Document Type
Article
Publication Date
12-17-2024
Department
Department of Computer Science
Abstract
Ransomware attacks have become increasingly prevalent in recent years. Crypto-ransomware corrupts files on an infected device and demands a ransom to recover them. In computing devices using flash memory storage (e.g., SSD, MicroSD, etc.), existing designs recover the compromised data by extracting the entire raw flash memory image, restoring the entire external storage to a good prior state. This is feasible by taking advantage of the out-of-place updates feature implemented in the flash translation layer (FTL). However, due to the lack of "file" semantics in the FTL, such a solution does not allow fine-grained data recovery in terms of files. Considering the file-centric nature of ransomware attacks, recovering the entire disk is mostly unnecessary. In particular, the user may just wish for a speedy recovery of certain critical files after a ransomware attack. In this work, we have designed FFRecovery, a new ransomware defense strategy that supports fine-grained per-file data recovery after a ransomware attack. Our key idea is that, to restore a file corrupted by the ransomware, we (1) restore its file system metadata via file system forensics, (2) extract its file data via raw data extraction from the FTL, and (3) assemble the corresponding file system metadata and the file data. Another essential aspect of FFRecovery is that we add a garbage collection delay and freeze mechanism into the FTL so that no raw data is lost prior to the recovery and, additionally, the raw data needed for the recovery can always be located. A prototype of FFRecovery has been developed, and our experiments using real-world ransomware samples demonstrate the effectiveness of FFRecovery. We also demonstrate that FFRecovery has negligible storage cost and performance impact.
Publication Title
Cybersecurity
Recommended Citation
Dafoe, J., Chen, N., Chen, B., & Wang, Z. (2024). Enabling per-file data recovery from ransomware attacks via file system forensics and flash translation layer data extraction. Cybersecurity, 7(1). http://doi.org/10.1186/s42400-024-00287-9
Retrieved from: https://digitalcommons.mtu.edu/michigantech-p2/1274
Creative Commons License
This work is licensed under a Creative Commons Attribution 4.0 International License.
Version
Publisher's PDF
Publisher's Statement
© The Author(s) 2024. Publisher’s version of record: https://doi.org/10.1186/s42400-024-00287-9