
ShieldFS the first true shield for ransomware

In recent months, successive waves of ransomware attacks have hit the internet globally, shutting down businesses and vital infrastructure from hospitals to telecommunications.

So the research of Andrea Continella and his team is quite timely: a tool that detects ransomware automatically, almost instantly, and restores your system from backups before the crooks lock it down completely.

The tool is called ShieldFS, and it is not designed as a broad antivirus platform. Instead, it only scans for ransomware attacks.

The new project reportedly focuses only on identifying the unique cryptographic behaviours of ransomware, which allows ShieldFS to detect not only known types of malware, but also any new attacks that act in a ransomware-like manner.

The team, from Politecnico di Milano, Italy, will present ShieldFS at the Black Hat security conference in Las Vegas on Wednesday.

"We have developed a set of indicators that can be used to very effectively clarify whether a process is ransomware or a benign process," says Stefano Zanero, a security researcher who worked on the project.

By focusing on detecting the encryption itself, rather than simply cataloging specific types of ransomware, ShieldFS can prevent known and unknown ransomware.

The researchers tested common types of ransomware, such as CryptoLocker and TeslaCrypt, which attack a system in the standard way - scanning the disk and encrypting each file. At Black Hat, the team is preparing to demonstrate the ShieldFS tool's defense against WannaCry, the ransomware that hit thousands of computers in May.

When the tool detects a suspicious new program, it enters an observation phase to determine whether this program is ransomware or not.

During this period, which researchers call "shadowing," ShieldFS begins to keep a log of everything the intrusive program does and every file it accesses.

If ShieldFS concludes that the program is malicious, it blocks the encryption of files and automatically restores all files infected by the ransomware from extensive backups. According to the researchers, if ShieldFS flags a program by mistake (a false positive), it will not cause collateral damage.
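The observe, shadow and restore flow described above, sketched as an added example (not ShieldFS code, nor anything from the researchers). The entropy test, its 7.0 bits-per-byte threshold, the three-file cut-off and every class and function name are assumptions made for illustration; the article does not say which indicators ShieldFS uses.

```python
import math, os, shutil, tempfile
from collections import Counter
from pathlib import Path

def entropy(data):
    """Shannon entropy in bits per byte; encrypted output sits close to 8."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

class ShadowSession:
    """Observes one process: back up each file before its first write, log writes."""
    def __init__(self, threshold=7.0, min_files=3):  # assumed cut-offs, not ShieldFS's
        self.shadow_dir = Path(tempfile.mkdtemp(prefix="shadow-"))
        self.shadows = {}        # original path -> backup taken before first write
        self.suspicious = set()  # files that received high-entropy content
        self.threshold, self.min_files = threshold, min_files

    def write(self, path, data):
        if path not in self.shadows and path.exists():
            self.shadows[path] = self.shadow_dir / str(len(self.shadows))
            shutil.copy2(path, self.shadows[path])
        path.write_bytes(data)
        if entropy(data) >= self.threshold:
            self.suspicious.add(path)

    def verdict(self):
        return "malicious" if len(self.suspicious) >= self.min_files else "benign"

    def close(self):
        """Malicious verdict: restore every shadowed file. Benign: keep its writes."""
        restored = []
        if self.verdict() == "malicious":
            for path, backup in self.shadows.items():
                shutil.copy2(backup, path)
                restored.append(path)
        shutil.rmtree(self.shadow_dir)
        return restored

def demo():
    """Constructed sample: four text files, one benign editor, one encryptor."""
    root = Path(tempfile.mkdtemp(prefix="docs-"))
    original = b"quarterly report draft\n" * 50
    paths = [root / f"doc{i}.txt" for i in range(4)]
    for p in paths:
        p.write_bytes(original)
    editor, locker = ShadowSession(), ShadowSession()
    editor.write(paths[0], original + b"one more line\n")
    for p in paths[1:]:
        locker.write(p, os.urandom(4096))  # stand-in for ciphertext
    return editor.close(), locker.verdict(), locker.close(), [p.read_bytes() for p in paths]
```

Because the backup is taken before the first write regardless of the eventual verdict, a false positive costs only a rollback of that one process's writes, and a benign verdict costs only the discarded shadow copies.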

SecNews