SSD-Insider: Internal defense of solid-state drive against ransomware with perfect data recovery

Sungha Baek, Youngdon Jung, Aziz Mohaisen, Sungjin Lee, Daehun Nyang

Research output: Chapter in Book/Report/Conference proceedingConference contributionpeer-review

45 Scopus citations


Ransomware is a malware that encrypts victim's data, where the decryption key is released after a ransom is paid by the data owner to the attacker. Many ransomware attacks were reported recently, making anti-ransomware a crucial need in security operation, and an issue for the security community to tackle. In this paper, we propose a new approach to defending against ransomware inside NAND flash-based SSDs. To realize the idea of defense-inside-SSDs, both a lightweight detection technique and a perfect recovery algorithm to be used as a part of SSDs firmware should be developed. To this end, we propose a new set of lightweight behavioral features on ran-somware's overwriting pattern, which are invariant across various ransomwares. Our features rely on observing the block I/O request headers only, and not the payload. For perfect and instant recovery, we also propose using the delayed deletion feature of SSDs, which is intrinsic to NAND flash. To demonstrate their feasibility, we implement our algorithms atop an open-channel SSD as a working prototype called SSD-Insider. In experiments using eight real-world and two in-house ransomwares with various background applications running, SSD-Insider achieved a detection accuracy 0% FRR/FAR in most scenarios, and only 5% FAR when heavy overwriting resembling ransomware's data wiping occurs. SSD-Insider detects ransomware activity within 10s, and recovers instantly an infected SSD within 1s with 0% data loss. The additional software overheads incurred by the SSD-Insider is just 147 ns and 254 ns for 4-KB reads and writes, respectively, which is negligible considering NAND chip latency (50-1000 μs).

Original languageEnglish
Title of host publicationProceedings - 2018 IEEE 38th International Conference on Distributed Computing Systems, ICDCS 2018
PublisherInstitute of Electrical and Electronics Engineers Inc.
Number of pages10
ISBN (Electronic)9781538668719
StatePublished - 19 Jul 2018
Event38th IEEE International Conference on Distributed Computing Systems, ICDCS 2018 - Vienna, Austria
Duration: 2 Jul 20185 Jul 2018

Publication series

NameProceedings - International Conference on Distributed Computing Systems


Conference38th IEEE International Conference on Distributed Computing Systems, ICDCS 2018

Bibliographical note

Funding Information:
Acknowledgement. This research was supported by Global Research Lab. (GRL) Program of the National Research Foundation (NRF) funded by Ministry of Science, ICT (Information and Communication Technologies)and Future Planning(NRF-2016K1A1A2912757). This work was supported in part by the Basic Science Research Program through the National Research Foundation of Korea funded by the Ministry of Education under Grant NRF-2016R1C1B2011415, and in part by NRF grants NRF-2016K1A1A2912757, NRF-2017R1E1A1A01077410, and NSF grant CNS-1809000. Dae-Hun Nyang and Sungjin Lee are the corresponding authors.

Publisher Copyright:
© 2018 IEEE.


  • Detection
  • Firmware
  • Ransomware
  • Recovery
  • SSD


Dive into the research topics of 'SSD-Insider: Internal defense of solid-state drive against ransomware with perfect data recovery'. Together they form a unique fingerprint.

Cite this