poster

Public Access

Poster: Data Recovery from Ransomware Attacks via File System Forensics and Flash Translation Layer Data Extraction

Authors:

Niusen Chen,

Josh Dafoe,

Bo ChenAuthors Info & Claims

CCS '22: Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security

Pages 3335 - 3337

https://doi.org/10.1145/3548606.3563538

Published: 07 November 2022 Publication History

PDF eReader

Abstract

Ransomware is increasingly prevalent in recent years. To defend against ransomware in computing devices using flash memory as external storage, existing designs extract the entire raw flash memory data to restore the external storage to a good state. However, they cannot allow a fine-grained recovery in terms of user files as raw flash memory data do not have the semantics of "files''.

In this work, we design FFRecovery, a new ransomware defense strategy that can support fine-grained data recovery after the attacks. Our key idea is, to recover a file corrupted by the ransomware, we can 1) restore its file system metadata via file system forensics, and 2) extract its file data via raw data extraction from the flash translation layer, and 3) assemble the corresponding file system metadata and the file data. A simple prototype of FFRecovery has been developed and some preliminary results are provided.

References

[1]

ext4 data structures and algorithms. https://docs.kernel.org/filesystems/ext4/ globals.html.

Google Scholar

[2]

Lpc-h3131. https://www.olimex.com/Products/ARM/NXP/LPC-H3131/.

Google Scholar

[3]

Ssd market share. https://www.t4.ai/industry/ssd-market-share.

Google Scholar

[4]

Sung Ha Baek, Youngdon Jung, Aziz Mohaisen, Sungjin Lee, and DaeHun Nyang. Ssd-insider: Internal defense of solid-state drive against ransomware with perfect data recovery. In 2018 IEEE 38th International Conference on Distributed Computing Systems (ICDCS), pages 875--884. IEEE, 2018.

Crossref

Google Scholar

[5]

Niusen Chen and Bo Chen. Defending against os-level malware in mobile devices via real-time malware detection and storage restoration. Journal of Cybersecurity and Privacy, 2(2):311--328, 2022.

Crossref

Google Scholar

[6]

Google Code. Opennfm. https://code.google.com/p/opennfm/.

Google Scholar

[7]

Le Guan, Shijie Jia, Bo Chen, Fengwei Zhang, Bo Luo, Jingqiang Lin, Peng Liu, Xinyu Xing, and Luning Xia. Supporting transparent snapshot for bare-metal malware analysis on mobile devices. In Proceedings of the 33rd Annual Computer Security Applications Conference, pages 339--349, 2017.

Digital Library

Google Scholar

[8]

Jian Huang, Jun Xu, Xinyu Xing, Peng Liu, and Moinuddin K Qureshi. Flashguard: Leveraging intrinsic flash properties to defend against encryption ransomware. In Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, pages 2231--2244. ACM, 2017.

Digital Library

Google Scholar

[9]

Donghyun Min, Donggyu Park, Jinwoo Ahn, Ryan Walker, Junghee Lee, Sungyong Park, and Youngjae Kim. Amoeba: an autonomous backup and recovery ssd for ransomware attack defense. IEEE Computer Architecture Letters, 17(2):245--248, 2018.

Digital Library

Google Scholar

[10]

Peiying Wang, Shijie Jia, Bo Chen, Luning Xia, and Peng Liu. Mimosaftl: adding secure and practical ransomware defense strategy to flash translation layer. In Proceedings of the Ninth ACM Conference on Data and Application Security and Privacy, pages 327--338, 2019.

Digital Library

Google Scholar

[11]

Xiaohao Wang, Yifan Yuan, You Zhou, Chance C Coats, and Jian Huang. Project almanac: A time-traveling solid-state drive. In Proceedings of the Fourteenth EuroSys Conference 2019, pages 1--16, 2019.

Google Scholar

[12]

Wen Xie, Niusen Chen, and Bo Chen. Enabling accurate data recovery for mobile devices against malware attacks. In 18th EAI International Conference on Security and Privacy in Communication Networks, 2022.

Google Scholar

Cited By

View all

Rother CChen B(2024)Reversing File Access Control Using Disk Forensics on Low-Level Flash MemoryJournal of Cybersecurity and Privacy10.3390/jcp40400384:4(805-822)Online publication date: 1-Oct-2024
https://doi.org/10.3390/jcp4040038
McIntosh TSusnjak TLiu TXu DWatters PLiu DHao YNg AHalgamuge M(2024)Ransomware Reloaded: Re-examining Its Trend, Research and Mitigation in the Era of Data ExfiltrationACM Computing Surveys10.1145/369134057:1(1-40)Online publication date: 7-Oct-2024
https://dl.acm.org/doi/10.1145/3691340
Dafoe JSingh HChen NChen B(2024)Enabling Real-Time Restoration of Compromised ECU Firmware in Connected and Autonomous VehiclesSecurity and Privacy in Cyber-Physical Systems and Smart Vehicles10.1007/978-3-031-51630-6_2(15-33)Online publication date: 5-Feb-2024
https://doi.org/10.1007/978-3-031-51630-6_2

Recommendations

Poster: MUSTARD - Adaptive Behavioral Analysis for Ransomware Detection
CCS '22: Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security

Behavioural analysis based on filesystem operations is one of the most promising approaches for the detection of ransomware. Nonetheless, tracking all the operations on all the files for all the processes can introduce a significant overhead on the ...
A Survey on Ransomware: Evolution, Taxonomy, and Defense Solutions
In recent years, ransomware has been one of the most notorious malware targeting end-users, governments, and business organizations. It has become a very profitable business for cybercriminals with revenues of millions of dollars, and a very serious ...
FlashGuard: Leveraging Intrinsic Flash Properties to Defend Against Encryption Ransomware
CCS '17: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security

Encryption ransomware is a malicious software that stealthily encrypts user files and demands a ransom to provide access to these files. Several prior studies have developed systems to detect ransomware by monitoring the activities that typically occur ...

Comments

Information & Contributors

Information

Published In

CCS '22: Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security

November 2022

3598 pages

ISBN:9781450394505

DOI:10.1145/3548606

General Chairs:
Heng Yin
University of California, Riverside
,
Angelos Stavrou
Virginia Tech
,
Program Chairs:
Cas Cremers
CISPA Helmholtz Center for Information Security
,
Elaine Shi
Carnegie Mellon University

Permission to make digital or hard copies of part or all of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for third-party components of this work must be honored. For all other uses, contact the Owner/Author.

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 07 November 2022

Check for updates

Author Tags

Qualifiers

Poster

Funding Sources

National Science Foundation

Conference

CCS '22

Sponsor:

SIGSAC

CCS '22: 2022 ACM SIGSAC Conference on Computer and Communications Security

November 7 - 11, 2022

CA, Los Angeles, USA

Acceptance Rates

Overall Acceptance Rate 1,261 of 6,999 submissions, 18%

Upcoming Conference

CCS '25

Sponsor:
sigsac

ACM SIGSAC Conference on Computer and Communications Security

October 13 - 17, 2025

Taipei , Taiwan

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

3
Total Citations
View Citations
422
Total Downloads

Downloads (Last 12 months)182
Downloads (Last 6 weeks)25

Reflects downloads up to 03 Mar 2025

Other Metrics

View Author Metrics

Citations

Cited By

View all

Rother CChen B(2024)Reversing File Access Control Using Disk Forensics on Low-Level Flash MemoryJournal of Cybersecurity and Privacy10.3390/jcp40400384:4(805-822)Online publication date: 1-Oct-2024
https://doi.org/10.3390/jcp4040038
McIntosh TSusnjak TLiu TXu DWatters PLiu DHao YNg AHalgamuge M(2024)Ransomware Reloaded: Re-examining Its Trend, Research and Mitigation in the Era of Data ExfiltrationACM Computing Surveys10.1145/369134057:1(1-40)Online publication date: 7-Oct-2024
https://dl.acm.org/doi/10.1145/3691340
Dafoe JSingh HChen NChen B(2024)Enabling Real-Time Restoration of Compromised ECU Firmware in Connected and Autonomous VehiclesSecurity and Privacy in Cyber-Physical Systems and Smart Vehicles10.1007/978-3-031-51630-6_2(15-33)Online publication date: 5-Feb-2024
https://doi.org/10.1007/978-3-031-51630-6_2

View Options

View options

PDF

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Cited By

Recommendations

Poster: MUSTARD - Adaptive Behavioral Analysis for Ransomware Detection

A Survey on Ransomware: Evolution, Taxonomy, and Defense Solutions

FlashGuard: Leveraging Intrinsic Flash Properties to Defend Against Encryption Ransomware

Comments

Published In

Sponsors

Publisher

Publication History

Check for updates

Author Tags

Qualifiers

Funding Sources

Conference

Acceptance Rates

Upcoming Conference

Other Metrics

Article Metrics

Other Metrics

Cited By

PDF

eReader

Login options

Full Access

Abstract

References

Cited By

Recommendations

Poster: MUSTARD - Adaptive Behavioral Analysis for Ransomware Detection

A Survey on Ransomware: Evolution, Taxonomy, and Defense Solutions

FlashGuard: Leveraging Intrinsic Flash Properties to Defend Against Encryption Ransomware

Comments

Information

Published In

Sponsors

Publisher

Publication History

Check for updates

Author Tags

Qualifiers

Funding Sources

Conference

Acceptance Rates

Upcoming Conference

Contributors

Other Metrics

Bibliometrics

Article Metrics

Other Metrics

Citations

Cited By

View options

PDF

eReader

Login options

Full Access

Share

Share this Publication link

Share on social media

Affiliations