"Boffins Unveil SSD-Insider++, Promise Ransomware Detection and Recovery Right in Your Storage"

An international team of researchers says it can make Solid-State Drives (SSDs) that ransomware attacks cannot affect, by detecting infections and reverting unexpected encryption in seconds with a small increase in latency. DaeHun Nyang, PhD, at Ewha Womans University (EWU), came up with the idea of firmware-level detection because many users do not install anti-ransomware software. The aim is to protect those users by building anti-ransomware capability into the SSD itself.

The concept behind SSD-Insider++ is to look for patterns of drive activity that correspond with ransomware attacks and then stop the attack in its tracks. It does this directly on the storage device, running on the controller hardware. SSD-Insider++ relies on intelligent analysis to detect unwanted patterns. When it detects ransomware activity, it suspends input/output to the storage and warns the user through a companion application that they have been infected with ransomware. Users can then remove the ransomware process during the suspension.

According to its creators, SSD-Insider++ can also reverse any damage to data resulting from a ransomware attack within seconds. Instead of creating copies of data, it leverages an operational characteristic of SSDs: because NAND flash is updated out of place, the drive already keeps old versions of data. This enables the backup of original files without extra copies and the instant rollback of infected files if needed.

Testing on in-the-wild and lab-grade malware samples showed that the system can detect 100 percent of tested ransomware and reverse damage within 10 seconds of the start of encryption. It did so at a minor cost of a 12.8 percent to 17.3 percent increase in latency, with a worst-case throughput drop measured at about 8 percent.

This technology exists purely in firmware, meaning it could be added to existing SSDs without the need for any hardware modifications. However, extra hardware resources would be required to implement some advanced features such as entropy-based detection. This article continues to discuss the concept, capabilities, evaluation, and potential expansion of SSD-Insider++.
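The rollback idea described above can be modelled in a few lines. This is an added example, not code from the SSD-Insider++ authors or from the article: `ToyFTL`, the 10-second window, the overwrite threshold and the sample data are all assumptions, and the overwrite counter is only a stand-in for the real detector.

```python
# Toy model of a flash translation layer (FTL). Class name, window and
# threshold are assumptions for illustration, not SSD-Insider++ internals.
class ToyFTL:
    def __init__(self, window=10.0, overwrite_limit=3):
        self.flash = []      # physical pages, append-only (out-of-place writes)
        self.l2p = {}        # logical block address -> physical page index
        self.journal = []    # (time, lba, previous physical index or None)
        self.window = window
        self.overwrite_limit = overwrite_limit
        self.suspended = False

    def write(self, now, lba, data):
        if self.suspended:
            raise OSError("I/O suspended: suspected ransomware activity")
        # Entries older than the window expire; their old pages may be reclaimed.
        self.journal = [e for e in self.journal if now - e[0] <= self.window]
        # NAND is not updated in place: the new version goes to a fresh page
        # and the previous page stays intact until it is garbage collected.
        self.journal.append((now, lba, self.l2p.get(lba)))
        self.flash.append(data)
        self.l2p[lba] = len(self.flash) - 1
        # Stand-in detector (assumption): count overwrites of existing data.
        overwrites = sum(1 for _, _, old in self.journal if old is not None)
        if overwrites >= self.overwrite_limit:
            self.suspended = True

    def read(self, lba):
        return self.flash[self.l2p[lba]]

    def rollback(self):
        # Undo journaled writes newest-first by re-pointing the mapping table.
        for _, lba, old in reversed(self.journal):
            if old is None:
                self.l2p.pop(lba, None)
            else:
                self.l2p[lba] = old
        self.journal.clear()
        self.suspended = False

def demo():
    ftl = ToyFTL()
    originals = [f"report-{i}".encode() for i in range(4)]  # constructed data
    for lba, data in enumerate(originals):
        ftl.write(0.0, lba, data)
    blocked = 0
    for lba in range(4):  # constructed overwrite burst, 20 s later
        try:
            ftl.write(20.0 + lba, lba, bytes([0xA5 ^ lba]) * 8)
        except OSError:
            blocked += 1
    ftl.rollback()
    return blocked, [ftl.read(lba) for lba in range(4)] == originals
```

No data is copied at any point: recovery only restores mapping entries to pages that out-of-place writing had left untouched.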

The Register reports "Boffins Unveil SSD-Insider++, Promise Ransomware Detection and Recovery Right in Your Storage"

Submitted by Anonymous on