ShieldFS: The Last Word in Ransomware Resilient Filesystems (PowerPoint presentation)



SLIDE 1

ShieldFS: The Last Word in Ransomware Resilient Filesystems

Andrea Continella, Alessandro Guagnelli, Giovanni Zingaro, Giulio De Pasquale, Alessandro Barenghi, Stefano Zanero, Federico Maggi

* US patent pending

SLIDE 2

2016-17 the "years of extortion"

SLIDE 3

Do you WannaCry?


SLIDE 5

ShieldFS vs WannaCry

➢ ShieldFS detected WannaCry after it encrypted >=200 files
➢ Files lost: zero, all were recovered automatically

SLIDE 6

It’s not just WannaCry...

➢ Detected: 1436/1483, 96.9%
➢ Files lost: always 0%

SLIDE 7

Why is ShieldFS different?


SLIDE 10

ShieldFS: Key Takeaways

The way ransomware interacts with the filesystem is significantly different from that of benign applications.

  • DETECTION. Monitor filesystem activity
    ➢ Filesystem activity
    ➢ Usage of crypto primitives
  • PROTECTION. Mere detection is insufficient
    ➢ Stopping a suspicious process may be too late
    ➢ We need to protect users’ data, reverting the effects of ransomware attacks.

SLIDE 11

What does ShieldFS observe?

SLIDE 12

FS Activity Monitor

➢ Windows Kernel module to monitor and log the file system activity
  ○ Windows Minifilter Driver
  ○ Log IRPs (I/O Request Packets)

Figure: I/O path from a user-mode Process through the I/O Manager, Filter Manager, File System and Storage Driver (kernel mode) down to the Hardware.

SLIDE 13

Filter Manager API

    /* One entry per IRP major function the minifilter wants to see; the
       pre/post callbacks are where the IRPs get logged. */
    CONST FLT_OPERATION_REGISTRATION Callbacks[] = {
        { IRP_MJ_CREATE, 0, PreCreateOperationCallback, PostCreateOperationCallback },
        { IRP_MJ_CLOSE,  0, PreCloseOperationCallback,  PostCloseOperationCallback },
        { IRP_MJ_READ,   0, PreReadOperationCallback,   PostReadOperationCallback },
        { IRP_MJ_WRITE,  0, PreWriteOperationCallback,  PostWriteOperationCallback },
        { IRP_MJ_OPERATION_END }   /* required terminator of the array */
    };

    /* Callbacks is referenced from FilterRegistration.OperationRegistration */
    FltRegisterFilter(DriverObject, &FilterRegistration, &Filter);

SLIDE 14

IRP Log Example

SLIDE 15

Where do we start from?

SLIDE 16

Background/Clean FS Activity

➢ IRP logger on 11 clean machines
➢ FS activity under "typical" usage
  ○ ~1 month worth of data

Figure: benign user-mode processes issue IRPs; in kernel mode the I/O Manager hands them to the IRPLogger, then to the File System and Storage Driver, down to the Disk drive.

SLIDE 17

Collected FS Activity


SLIDE 19

Analysis Environment

383 samples of 5 distinct families

Figure: ransomware samples run inside a Windows 7 VM (VirtualBox + Cuckoo Sandbox); in kernel mode the IRPLogger sits between the I/O Manager and the File System, in front of the Disk drive.

SLIDE 20

Environment Preparation

  • Trigger ransomware activity
  • Avoid anti-sandbox tricks

SLIDE 21

Ransomware vs Benign apps

Figure: Benign and Ransomware processes both send IRPs through the I/O Manager to the IRPLogger and on to the File System, Storage Driver and Disk drive; which is which (? ? ?) is the open question.

SLIDE 22

ShieldFS

Self-healing Ransomware-aware Filesystem


SLIDE 24

Ransomware vs Benign apps

Figure (feature-value quadrants): MANY PROGRAMS exhibit LOW VALUE / MANY PROGRAMS exhibit HIGH VALUE / FEW PROGRAMS exhibit LOW VALUE / FEW PROGRAMS exhibit HIGH VALUE

SLIDES 25–30

Ransomware vs Benign apps

One figure per feature, each plotting the Benign vs Ransomware distribution:

(1) #Folder-listing
(2) #Files-Read
(3) #Files-Written
(4) #Files-Renamed
(5) File type coverage
(6) Write-Entropy
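
The six features compared on the slides above, computed from a constructed, simplified IRP log by example code added here (not ShieldFS's own code); the record layout, the `_ext` helper and treating every IRP_MJ_SET_INFORMATION record as a rename are assumptions of this example.

```python
import math
from collections import Counter, defaultdict

# Constructed, simplified IRP log: (pid, IRP major function, path, bytes written). pid 100
# acts like an editor, pid 200 like an encryptor; IRP_MJ_SET_INFORMATION stands for a rename.
IRP_LOG = [
    (100, "IRP_MJ_DIRECTORY_CONTROL", r"C:\Users\bob\Documents", b""),
    (100, "IRP_MJ_READ", r"C:\Users\bob\Documents\notes.txt", b""),
    (100, "IRP_MJ_WRITE", r"C:\Users\bob\Documents\notes.txt", b"meeting notes, plain text " * 4),
    (200, "IRP_MJ_DIRECTORY_CONTROL", r"C:\Users\bob\Documents", b""),
    (200, "IRP_MJ_DIRECTORY_CONTROL", r"C:\Users\bob\Pictures", b""),
    (200, "IRP_MJ_READ", r"C:\Users\bob\Documents\notes.txt", b""),
    (200, "IRP_MJ_WRITE", r"C:\Users\bob\Documents\notes.txt", bytes(range(256))),  # ciphertext stand-in
    (200, "IRP_MJ_SET_INFORMATION", r"C:\Users\bob\Documents\notes.txt", b""),
    (200, "IRP_MJ_READ", r"C:\Users\bob\Pictures\cat.jpg", b""),
    (200, "IRP_MJ_WRITE", r"C:\Users\bob\Pictures\cat.jpg", bytes(range(255, -1, -1))),
    (200, "IRP_MJ_SET_INFORMATION", r"C:\Users\bob\Pictures\cat.jpg", b""),
]

def shannon_entropy(data):
    """Bits per byte: roughly 3-5 for text, 8.0 for uniformly distributed bytes (ciphertext)."""
    return -sum(c / len(data) * math.log2(c / len(data)) for c in Counter(data).values()) if data else 0.0

def _ext(path):
    name = path.rsplit("\\", 1)[-1]                            # final path component
    return name.rsplit(".", 1)[1].lower() if "." in name else None

def extract_features(log):
    """The six per-process features from the talk, keyed by pid."""
    all_exts = {_ext(p) for _, _, p, _ in log} - {None}      # file types seen system-wide
    acc = defaultdict(lambda: {"list": 0, "read": set(), "written": set(), "ren": 0, "ent": []})
    for pid, op, path, data in log:
        f = acc[pid]
        if op == "IRP_MJ_DIRECTORY_CONTROL":
            f["list"] += 1
        elif op == "IRP_MJ_READ":
            f["read"].add(path)
        elif op == "IRP_MJ_WRITE":
            f["written"].add(path)
            f["ent"].append(shannon_entropy(data))
        elif op == "IRP_MJ_SET_INFORMATION":
            f["ren"] += 1
    return {pid: {
        "folder_listings": f["list"],
        "files_read": len(f["read"]),
        "files_written": len(f["written"]),
        "files_renamed": f["ren"],
        "file_type_coverage": len({_ext(p) for p in f["written"]} - {None}) / len(all_exts),
        "write_entropy": sum(f["ent"]) / len(f["ent"]) if f["ent"] else 0.0,
    } for pid, f in acc.items()}
```

The encryptor-like process scores high on every feature at once (two listings, two renames, full type coverage, 8.0 bits/byte writes), while the editor touches one file type with low-entropy writes; the classifier on the next slides learns the boundary between such profiles.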

SLIDE 31

Ransomware vs Benign apps

SLIDE 32

Machine Learning

Learned classification model

SLIDE 33

ShieldFS

Self-healing Ransomware-aware Filesystem

SLIDE 34

ShieldFS: Healing Approach


SLIDE 36

THIS SLIDE IS TO PROVE THAT WE CAN CREATE COMPLEX ANIMATION FLOWS


SLIDE 38

Detection Models

Figure: Process #1 … Process #n each feed a Process-centric Model, with one System-centric Model alongside, all driven by Disk drive activity; K marks the number of model tiers introduced on the next slide.

SLIDE 39

Multi-tier Incremental Models

Figure: the log(% accessed files) axis is divided into K tiers (#0 #1 #2 #3 …). Every tier has its own short-term horizon model (Model 1); Model 2 and Model 3 each span several tiers, and a Global Model spans all of them (long-term horizon).

SLIDES 40–45: the same figure animated one tick at a time (tick #0 … tick #5) as the process crosses tiers #0 … #3.
SLIDE 46

Multi-tier Incremental Models

Figure: the tiered figure, short-term horizon: verdict Malicious.

SLIDE 47

Multi-tier Incremental Models

Figure: the tiered figure, short-term horizon: verdict Benign.

SLIDE 48

Multi-tier Incremental Models

Figure: the tiered figure, short-term horizon: verdict Suspicious (? ? ?).

SLIDE 50

I’m Confused..

Figure: the detection models (Process #1 … Process #n → Process-centric Models, plus the System-centric Model) report Suspicious.

LOOK FOR TRACES OF CRYPTO FUNCTIONS

SLIDE 51

Block Ciphers: Key Schedule

SLIDE 53

Traces of Crypto Primitives

Figure: a process memory dump annotated with the Key schedules that feed Encryption Rounds 1, 2, 3 … N.

Memory dump (hex): 77 3f 9d 50 2a 91 d5 86 a0 89 42 b2 f3 de b8 d3 32 f2 16 b0 88 e3 7e b4 1d 2d f4 b2 fa 6f 51 64 bd ce c7 e5 16 1b e1 dc 8f db 81 e5 50 8b c0 1a 7b 93 8f f4 64 c9 bf f3 a5 f8 25 be f5 9a 48 c8

False Positives for AES: 2^-1344

SLIDES 54–58

ShieldFS: Architecture (built up over five slides)

Figure: user space holds Process 1, Process 2, … (each with its own address space, issuing open("file.txt"), read(fp1), …). In kernel space the I/O Manager (minifilter driver interface) passes the I/O Request Packets (IRPs) to the Detector, which turns them into Feature values for one Process centric model per process (Process centric model 1, Process centric model 2, …) and a single System centric model. When the models report "process 1 is suspicious", the CryptoFinder is told to "search for crypto key schedule" in that process's Virtual memory. The final verdicts go to the Shielder, which manages the Shadow drive next to the Disk drive: "process 2 is benign" leads to "delete process 2 file copies"; "process 1 is malicious: kill it and restore files" leads to "restore process 1 file copies".

SLIDES 59–64

File Recovery Workflow (built up over six slides)

Figure (state diagram): Start → Unknown: monitor the process and COW (copy-on-write) the original on its first write → ShieldFS Detector → Malicious: restore original copies / Benign: clean old copies.
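
The workflow above as an in-memory model, added here as example code rather than ShieldFS's own implementation; the class, its method names and the constructed two-process scenario are assumptions of this example.

```python
# Shadow drive model: the first time a still-unknown process writes a file, the
# original content is snapshotted (copy-on-write). The detector's verdict then
# either restores every snapshot that process caused (malicious) or discards
# them (benign). Snapshots survive until a verdict, so a late detection loses nothing.

class ShadowedFilesystem:
    def __init__(self, files):
        self.files = dict(files)     # path -> current content (the "disk drive")
        self.shadow = {}             # (pid, path) -> original content (the "shadow drive")
        self.verdict = {}            # pid -> "malicious" | "benign"; absent = unknown

    def write(self, pid, path, data):
        """A write seen by the minifilter: snapshot the original on a pid's first write."""
        if self.verdict.get(pid) == "malicious":
            raise PermissionError(f"pid {pid} was killed")
        if pid not in self.verdict and (pid, path) not in self.shadow:
            self.shadow[(pid, path)] = self.files.get(path)   # None = file did not exist
        self.files[path] = data

    def apply_verdict(self, pid, verdict):
        """Detector result: 'malicious' restores the originals, 'benign' discards the copies."""
        self.verdict[pid] = verdict
        owned = [key for key in self.shadow if key[0] == pid]
        for key in owned:
            original = self.shadow.pop(key)
            if verdict != "malicious":
                continue
            if original is None:
                self.files.pop(key[1], None)     # the process created it: remove it
            else:
                self.files[key[1]] = original
        return len(owned)

def demo():
    """Constructed scenario: an editor and an encrypting process touch the same files."""
    fs = ShadowedFilesystem({"notes.txt": b"plain", "cat.jpg": b"\xff\xd8jpeg"})
    fs.write(100, "notes.txt", b"plain, edited")         # editor saves first
    fs.write(200, "notes.txt", b"\x9c\x11\xa3\x77")        # encryptor overwrites in place
    fs.write(200, "cat.jpg", b"\x02\xf0\x5e")
    fs.write(200, "cat.jpg.locked", b"\x02\xf0\x5e")       # ...and drops a renamed copy
    fs.apply_verdict(200, "malicious")    # restores the *edited* notes, not the stale original
    fs.apply_verdict(100, "benign")       # the editor's own snapshot is simply dropped
    return fs
```

Because each snapshot is taken at the offending process's first write, restoration returns the last pre-ransomware content, including edits made by benign processes in between.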

SLIDES 65–67

Storage Overhead

SLIDE 68

More Numbers?

SLIDE 69

Detection & Recovery Capabilities

➢ 1483 unseen samples (from VT + Trend)
  ○ Locky, TeslaCrypt, CryptoLocker, Critroni, TorrentLocker, CryptoWall, Troldesh, CryptoDefense, PayCrypt, DirtyDecrypt, ZeroLocker, Cerber, WannaCry
➢ Files protected: always 100%
  ○ Even in case of missed detection
➢ Detection rate: 1436/1483, 96.9%

SLIDE 71

False Positive Evaluation

FPR with One-machine-off Cross Validation

SLIDE 73

Overhead: Micro-benchmark

SLIDE 75

...however...

SLIDE 76

User-Perceived Overhead

Average estimated overhead = 0.26×

Figure: the user-mode Process → I/O Manager → Filter Manager → File System → Storage Driver → Hardware path (kernel mode) from slide 12.

SLIDE 78

Demo Time!

WannaCry Sample: ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa

SLIDE 79

Conclusions

Ransomware significantly differs from benign software from the filesystem’s viewpoint

  • DETECTION. Generic ML models to identify ransomware
    ○ Filesystem activity
    ○ Use of symmetric crypto primitives
  • PROTECTION. Pure detection is not enough
    ○ Self-healing virtual FS
    ○ Transparently revert the effects of ransomware

SLIDE 80

Andrea Continella

andrea.continella@polimi.it @_conand

Federico Maggi

federico_maggi@trendmicro.com @phretor

Questions?

http://shieldfs.necst.it

* This work is subject to a US patent (pending) no. 27019
