An international team of researchers has developed an SSD security solution that acts at the controller firmware level, meaning the feature is baked right into the storage device to detect out-of-the-ordinary activity that signals a ransomware infection and its attempt to encrypt your data. According to the researchers, the method degrades performance slightly, to the tune of a 17% latency performance decrease and a maximum of 8% lower throughput. The solution is said to be easily integrated into the SSD manufacturing chain, and aims to become an integral barrier on commercial SSD solutions to the ransomware problem - made all the more graver due to most users not deploying ransomware-focused (or at the very least, ransomware-aware) security solutions. This research differs from other SSD-bound security solutions in that it is completely hardware-based and can purportedly repair the damage done by ransomware attacks.
"I came up with the idea of firmware level detection because I know that many [users] don't install anti-ransomware software," DaeHun Nyang, Ph.D., at EWU told The Register of the origin of the team's research project. "So I thought that it would be good if we can protect people not having anti-ransomware installed on their computers by providing them with an anti-ransomware-intrinsic SSD."
The firmware solution, tentatively named SSD-Insider++, takes advantage of the inherent writing and deletion mechanisms in NAND flash. The firmware has been shown to detect and stop ransomware incursions with 100% efficacy whilst reverting any encryption that's actually achieved within 10 seconds of the process' start. "We have evaluated SSD-Insider++ using real-world and in-house ransomware programs, including WannaCry and Mole, while various background applications are running," the research team wrote. "Our implementation of SSD-Insider++ has 100 percent detection accuracy with almost 0 percent FRR/FAR [False Rejection Rate and False Acceptance Rate] in most cases with shorter than 10 seconds of detection latency."
The firmware uses the SSD controller to constantly monitor SSD activity, with red flags being raised if any sort of encryption workload is being carried out that isn't user-triggered. Should that happen, the controller stops all write requests to the SSD, effectively suspending the encryption process, notifying the user via its companion software app to allow for immediate action (such as running an antivirus sweep to remove the cause of the ransomware encryption attempt). The software layer in the companion app isn't a part of the solution itself, which is entirely hardware-based. Still, it allows the user to interact with the firmware solution and immediately recovery any data that was encrypted before the process was stopped in its tracks.
While this particular firmware solution is deployable in the current crop of SSD drives, further improvements to ransomware protection technologies may require manufacturers to improve controller performance "To implement some advanced features like entropy-based detection, however, extra hardware resources - e.g., higher performance Arm CPU or hardware accelerators - would be needed," Sungjin Lee, Ph.D. and a member of the research team, said.
However, SSDs are currently in the process of integrating more powerful (and more varied) hardware accelerators such as FPGAs, NPUs, and encryption processing engines, so the researchers expect that more complex protection mechanisms will walk alongside the developing SSD ecosystem. The firmware solution is also theoretically deployable on Shingled Magnetic Recording (SMR) HDDs (where the performance impact is more severe than in an SSD). However, it hasn't been tested in that environment.
The Register asked for commentary on the proposed SSD-Insider++ solution against the ransomware scourge, with ESET UK security expert Jake Moore saying that "Unfortunately, this new feature may not be foolproof. The function leverages a delay in deletion which means that ransomware developers would and could still bypass this feature with the knowledge of how this antidote operates." But of course, that is true of any security solution: bad players will always attempt to subvert them, forcing a permanent game of catch between security and intrusion.
