Abstract

Ransomware attacks have become increasingly prevalent in recent years. Crypto-ransomware corrupts files on an infected device and demands a ransom to recover them. On computing devices that use flash memory storage (e.g., SSDs, MicroSD cards), existing designs recover the compromised data by extracting the entire raw flash memory image and restoring the whole external storage to a good prior state. This is feasible because the flash translation layer (FTL) performs out-of-place updates, so stale copies of overwritten data remain on the flash until garbage collection reclaims them. However, because the FTL has no notion of "files", such a solution cannot support fine-grained, per-file recovery. Given the file-centric nature of ransomware attacks, recovering the entire disk is mostly unnecessary; in particular, the user may simply want a speedy recovery of certain critical files after an attack. In this work, we design FFRecovery, a new ransomware defense strategy that supports fine-grained per-file data recovery after a ransomware attack. Our key idea is that, to restore a file corrupted by the ransomware, we (1) recover its file system metadata via file system forensics, (2) extract its file data via raw data extraction from the FTL, and (3) assemble the recovered metadata and file data. Another essential aspect of FFRecovery is a garbage collection delay and freeze mechanism added to the FTL, so that no raw data is lost before recovery and the raw data needed for recovery can always be located. We have developed a prototype of FFRecovery, and our experiments with real-world ransomware samples demonstrate its effectiveness. We also show that FFRecovery incurs negligible storage cost and performance impact.
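The three-step recovery and the garbage-collection freeze described above, as an added toy simulation that is not code from the FFRecovery paper or its prototype. It models a page-mapped FTL with out-of-place updates, lets a "ransomware" overwrite a file's logical pages with ciphertext, and then reassembles the pre-attack file from the stale physical pages. Everything here is an assumption for illustration: the names FlashSim, FILE_LPNS, attack_scenario and recover_file, the 4-byte pages, the constructed sample bytes, and the simplification that the file's ordered logical page list stands in for the metadata that file system forensics (step 1) would recover; the forensics itself is not modelled, and the ransomware is assumed to overwrite the file in place rather than write a new file and delete the old one.

```python
"""Toy FTL model for per-file recovery after a ransomware overwrite.

Constructed illustration only (not the FFRecovery prototype): FlashSim,
FILE_LPNS, recover_file and the 4-byte pages are assumptions. A 'file' is
modelled as the ordered list of logical pages that file-system metadata
(an inode or extent list) would point at.
"""
from typing import Dict, List, Optional

PAGE_SIZE = 4

# Constructed sample data: a three-page file, then the ciphertext that a
# crypto-ransomware writes over the same logical pages.
FILE_LPNS = [0, 1, 2]
PLAIN_CHUNKS = [b"SECR", b"ET_D", b"ATA!"]
CIPHER_CHUNKS = [b"\x9a\x11\xf3\x07", b"\x42\x00\xee\x81", b"\x13\x37\xde\xad"]


class FlashSim:
    """Page-mapped FTL with out-of-place updates and an optional GC freeze."""

    def __init__(self, n_pages: int) -> None:
        self.phys: List[Optional[bytes]] = [None] * n_pages  # physical pages
        self.l2p: Dict[int, int] = {}  # logical page -> live physical page
        # logical page -> every physical page ever written for it, oldest first
        self.history: Dict[int, List[int]] = {}
        self.next_free = 0
        self.gc_frozen = False

    def write(self, lpn: int, data: bytes) -> int:
        """Out-of-place update: new data lands on a fresh physical page and
        the previous page is merely marked stale, so it survives until GC."""
        if len(data) != PAGE_SIZE:
            raise ValueError("page-sized writes only")
        if self.next_free >= len(self.phys):
            raise RuntimeError("no free pages; GC required")
        ppn = self.next_free
        self.next_free += 1
        self.phys[ppn] = data
        self.l2p[lpn] = ppn
        self.history.setdefault(lpn, []).append(ppn)
        return ppn

    def read(self, lpn: int) -> bytes:
        """Normal read path: follows the live mapping only."""
        return self.phys[self.l2p[lpn]]

    def garbage_collect(self) -> int:
        """Erase stale pages and forget where they were. Under the freeze
        (the delay/freeze idea from the abstract) nothing is reclaimed, so
        pre-attack page versions stay both present and locatable."""
        if self.gc_frozen:
            return 0
        erased = 0
        for lpn, versions in self.history.items():
            for ppn in versions[:-1]:
                self.phys[ppn] = None
                erased += 1
            self.history[lpn] = versions[-1:]
        return erased


def read_file(flash: FlashSim, lpns: List[int]) -> bytes:
    """What the file system sees after the attack: the live (encrypted) pages."""
    return b"".join(flash.read(lpn) for lpn in lpns)


def recover_file(flash: FlashSim, lpns: List[int]) -> bytes:
    """Assemble the pre-attack file: the page list stands in for the metadata
    recovered by file-system forensics; each page's previous physical
    version is pulled straight from raw flash, bypassing the live l2p map."""
    chunks = []
    for lpn in lpns:
        versions = flash.history.get(lpn, [])
        if len(versions) < 2 or flash.phys[versions[-2]] is None:
            raise LookupError(f"pre-attack copy of logical page {lpn} is gone")
        chunks.append(flash.phys[versions[-2]])
    return b"".join(chunks)


def attack_scenario(freeze_gc: bool) -> FlashSim:
    """Write the file, let 'ransomware' overwrite it, then run GC with or
    without the freeze engaged before GC gets to run."""
    flash = FlashSim(n_pages=16)
    for lpn, chunk in zip(FILE_LPNS, PLAIN_CHUNKS):
        flash.write(lpn, chunk)
    flash.gc_frozen = freeze_gc
    for lpn, chunk in zip(FILE_LPNS, CIPHER_CHUNKS):
        flash.write(lpn, chunk)
    flash.garbage_collect()
    return flash


if __name__ == "__main__":
    frozen = attack_scenario(freeze_gc=True)
    print("live view :", read_file(frozen, FILE_LPNS))
    print("recovered :", recover_file(frozen, FILE_LPNS))
    try:
        recover_file(attack_scenario(freeze_gc=False), FILE_LPNS)
    except LookupError as err:
        print("without freeze:", err)
```

The contrast between the two scenarios is the point of the freeze: with GC frozen, the live mapping still returns ciphertext (the file system view is unchanged), yet the original plaintext is fully reassembled from stale pages; without the freeze, one GC pass erases those pages and per-file recovery fails. A real FTL would also have to keep the stale pages' logical-to-physical association (out-of-band metadata) intact, which the history table approximates.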
