Anti-Ransomware SSDs?

[NinJake]

Summary

An idea has stemmed from a team of researchers to help minimize ransomware attacks. How so? SSD firmware.

 

Quotes

Quote

As soon as it detects malicious activity, the mechanism disables input/output to the storage device, giving users the opportunity to remove the offending process that initiated the encryption.

 

My thoughts

While most of us techies may not go above and beyond to ensure our devices are patched and/or safe from ransomware attacks, I feel that todays "average" pc user might not even know what a ransomware attack is. Instead of having to create firewall rules and/or install "next-gen" antivirus, how could these researchers figure out a way to circumvent potential attacks for the average user? SSDs. Sure, there's still a bunch of people that have HDDs or companies that sell pre-builts with HDDs instead of SSDs.... this is a good step to help keep your data safe. With a supposed 100% success rate, I feel that this will definitely have a ton of support from small to medium sized businesses. And your "average" pc user might not even realize what's working on in the background, yet potentially keeping their data safe. You're welcome grandma.

 

We'll have to wait and see how this unfolds.

 

 

Sources

https://www.techradar.com/news/your-ssd-may-soon-be-able-to-detect-ransomware-attacks

[BondiBlue]

This actually sounds pretty interesting, though I could see it posing a problem in some applications. I'll have to keep an eye on this. 

[Middcore]

Boy at first blush this seems a lot like Neil DeGrasse Tyson's galaxy-brained "why don't they just make unhackable systems?" idea. If it was that easy to "detect malicious activity" then the problem would already be solved.

[porina]

Quote

the mechanism only increases latency between 12.8%-17.3% with a throughput drop that maxed out at 8%.

How much performance hit would you like with that?

 

Implementation sounds reasonable, since when you write, it doesn't actually overwrite the data but stores it in a new location. The old data is only unmapped, but it could be remapped as long as it hasn't actually been TRIM'd yet. You could undo that. The big danger is, if the data on the SSD is not what the system thinks is on it, you could end up with inconsistent states. 

 

I'm thinking this might be a good idea if you can selectively apply it. For example, you might have a designated user data area to be protected, but it would be low value to protect software or other replaceable files.

 

Other factors to be considered it not just how well it can pick up known attack patterns, but I'd want them to prove it is resistant to false positives too. For example, what if you actually do want to encrypt certain data? How do you tell that apart from malware doing same? Imagine you thought you encrypted something, but the SSD silently undid that in the background.

[Dedayog]

Isn't this basically TPM for the SSD?  Or am I mistaken?

[OhioYJ]

31 minutes ago, BondiBlue said:

 though I could see it posing a problem in some applications. I'll have to keep an eye on this. 

 

Absolutely. I remember tripping ransomware protection on a company computer once because I was trying to legitimately delete a large folder.  It stopped the file deletion and wouldn't let me go any further (I had already copied the data I needed to another drive). I ended up having to boot into Linux to fix the issue. 

 

An SSD with this kind of "feature" is a hard pass for me if it can't be disabled. I see what they are going for, but no. I'd rather just risk having to format my machine then have to deal with my PC telling me I can't do something. 

[StDragon]

24 minutes ago, Dedayog said:

Isn't this basically TPM for the SSD?  Or am I mistaken?

It's more of VSS (Volume Shadow Copy Service), but at the hardware level instead of the OS.

[mr moose]

Or just keep a regular back up offline.  I've been a bit lazy of late, but usually I periodically take an image of all the PC's in my house and store them in a closet.  At the very least I always have a back up of all the important files in cold storage.

[whm1974]

Most Ransomware Issues are caused between the Chair and Keyboard. Don't Pirate and be careful of what and where you DL.

[Quackers101]

when anti ransomware becomes ransomware

[Zodiark1593]

A Write-Once, Read-Many device would be a pretty hard target for ransomware to destroy. 
 

A SSD or HDD controller could be made with a write-protect feature that disregards delete commands, and includes a physical switch that toggled, wipes the entire drive. Not super convenient, but good for archival. Backups are a must too, but layers of protection is nice to have. 
 

This leaves the other problem of preventing ransoware from exfiltrating private data instead. 

[Quackers101]

5 minutes ago, Zodiark1593 said:

A SSD or HDD controller could be made with a write-protect feature that disregards delete commands, and includes a physical switch that toggled, wipes the entire drive. Not super convenient, but good for archival. Backups are a must too, but layers of protection is nice to have.

having clear paths and a controller that can choose those paths to open, when selecting a number etc. and if open for write new or "update".

[mr moose]

Just now, The Unknown Voice said:

Until the closet catches fire, then what happens?

 

I grew up in a time when a house fire was the loss of nearly everything.  If my house catches fire I have bigger problems than the loss of my pictures and a few programs.

 

Suffice to say, my point was not to be absolute in perfection, but simply to avoid malware and the more common data loss issues.

[da na]

Fascinating. I could see this being good, but I could also see it blocking crap it doesn't need to and if it was hardware level/firmware of the controller... well good luck disabling that

[Sauron]

Sounds good but... I'm not sure it can reliably identify attacks vs false positives. Is ransomware encryption that different from regular, user requested encryption? I could see this working a lot better if it simply required you enter a password in order to be allowed to run encryption.

 

Otherwise the simplest solution remains a cloud backup.

[jagdtigger]

8 hours ago, whm1974 said:

Most Ransomware Issues are caused between the Chair and Keyboard. Don't Pirate and be careful of what and where you DL.

Thats pretty outdated advice, nowadays you could get infected even on a trusted site even without downloading anything.....

[Akolyte]

I can see this becoming a cool technology that ultimately becomes too difficult to deal with due to all of the problems that come up as a result of this special firmware.

 

We need to remember that the biggest risk of modern day ransomware to businesses is the information exfiltration (e.g. customer records, etc) causing significant reputational damages in addition to the other damages of having your files encrypted.

 

Cost-effective backup options that allow you to use WORM (Write-Once, Read-Many) are out there for businesses that are looking for a disaster recovery solution.

 

In the end ransomware attacks will always be a possibility, since there will always be vulnerabilities.  But in the modern day of the internet - many companies have poor systems architecture (there is always the crusty server in the back), and so the best option in my opinion is for customers and vendors alike to start improving on their architectural security.

 

I know this is a long one - just my 2 cents.  This is a cool technology, but my hunch many businesses probably won't see it important enough to justify the cost.

[Quackers101]

1 hour ago, jagdtigger said:

Thats pretty outdated advice, nowadays you could get infected even on a trusted site even without downloading anything.....

Click on Me.exe

(this element is corrupt and contains malware)

[mr moose]

2 hours ago, jagdtigger said:

Thats pretty outdated advice, nowadays you could get infected even on a trusted site even without downloading anything.....

Odd times when we agree.  But we do here.  Tech has become complex enough that even the well experienced tech heads can get caught out.

[whm1974]

4 hours ago, jagdtigger said:

Thats pretty outdated advice, nowadays you could get infected even on a trusted site even without downloading anything.....

I wouldn't say that it is completely outdated. It still works for most Malware most of the time.

[mr moose]

38 minutes ago, whm1974 said:

I wouldn't say that it is completely outdated. It still works for most Malware most of the time.

remember when ccleaner ( a highly recommended sys tool from a large antivirus company) was compromised with malware causing millions of people to download a backdoor?

 

https://www.wired.com/story/inside-the-unnerving-supply-chain-attack-that-corrupted-ccleaner/

 

I also believe there was malware distributed through Linux repositories, but I haven't got a link and couldn't be bothered looking.  But that one was a bit nasty because the recommended way to get secure software installed was compromised (falaks or something if I remember).

 

It's no longer good enough to just be cautious and use common sense. 

[BetteBalterZen]

I hope this will become a thing that actually works and will be implemented across all SSD's so that in the future it's a normal security feature. 

We have already seen what ransomware can do to hospitals and so on. It's terrifying. 

[whm1974]

2 hours ago, mr moose said:

remember when ccleaner ( a highly recommended sys tool from a large antivirus company) was compromised with malware causing millions of people to download a backdoor?

 

https://www.wired.com/story/inside-the-unnerving-supply-chain-attack-that-corrupted-ccleaner/

 

I also believe there was malware distributed through Linux repositories, but I haven't got a link and couldn't be bothered looking.  But that one was a bit nasty because the recommended way to get secure software installed was compromised (falaks or something if I remember).

 

It's no longer good enough to just be cautious and use common sense. 

I went Windows free for awhile so no I don't remember this. However I recall the News about Linux Mint being Compromised. I'll have to read up on the details, but it was one person who gain The Chain of Trust by submitting good code.

 

[CTR640]

22 hours ago, James Evens said:

Can't wait for the McAfee SSD.

McAfee SSD Regular: 200$

McAfee SSD Ultra: 0,5kg of coke

McAfee SSD Super Safe: 1.25kg of coke

McAfeee SSD Ultra Instinct: 5kg of pure coke

[Doobeedoo]

That's quite neat.