees a piece of software doing that, as well as indexing the file system and rapidly renaming files, ShieldFS can be pretty sure the mystery software is encrypting ransomware.  Because ShieldFS is a Windows kernel add-on, it can stop the offending process itself.

A video posted by the researchers on YouTube shows ShieldFS in action.

But, as Maggi and Continella pointed out, detection is not enough. Even if the encryption process is stopped after only a few seconds, scores of files will still have been encrypted. So as soon as ShieldFS detects a suspicious process, it instantly goes into a protection mode that creates a shadow copy of any file that is being altered.

Because of this protection mode, Continella and Maggi said, ShieldFS has an unblemished 100 percent recovery rate against every strain of encrypting ransomware they've tested, including CryptoWall, TeslaCrypt, Critroni, TorrentLocker, Locky, ZeroLocker and WannaCry.

Notably absent from that list, however, is Cerber, one of the most pernicious encrypting ransomware families currently active. That may be because Cerber famously encrypts not only a file, but the filename as well, tremendously complicating the recovery process.

Nor will ShieldFS work against other kinds of ransomware, such as the older screen-locking variety that simply locks up the user interface without altering files, or the Petya/NotPetya ransomware which hit Europe hard last month. NotPetya encrypts files, but only as a backup process in case there's a failure of its main process — encrypting the computer's Master Boot Record, which is not accessible by the operating system.

Maggi and Continella admit that ransomware which uses multiple processes instead of a single process to encrypt files would be harder to stop.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.