Monday, September 13th 2021

SSD-Insider++ Promises Ransomware-free SSDs

Over the past couple of years there has been a huge increase in ransomware attacks, and now scientists claim to have a solution that could help protect SSDs from getting encrypted by ransomware. The SSD-Insider++, as the solution has been named, claims to be able to detect ransomware activity and reverse the encryption on the fly.

SSD-Insider++ was developed by a group of engineers from South Korea's Inha University, Daegu Institute of Science and Technology, and the Cyber Security Department at Ewha Womans University (EWU), as well as a researcher from the University of Central Florida in the US. It's a firmware-level protection that looks for patterns of ransomware activity on the drive and stops it before any damage has been done. This is done by suspending I/O to the SSD, which will apparently give the user a chance to remove the ransomware from the system before it has a chance to encrypt the data. The creators of SSD-Insider++ also claim that any damage that might have occurred before the ransomware was detected can be reversed in a matter of seconds, simply by using data held in the NAND flash before the data has been trimmed.

Furthermore, there are claims of being able to detect 100 percent of ransomware in the wild and of reversing any damage caused within 10 seconds of the encryption starting, thanks to the firmware-level implementation. SSD-Insider++ does come with an increase in SSD latency of somewhere between 12.8 and 17.3 percent in the test scenarios, as well as a worst-case drop in throughput of about eight percent. By implementing it at the firmware level, workarounds ought to be harder, but maybe not impossible.
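To show why a drive can undo recent overwrites at all, here is a toy flash translation layer in C, added here as an example and not taken from SSD-Insider++ or from the article. It assumes out-of-place writes with old pages kept until garbage collection; the overwrite-count detector, the window length, the threshold and all names are hypothetical.

```c
#include <stdio.h>
#define NUM_LBA   16    /* logical blocks exposed to the host (constructed size) */
#define NUM_PPA   64    /* physical NAND pages (constructed size) */
#define WINDOW    10    /* seconds of write history kept for rollback (assumed) */
#define THRESHOLD 4     /* overwrites per window that trip the detector (assumed) */
#define UNMAPPED  (-1)

struct log_entry { int t, lba, old_ppa; };
static int nand[NUM_PPA];               /* page contents; one int stands in for data */
static int map[NUM_LBA];                /* logical -> physical mapping table */
static struct log_entry wlog[NUM_PPA];  /* one entry per write, in time order */
static int next_ppa, nlog, suspended;

void ftl_init(void) {
    for (int i = 0; i < NUM_LBA; i++) map[i] = UNMAPPED;
    next_ppa = nlog = suspended = 0;
}

/* Out-of-place write: the previous page is left intact, only the map changes. */
int ftl_write(int t, int lba, int data) {
    if (suspended || lba < 0 || lba >= NUM_LBA || next_ppa >= NUM_PPA) return -1;
    wlog[nlog++] = (struct log_entry){ t, lba, map[lba] };
    nand[next_ppa] = data;
    map[lba] = next_ppa++;
    int overwrites = 0;                 /* recent writes that replaced live data */
    for (int i = 0; i < nlog; i++)
        if (wlog[i].t > t - WINDOW && wlog[i].old_ppa != UNMAPPED) overwrites++;
    if (overwrites >= THRESHOLD) suspended = 1;   /* refuse further host writes */
    return 0;
}

int ftl_read(int lba) { return map[lba] == UNMAPPED ? -1 : nand[map[lba]]; }

/* Point every block written inside the window back at its previous page. */
int ftl_rollback(int now) {
    int restored = 0;
    for (int i = nlog - 1; i >= 0 && wlog[i].t > now - WINDOW; i--, restored++)
        map[wlog[i].lba] = wlog[i].old_ppa;
    return restored;
}

int main(void) {
    ftl_init();
    for (int l = 0; l < 4; l++) ftl_write(0, l, 100 + l);       /* user data */
    for (int l = 0; l < 4; l++) ftl_write(60 + l, l, 900 + l);  /* overwrite burst */
    int n = ftl_rollback(63);
    printf("suspended=%d restored=%d lba0=%d\n", suspended, n, ftl_read(0));
    return 0;
}
```

Rollback only works while the stale pages still exist, which is why the window has to be shorter than the time before garbage collection or TRIM reclaims them.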

Outside of the performance hit on current SSD controllers, the creators of SSD-Insider++ seem to think that we're going to need faster Arm cores and/or additional computing resources such as an NPU or a faster encryption/decryption engine in future SSD controllers to add advanced features such as entropy-based detection.

Seeing this technology implemented by the SSD controller manufacturers is most likely just a matter of time, at least on the enterprise side of things. Several Korean SSD controller manufacturers have already been contacted, but so far there hasn't been any real interest.
Source: The Register

11 Comments on SSD-Insider++ Promises Ransomware-free SSDs

#1
zlobby
Hmm, and what if someone tries to enable BitLocker or tries to encrypt files in RAR?
#2
Lnxepique
zlobby wrote: Hmm, and what if someone tries to enable BitLocker or tries to encrypt files in RAR?
Ransomware generally has unique patterns in the way it operates, at least the majority of those currently in "circulation".

Bitlocker for instance will encrypt everything, while Ransomware would ideally go for smaller files, like documents/pictures/etc. first, and overwrite these in place with the same but encrypted data.

Encrypting files in 7-Zip or RAR archives is nowhere near the throughput of ransomware - ransomware usually needs to be fast to be effective, meaning it will encrypt tons of files at different locations on the drive. Knowing this fact however, we will see Ransomware that acts differently once drives with this technology should roll out.

However, applying this protection to the masses of unprotected drives out there would still have a net benefit, not every Ransomware is and will be refined to bypass it. Combine it with software and the security increases tremendously.
#3
Vya Domus
Lnxepique wrote: Encrypting files in 7-Zip or RAR archives is nowhere near the throughput of ransomware - ransomware usually needs to be fast to be effective, meaning it will encrypt tons of files at different locations on the drive. Knowing this fact however, we will see Ransomware that acts differently once drives with this technology should roll out.
As far as I know ransomwares simply scramble the data since it's never actually meant to be decrypted anyway.
#4
zlobby
Vya Domus wrote: As far as I know ransomwares simply scramble the data since it's never actually meant to be decrypted anyway.
Uhm, how does the attacker actually gain from this? Most ransomware are providing you with a decryption key once you pay.
Lnxepique wrote: Ransomware generally has unique patterns in the way it operates, at least the majority of those currently in "circulation".

Bitlocker for instance will encrypt everything, while Ransomware would ideally go for smaller files, like documents/pictures/etc. first, and overwrite these in place with the same but encrypted data.

Encrypting files in 7-Zip or RAR archives is nowhere near the throughput of ransomware - ransomware usually needs to be fast to be effective, meaning it will encrypt tons of files at different locations on the drive. Knowing this fact however, we will see Ransomware that acts differently once drives with this technology should roll out.

However, applying this protection to the masses of unprotected drives out there would still have a net benefit, not every Ransomware is and will be refined to bypass it. Combine it with software and the security increases tremendously.
Good idea but it will easily be defeated with a small software patch in malware's code, while it still will be a huge effort to keep up when it comes to SSD firmware.

Plus, I prefer some digital hygiene over increased complexity, price and power consumption of the SSD. Plus, I'd hate to update my SSD's 'antivirus' every month just to be able to thwart a possible ransomware attack.
#5
ThrashZone
Hi,
Looks like along with ddr5, latency is hosed lol
#6
Vya Domus
zlobby wrote: Uhm, how does the attacker actually gain from this? Most ransomware are providing you with a decryption key once you pay.
They lie, why would they care? You can look this up, once you pay you never hear from them again. They're not gonna send you anything, that's why they minimize exposure to the absolute minimum.
#7
zlobby
Vya Domus wrote: They lie, why would they care? You can look this up, once you pay you never hear from them again. They're not gonna send you anything, that's why they minimize exposure to the absolute minimum.
Exactly the opposite from what I heard. I guess it's polarized?
#8
Tardian
Nature abhors a vacuum?
#9
zlobby
Tardian wrote: Nature abhors a vacuum?
Well, generalizing was never good in the first place.
#10
Fry178
lol. probably outdated code/fw by the time consumer buys/installs it.
and to me sounds "very smart".
like "Hey, front door can't be locked anymore.."
..installs security cam...
#11
chrcoluk
Good idea, but will need to be constantly updated probably, ransomware authors will work round it if it is widespread enough "and" effective.