ShieldFS A Self-healing, Ransomware-aware Filesystem


ShieldFS is an innovative solution to fight ransomware attacks. It automatically creates detection models that distinguish ransomware from benign processes at runtime on the base of the filesystem activity. ShieldFS adapts these models to the filesystem usage habits observed on the protected system. ShieldFS applies the detection approach in a real-time, self-healing virtual filesystem that shadows the write operations and reverts the effects of ransomware attacks safeguarding the integrity of users' data. Thus, if a file is modified by one or more malicious processes, the filesystem presents the original, mirrored copy to the user space applications. This shadowing mechanism is dynamically activated and deactivated depending on the outcome of the aforementioned detection logic. Additionally, ShieldFS looks for indicators of the use of cryptographic primitives. In particular, ShieldFS scans the memory of any process considered as potentially malicious, searching for traces of the typical block cipher key schedules.


ShieldFS is a research project developed at NECSTLab, DEIB - Politecnico di Milano.


ShieldFS: A Self-healing, Ransomware-aware Filesystem
Andrea Continella, Alessandro Guagnelli, Giovanni Zingaro, Giulio De Pasquale, Alessandro Barenghi, Stefano Zanero, Federico Maggi.
In Proceedings of the Annual Computer Security Applications Conference (ACSAC), Los Angeles, CA, December, 2016.
[PDF] [BibTex] [Slides]


ShieldFS: The Last Word In Ransomware Resilient Filesystems
Andrea Continella, Alessandro Guagnelli, Giovanni Zingaro, Giulio De Pasquale, Alessandro Barenghi, Stefano Zanero, Federico Maggi.
Black Hat USA 2017, Las Vegas, NV, July, 2017.

Via Ponzio, 34/5
20133 Milano, Italy

The NECST Lab (Novel, Emerging Computing System Technologies Laboratory) comprises a number of different research lines on advanced topics in computing systems, ranging from architectural characteristics, to hardware- software codesign methodologies, to security and dependability issues of complex system architectures (scaling from mobile devices to large virtualized datacenters).

Furthermore, the laboratory pursues its historical tradition of research in the definition of methodologies and techniques regarding testability, auto-diagnosis and fault tolerance both for hardware architectures and hardware-software systems.

Further information about the NECSTLab can be found on the NECSTLab official website or Facebook page.

ShieldFS Team

Dataset Release

In order to understand how ransomware compares to benign software from the filesystem's viewpoint, we analyzed in depth how benign software typically interacts with the filesystem on real-world computers. We performed the first large-scale data collection of I/O request packets (IRPs) from real- world, ransomware-free machines, to profile the low-level filesystem activity in normal conditions. We collected and anonymized data from 11 machines used by volunteers for their typical day-to-day tasks (i.e., personal, office, and development).

In the spirit of open science we are happy to release our dataset to the community. If you are interested in getting access to our data, send us an email.

Press Coverage

Press covering our work:

Contact us!