Improved Ransomware Detection and Prevention for SSDs

SSD-Insider was created to protect users and organizations from ransomware.

A research team has developed a new method to protect SSDs from ransomware attacks. This method can detect ransomware, block it before it causes harm, and even recover stolen data in a short time.

The Register interviewed researchers from Inha University Daegu Gyeongbuk Institute of Science and Technology, Florida Central University, and the Cybersecurity Department at Ewha Womans University. The system, called SSD-Insider, was tested on real-world ransomware.

SSD-Insider works by detecting certain patterns in SSD activity that point to ransomware. In the article about this project, “To recognize ransomware activity, we paid attention to the unique behaviors and writes of a ransomware.” a statement is made. At this point, attention was drawn to the movements of ransomware such as WannaCry, Mole and CryptoShield.

Inha researcher DaeHun Nyang said, “When ransomware activity is detected by SSD-Insider++, storage I/O is suspended. During the suspension, users can remove the ransomware process.” says.

After the ransomware is stopped, lost files can be recovered due to the features of SSDs. At this point, it is stated that the Garbage Collector feature always keeps old data until it is permanently deleted. SSD-Insider tracks old versions of data inside SSDs and never removes them until the ransomware detection algorithm confirms that new versions are not affected by ransomware.

The developed software missed no malware and rarely made false detections in tests with WannaCry and other ransomware. The False Reject Rate (FRR) was 0% in all tested scenarios.

An antivirus researcher told The Register that a method like SSD-Insider is not foolproof. ESET UK’s Jake Moore said, “The function takes advantage of a delay in deletion. Ransomware developers may know how this method works and can circumvent it.” made a statement. Therefore, it is very important to have data backed up in any case.