KEY-SSD: Access-Control Drive to Protect Files from Ransomware Attacks

Traditional techniques to prevent damage from ransomware attacks are to detect and block attacks by monitoring the known behaviors such as frequent name changes, recurring access to cryptographic libraries and exchange keys with remote servers. Unfortunately, intelligent ransomware can easily bypass these techniques. Another prevention technique is to recover from the backup copy when a file is infected with ransomware. However, the data backup technique requires extra storage space and can be removed with ransomware. In this paper, we propose to implement an access control mechanism on a disk drive, called a KEY-SSD disk drive. KEY-SSD is the data store and the last barrier to data protection. Unauthorized applications will not be able to read file data even if they bypass the file system defense, thus denying the block request without knowing the disk's registered block key and completely eliminating the possibility of the file becoming hostage to ransomware. We have prototyped KEY-SSD and validated the usefulness of KEY-SSD by demonstrating 1) selective block access control, 2) unauthorized data access blocking and 3) negligible performance overhead. Our comprehensive evaluation of KEY-SSD for various workloads show the KEY-SSD performance is hardly degraded due to OS lightweight key transmission and access control drive optimization. We also confirmed that KEY-SSD successfully protects the files in the actual ransomware sample.
Comment: 12 pages, 20 figures