Encryption has become an indispensable technology for preserving confidentiality. Unfortunately, cybercriminals have re-purposed this technology to deny users access to their data. This trend has sparked an onslaught of ransomware attacks that have resulted in several victims being extorted to pay ransoms in return for restoring their maliciously encrypted data. In response to these challenges, we propose a novel runtime solution that seamlessly defends against cryptographic ransomware. A key observation made by this work is that maliciously encrypted data is initially buffered in the OS's page cache before it is flushed to the underlying storage device. Based on this observation, we develop a solution that efficiently manages data synchronization between the memory and storage subsystems to prevent maliciously encrypted data from being permanently committed to the underlying storage. We extensively validate the robustness of this approach against more than one thousand ransomware samples and show that our design reliably restores all encrypted files. Furthermore, our solution is resilient to ransomware that employs techniques including master boot record infection and multi-threaded attacks. Finally, an evaluation of our proof-of-concept implementation shows minimal performance impact while running a mix of compute- and I/O-bound applications.
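The observation above, that an overwrite is buffered as dirty pages before it reaches the disk, is the whole leverage point: until flush, the original bytes are still on storage, so a flush-time gate can refuse to commit a suspicious write and the file is trivially recoverable. The following is an added, self-contained toy model written for this page, not the authors' implementation: a write-back cache (`WriteBackCache`) over a dictionary standing in for the disk, with a flush policy that holds back any write turning a low-entropy file into a high-entropy one. The entropy heuristic, thresholds, and the constructed sample data are assumptions for illustration; the abstract does not say how the real system decides what to hold.

```python
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 .. 8.0) of a byte string."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


class WriteBackCache:
    """Toy page cache sitting between writers and a simulated disk.

    write() only buffers dirty data; flush() decides per file whether the
    buffered bytes may be committed to `storage`. A write that turns an
    existing low-entropy file into a high-entropy one is held back, so the
    on-disk copy is never overwritten and restore() can hand it back.
    (Assumed illustrative policy, not the paper's actual design.)
    """

    def __init__(self, storage, high_entropy=7.0, min_jump=2.0):
        self.storage = storage      # simulated disk: path -> bytes
        self.dirty = {}             # buffered, not-yet-flushed writes
        self.quarantined = {}       # writes refused at flush time
        self.high_entropy = high_entropy
        self.min_jump = min_jump

    def write(self, path, data):
        # Nothing touches storage here; the bytes sit in the cache.
        self.dirty[path] = data

    def looks_like_encryption(self, old, new):
        if old is None:             # brand-new file: nothing to compare
            return False
        new_h, old_h = shannon_entropy(new), shannon_entropy(old)
        return new_h >= self.high_entropy and new_h - old_h >= self.min_jump

    def flush(self):
        """Commit safe writes to storage; hold the suspicious ones."""
        committed, held = [], []
        for path, data in self.dirty.items():
            if self.looks_like_encryption(self.storage.get(path), data):
                self.quarantined[path] = data
                held.append(path)
            else:
                self.storage[path] = data
                committed.append(path)
        self.dirty.clear()
        return committed, held

    def restore(self, path):
        """Drop the held write; the untouched on-disk copy is the restore."""
        self.quarantined.pop(path, None)
        return self.storage.get(path)


def demo():
    # Constructed sample data: readable text (low entropy) and a byte
    # permutation standing in for ciphertext (entropy exactly 8.0).
    plaintext = b"Quarterly report: revenue grew and costs fell. " * 8
    ciphertext = bytes(range(256)) * 2
    other_blob = bytes(reversed(range(256))) * 2

    disk = {"notes.txt": plaintext, "archive.zip": ciphertext}
    cache = WriteBackCache(disk)
    cache.write("notes.txt", ciphertext)    # ransomware-style overwrite
    cache.write("archive.zip", other_blob)  # already high entropy: no jump
    cache.write("memo.txt", plaintext)      # ordinary new file
    committed, held = cache.flush()
    return committed, held, cache.restore("notes.txt") == plaintext


if __name__ == "__main__":
    print(demo())
```

Two edge cases are deliberately exercised: a file that was already high-entropy (a compressed archive) being rewritten is committed because the entropy jump is zero, and a new file has no on-disk predecessor to compare against, so it is committed as well. The held write is never flushed, which is why recovery needs no backup copy.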