
WO2024149436A1 - Method and apparatus for recovering file system - Google Patents


Info

Publication number: WO2024149436A1
Application number: PCT/EP2023/050263
Authority: WO (WIPO, PCT)
Prior art keywords: file, file system, primary, ransomware, activity
Legal status: Pending (assumed; Google has not performed a legal analysis)
Other languages: French (fr)
Inventor: Assaf Natanzon
Current assignee: Huawei Technologies Co Ltd (listed assignees may be inaccurate)
Original assignee: Huawei Technologies Co Ltd
Application filed by Huawei Technologies Co Ltd
Priority to CN202380083320.5A (CN120322769A)
Priority to PCT/EP2023/050263 (WO2024149436A1)
Publication of WO2024149436A1

Classifications

    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/55 Detecting local intrusion or implementing counter-measures
    • G06F 21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F 21/568 Computer malware detection or handling, e.g. anti-virus arrangements eliminating virus, restoring damaged files

Definitions

  • The present disclosure relates generally to the field of data security and, more specifically, to a method and an apparatus for recovering a file system.
  • Ransomware is a prominent cyber threat to individuals as well as organizations when it comes to data security.
  • Ransomware is a type of malware that installs itself in a computing system and then maps the files that appear important to a user. It then creates an encrypted copy of a target file and deletes the original version of the target file. Finally, it issues a ransom note that appears either in the target file's location or as a pop-up on the user's screen.
  • The ransom note explains how to pay the ransom, typically in cryptocurrency, in order to regain access to the original data of the target file.
  • After payment of the ransom, the user may receive a decryption key that enables restoring the original data of the target file.
  • Often the user does not receive the decryption key even after paying the ransom, and the data is lost permanently. Such ransomware attacks therefore result in significant financial losses in the form of ransom, downtime, and data loss.
  • The present disclosure provides a method and an apparatus for recovering a file system.
  • The present disclosure addresses the problem of recovering the data more efficiently and effectively, with a shorter processing time to recover the file system completely.
  • An objective of the present disclosure is to provide a solution that overcomes at least partially the problems encountered in the prior art and provides an improved method and an improved apparatus for recovering the file system, such as by using a live file system ransomware recovery leveraging smart file system continuous data protection, CDP.
  • the present disclosure provides a method of recovering a file system.
  • the method comprises detecting an activity of a ransomware software in a primary file system that uses a file system level continuous data protection, CDP, system logging all file operations for backing up the primary file system to a backup storage, blocking the ransomware software activity by declining new inputs and outputs, IOs, associated with the detected ransomware software activity and determining a last clean point in time, PIT, before the ransomware software activity has occurred.
  • the method comprises determining one or more files infected by the ransomware software in the primary file system and obtaining an uninfected version of the file for each of the infected files.
  • the method comprises selecting operations from a log file of the file system level CDP system recorded for the uninfected version of the file after the last clean PIT that is not associated with the detected ransomware software activity and applying the selected operations to the uninfected version of the file for each of the infected files.
  • The method is used for recovering the file system from the ransomware software activity, such as by identifying the potential malware attack and raising alerts for the detected ransomware attacks.
  • The method provides an efficient recovery of the data with reduced processing time, such as by recovering all the infected files that are affected by the ransomware software activity.
  • The method is used to monitor and trace the parameters of the ransomware software activity.
  • Prior knowledge of the parameters of the ransomware software activity provides improved and immediate detection of the ransomware software activity.
  • the method is used for leveraging the ability of the file system level CDP system to track the full life cycle of each file, such as from creation to all other changes that are performed on the file.
  • the obtaining of the uninfected version of the file comprises obtaining a version of the file at the last clean PIT from a backup data of the primary file system.
  • the uninfected version of the files for each of the infected files allows the recovery of the infected files efficiently with reduced processing time.
  • the selected operations are applied by a re-player means of the file system level CDP system.
  • the selecting of operations from the log file of the file system level CDP system comprises, determining whether an operation in the log file of the file system level CDP system is associated with the detected ransomware software activity based on an activity pattern of the ransomware software.
  • The selecting of operations from the log file of the file system level CDP system comprises determining that a file delete operation is associated with the detected ransomware software activity if it was issued by the ransomware software. Furthermore, the method determines that a data write operation is associated with the detected ransomware software activity if it comprises writing encrypted data. Furthermore, the method determines that a file create operation is associated with the detected ransomware software activity if it comprises creating an encrypted copy of a file.
  • Identifying the operations that are associated with the ransomware software activity allows the selective application of the primary file system operations and allows all the operations associated with the ransomware software activity to be ignored, eliminating the adverse effect of the ransomware software activity.
  • the primary file system resides on a primary storage, and the method further comprises returning the recovered files from the backup storage to the primary storage.
  • an apparatus for recovering a file system includes a primary file system controller configured for detecting an activity of a ransomware software in a primary file system, wherein the primary file system uses a file system level continuous data protection, CDP, system that logs file operations for backing up the primary file system to a backup storage, blocking the ransomware software activity by declining new inputs and outputs, IOs, associated with the detected ransomware software activity, and determining one or more files infected by the ransomware software in the primary file system.
  • a backup controller is configured for determining the last clean point in time, PIT, before the ransomware software activity has occurred and obtaining an uninfected version of the file for each of the infected files.
  • the apparatus achieves all the advantages and technical effects of the method of the present disclosure.
  • FIG. 1 is a flowchart of a method of recovering a file system, in accordance with an embodiment of the present disclosure
  • FIG. 2 is a block diagram of an apparatus for recovering a file system, in accordance with an embodiment of the present disclosure
  • FIG. 3 is a diagram that depicts an exemplary scenario for recovering a file system, in accordance with an embodiment of the present disclosure.
  • FIG. 1 is a flowchart of a method of recovering a file system, in accordance with an embodiment of the present disclosure. With reference to FIG. 1, there is shown a flowchart of a method 100 that includes steps 102 to 114.
  • the method 100 of recovering a file system is used for recovering the file system from a ransomware attack, such as by using a live file system ransomware recovery leveraging a smart file system level continuous data protection, CDP, system.
  • the method 100 comprises detecting an activity of a ransomware software in a primary file system that uses a file system level continuous data protection, CDP, system for logging all file operations for backing up the primary file system to a backup storage.
  • a primary file system controller is used for detecting the activity of the ransomware software that corresponds to an execution of a computer executable code that is designed to destroy the data or obstruct a user from accessing the data, such as by installing itself in a computing system and further encrypting a user data that is stored in the primary file system.
  • the primary system uses the file system level CDP system by logging all the file operations, such as a write operation, a delete operation, a link operation, an unlink operation, a copy file range, a rename operation, and the like to back up the primary file system to the backup storage.
  • the method 100 comprises blocking the ransomware software activity by declining new inputs and outputs, IOs, associated with the detected ransomware software activity.
  • the new IOs which are detected as malware IOs are blocked, such as through an agent at a host that detects a process that is responsible for the creation of the new IOs.
  • For example, if the IO associated with the detected ransomware software activity is a “create” operation and an encrypted copy of an existing file is created by executing it, then the “create” operation is blocked.
  • the blocking of the new IOs prevents the ransomware software activity from causing any further damage to the primary file system.
  • The method 100 comprises determining a last clean point in time, PIT, before the ransomware software activity has occurred, such as by a backup controller or a CDP engine.
  • The last clean PIT identifies the point after which the ransomware software activity was initiated. As a result, the ransomware-associated operations executed after the last clean PIT can be ignored to eliminate the adverse effect of the ransomware software activity.
  • the determining of the last clean PIT includes analyzing a backup data of the primary file system in the backup storage including one or more snapshots of the primary file system on the backup storage, changesets and changeset indexes that are related to the one or more snapshots in the log file of the file system level CDP system on the backup storage.
  • The method 100 includes restarting the rolling of the backup data from the last clean PIT before the ransomware software activity started, and updating the primary file system controller with the parameters of the detected ransomware software activity so as to block all operations of the ransomware software activity.
  • the method 100 comprises determining one or more files that are infected by the ransomware software in the primary file system. Moreover, the one or more files that are infected by the ransomware software activity are determined based on the analysis of the backup data of the primary file system in the backup storage that includes one or more files that are deleted by the ransomware software, such as through the new IOs. Furthermore, at step 110, the method 100 comprises obtaining an uninfected version of the file for each of the infected files. The uninfected version of the file for each of the infected files corresponds to a version of the file, which is not affected by the ransomware software activity.
  • the obtaining of the uninfected version of the file comprises obtaining a version of the file at the last clean PIT from a backup data of the primary file system.
  • a backup controller is used to obtain the uninfected version of the file from the determined last clean PIT before the occurrence of the ransomware software activity.
  • the uninfected version of the files for each of the infected files allows the recovery of the infected files, such as through the last clean PIT and with reduced time.
  • the method 100 comprises selecting operations from a log file of the file system level CDP system recorded for the uninfected version of the file after the last clean PIT that is not associated with the detected ransomware software activity. The selection of the operations that are not associated with the detected ransomware software activity is beneficial to recover an updated version of the infected file.
  • the selecting of operations from the log file of the file system level CDP system includes determining whether an operation in the log file of the file system level CDP system is associated with the detected ransomware software activity based on an activity pattern of the ransomware software.
  • the method 100 provides a continuous data protection by detecting the ransomware software activity in the primary file system, such as by updating a ransomware detection means with a data about the detected ransomware software activity.
  • The data about the detected ransomware software activity includes parameters and/or the activity pattern of the detected ransomware software activity. For example, a file with a specific suffix is encrypted and the suffix of the file is then changed to a random suffix.
  • The method 100 further comprises determining that a file delete operation is associated with the detected ransomware software activity if the operation was issued by the ransomware software.
  • If the operation from the log file of the file system level CDP system is a file delete operation associated with the detected ransomware software activity, the file is not deleted and the operation is marked as a suspicious deletion.
  • the method 100 comprises, determining that a data write operation is associated with the detected ransomware software activity if it includes writing an encrypted data.
  • the method 100 comprises, determining that a file create operation is associated with the detected ransomware software activity if it includes creating an encrypted copy of a file.
  • If the operation from the log file of the file system level CDP system is a file create operation associated with the detected ransomware software activity and involving encryption of data, the corresponding file create operation is blocked and the data write operations for that file are ignored.
  • The method 100 thus allows the selective application of the primary file system operations and allows all the operations associated with the ransomware software activity to be ignored, eliminating the adverse effect of the ransomware software activity.
  • the method 100 comprises applying the selected operations to the uninfected version of the file.
  • the operations that are not associated with the detected ransomware software activity are selected to update the uninfected version of the file for each of the files after the last clean PIT and to obtain a final updated version of the file.
  • the method 100 allows an efficient recovery of the infected files with reduced processing time.
  • the selected operations are applied by a re-player means of the file system level CDP system.
  • online ransomware detection tools are integrated with a file system level CDP re-player that applies the file system level CDP system operation to a replica file system to recover the infected files, such as by replaying the selected operations.
  • replaying the selected operations enables the primary file system to roll back the changes that are performed by the ransomware software activity.
  • In an exemplary scenario, the primary file system includes three files: a first file (e.g., “A.txt”), a second file (e.g., “B.txt”), and a third file (e.g., “C.txt”). The log file of the file system level CDP system records the following sequence of operations:
  • a read operation on the first file (“read A.txt”);
  • a write operation producing an encrypted copy of the first file (“write A.enc”);
  • a write operation on the second file (“write to B.txt”);
  • a delete operation on the first file (“delete A.enc”);
  • a write operation on the third file (“write to C.txt”);
  • a read operation on the second file (“read B.txt”);
  • a write operation producing an encrypted copy of the second file (“write B.enc”);
  • a delete operation on the second file (“delete B.txt”);
  • a read operation on the third file (“read C.txt”);
  • a delete operation on the third file (“delete C.txt”).
  • The operations on files with the “.enc” suffix are determined to be associated with the ransomware software activity.
  • The operations on “.enc” files are ignored, and the write operations not associated with the ransomware, such as the write to the second file (“write B.txt”) and the write to the third file (“write C.txt”), are applied.
  • In this way the infected files, such as the second file and the third file, are recovered and the adverse effect of the ransomware software activity is eliminated.
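The following Python is an added example, not the patent's code and not part of the original page. It models the FIG. 1 flow over the scenario above: a journal of file operations, the activity pattern used to attribute operations to the malware (the suffix it writes, the process ids the host agent flagged, and a Shannon-entropy test standing in for "writing encrypted data"), the blocking step that declines new IOs, the last clean PIT, and file-level recovery that takes each infected file's version at the last clean PIT and replays only the clean operations onto it. The `Op` record, the `pid` field, whole-file write semantics, the entropy threshold, the ciphertext stand-in `bytes(range(256))` and the journal itself are all assumptions; the journal follows the page's sequence with a user edit added before the attack, and treats the page's deletion of the first file as the removal of the original A.txt.

```python
from collections import Counter
from dataclasses import dataclass
from math import log2

@dataclass(frozen=True)
class Op:
    t: int             # journal sequence number, used here as the point in time (PIT)
    kind: str          # "read" | "create" | "write" | "delete"
    path: str
    pid: int           # process that issued the IO (assumed: recorded by the host agent)
    data: bytes = b""  # whole-file content for create/write (assumed: a write replaces the file)

def looks_encrypted(data: bytes, min_len: int = 64, threshold: float = 7.5) -> bool:
    """Assumed stand-in for 'writing encrypted data': near-maximal Shannon entropy on a sizeable payload."""
    n = len(data)
    if n < min_len:
        return False
    return -sum(c / n * log2(c / n) for c in Counter(data).values()) >= threshold

@dataclass(frozen=True)
class RansomwarePattern:
    """Activity pattern captured at detection: the suffix the malware writes and the pids the agent flagged."""
    suffix: str
    pids: frozenset

    def matches(self, op: Op) -> bool:
        if op.pid in self.pids:                        # any IO issued by the malware, e.g. its delete of the original
            return True
        if op.kind in ("create", "write"):             # encrypted copy, recognised by name or by content
            return op.path.lower().endswith(self.suffix.lower()) or looks_encrypted(op.data)
        return False

def admit_io(pattern: RansomwarePattern, op: Op, declined: list) -> bool:
    if pattern.matches(op):                            # blocking step: decline the new IO and record it
        declined.append(op)
        return False
    return True

def apply_op(fs: dict, op: Op) -> None:
    if op.kind in ("create", "write"):
        fs[op.path] = op.data
    elif op.kind == "delete":                          # reads leave the state unchanged
        fs.pop(op.path, None)

def last_clean_pit(journal: list, pattern: RansomwarePattern) -> int:
    for op in journal:                                 # PIT just before the first entry attributed to the malware
        if pattern.matches(op):
            return op.t - 1
    return journal[-1].t if journal else 0

def snapshot_at(base: dict, journal: list, pit: int) -> dict:
    fs = dict(base)                                    # stands in for the backup snapshot plus its changesets
    for op in journal:
        if op.t <= pit:
            apply_op(fs, op)
    return fs

def recover(primary: dict, base: dict, journal: list, pattern: RansomwarePattern):
    """Per infected file: start from its version at the last clean PIT and replay only the clean operations."""
    pit = last_clean_pit(journal, pattern)
    clean = snapshot_at(base, journal, pit)
    infected = {op.path for op in journal if op.t > pit and op.kind != "read" and pattern.matches(op)}
    recovered, suspicious_deletes = dict(primary), []
    for path in sorted(infected):
        if path in clean:
            recovered[path] = clean[path]              # uninfected version from the backup
        else:
            recovered.pop(path, None)                  # absent at the clean PIT: the malware's own encrypted copy
        for op in journal:
            if op.t <= pit or op.path != path:
                continue
            if pattern.matches(op):
                if op.kind == "delete":
                    suspicious_deletes.append((op.t, path))  # not applied; marked as a suspicious deletion
                continue
            apply_op(recovered, op)                    # clean operation, replayed onto the clean version
    return recovered, pit, infected, suspicious_deletes

USER, MAL = 1, 7
CIPHERTEXT = bytes(range(256))                         # constructed ciphertext stand-in: exactly 8.0 bits/byte
BASE = {"A.txt": b"A v1", "B.txt": b"B v1", "C.txt": b"C v1"}
# Constructed journal following the page's FIG. 1 sequence, with a user edit at t=1 before the attack.
JOURNAL = [
    Op(1, "write", "A.txt", USER, b"A v2"), Op(2, "read", "A.txt", MAL),
    Op(3, "create", "A.enc", MAL, CIPHERTEXT), Op(4, "write", "B.txt", USER, b"B v2"),
    Op(5, "delete", "A.txt", MAL), Op(6, "write", "C.txt", USER, b"C v2"),
    Op(7, "read", "B.txt", MAL), Op(8, "create", "B.enc", MAL, CIPHERTEXT),
    Op(9, "delete", "B.txt", MAL), Op(10, "read", "C.txt", MAL), Op(11, "delete", "C.txt", MAL),
]
PATTERN = RansomwarePattern(".enc", frozenset({MAL}))

def run_scenario():
    primary = snapshot_at(BASE, JOURNAL, JOURNAL[-1].t)  # what the host sees after the attack: only .enc files
    return recover(primary, BASE, JOURNAL, PATTERN)

if __name__ == "__main__":
    fs, pit, infected, suspicious = run_scenario()
    print("last clean PIT:", pit, "| suspicious deletes:", suspicious, "| recovered:", fs)
```

Running it recovers A.txt, B.txt and C.txt with the user's edits after the last clean PIT intact, drops the malware's .enc copies, and reports the three ransomware deletes as suspicious rather than replaying them. The entropy test is deliberately conservative (64-byte minimum) so short plaintext edits are never mistaken for ciphertext; a real deployment would pair it with the process attribution the page's host agent provides rather than rely on content alone.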
  • the primary file system resides on a primary storage. Moreover, the method 100 further comprises returning the recovered files from the backup storage to the primary storage. Therefore, the adverse effects of the ransomware software activity, such as data loss, loss of money in the form of ransom, and the like are eliminated.
  • the backup storage resides in a network-attached storage, NAS, comprising one or more snapshots of the primary file system and the log file of the file system level CDP system.
  • The recovery of the infected files is performed by manipulating the metadata of the infected files within the NAS. It therefore does not require copying data from the primary file system, which reduces the processing time required for the recovery of the infected files.
  • The method 100 is used for recovering the file system from the ransomware software activity, such as by identifying the potential malware attack and raising alerts for the detected ransomware attacks.
  • The method 100 provides an efficient recovery of the data with reduced processing time, such as by recovering all the infected files that are affected by the ransomware software activity.
  • The method 100 is used to monitor and trace the parameters of the ransomware software activity.
  • Prior knowledge of the parameters of the ransomware software activity provides improved and immediate detection of the ransomware software activity in the future.
  • the method 100 is used for leveraging the ability of the file system level CDP system to track the full life cycle of each file, such as from creation to all other changes that are performed on the file.
  • steps 102 to 114 are only illustrative, and other alternatives can also be provided where one or more steps are added, one or more steps are removed, or one or more steps are provided in a different sequence without departing from the scope of the claims herein.
  • FIG. 2 is a block diagram of an apparatus for recovering a file system, in accordance with an embodiment of the present disclosure.
  • With reference to FIG. 2, there is shown an apparatus 202 that includes a primary file system controller 204 and a backup controller 212.
  • the apparatus 202 is configured to execute the method 100 of FIG. 1.
  • the primary file system controller 204 is configured to detect an activity of a ransomware software in a primary file system 206.
  • Examples of the primary file system controller 204 may include but are not limited to, a general-purpose processor, a controller, a microcontroller, a microprocessor, a complex instruction set computing, CISC, processor, an application-specific integrated circuit, ASIC, processor, a reduced instruction set, RISC, processor, a very long instruction word, VLIW, processor, a data processing unit, and other processors or control circuitry.
  • the backup controller 212 is configured for blocking the ransomware software activity.
  • Examples of the backup controller 212 may include but are not limited to, a general-purpose processor, a controller, a microcontroller, a microprocessor, a CISC processor, an ASIC processor, a RISC processor, a VLIW processor, a data processing unit, and other processors or control circuitry.
  • The apparatus 202 is used to recover a file system from a ransomware attack, such as by using a live file system ransomware recovery leveraging a smart file system level CDP system.
  • the primary file system controller 204 is configured to detect an activity of the ransomware software in the primary file system 206. Moreover, the primary file system 206 uses a file system level CDP system 208 that logs file operations for backing up the primary file system 206 to a backup storage 210.
  • the activity of the ransomware software corresponds to an execution of a computer executable code that is designed to destroy the data or obstruct a user from accessing the data, such as by installing itself in a computing system and further encrypting the user data that is stored in the primary file system 206.
  • the primary file system 206 uses the file system level CDP system 208 (or may also be referred to as a CDP system 208) by logging all the file operations, such as a write operation, a delete operation, a link operation, an unlink operation, a copy file range, a rename operation, and the like to back up the primary file system 206 to the backup storage 210.
  • the primary file system controller 204 is further configured to block the ransomware software activity by declining new IOs associated with the detected ransomware software activity. In other words, the new IOs, which are detected as malware IOs are blocked, such as through an agent at a host that detects a process that is responsible for the creation of the new IOs. Furthermore, the primary file system controller 204 is configured to determine one or more files 222 that are infected by the ransomware software in the primary file system 206.
  • the one or more files that are infected by the ransomware software activity are determined based on the analysis of the backup data 214 of the primary file system 206 in the backup storage 210 that includes the one or more files 222 that are deleted by the ransomware software, such as through the new IOs.
  • The backup controller 212 is configured to determine the last clean PIT before the ransomware software activity has occurred.
  • a CDP engine is used to determine the last clean PIT before the occurrence of the ransomware software activity, such as by analyzing the backup data of the primary file system in the backup storage. The last clean PIT is used to detect a PIT after which the ransomware software activity is initiated.
  • the backup controller 212 is configured to determine the last clean PIT by analyzing a backup data 214 of the primary file system 206 in the backup storage 210 that includes one or more snapshots of the primary file system 206 on the backup storage 210, changesets and changeset indexes that are related to the one or more snapshots in the log file 220 of the file system level CDP system 208 on the backup storage 210.
  • the backup controller 212 restarts rolling of the backup data 214 from the last clean PIT before the ransomware software activity started and updates the primary file system controller 204 with the parameters of the detected ransomware software activity so as to block all the operations of the ransomware software activity.
  • the backup controller 212 is configured to obtain an uninfected version of the file for each of the infected files.
  • the uninfected version of the file for each of the infected files corresponds to a version of the file, which is not affected by the ransomware software activity.
  • the backup controller 212 is configured to obtain the uninfected version of the file by obtaining a version of the file at the last clean PIT from a backup data 214 of the primary file system 206.
  • the uninfected version of the files for each of the infected files allows the recovery of the infected files, such as through the last clean PIT more efficiently with reduced processing time.
  • the backup controller 212 is configured to select operations from a log file 220 of the file system level CDP system 208 recorded for the uninfected version of the file after the last clean PIT that is not associated with the detected ransomware software activity.
  • the selection of the operations from the log file 220 is beneficial to recover an updated version of the infected file.
  • the backup controller 212 is configured to determine whether an operation in the log file 220 of the file system level CDP system 208 is associated with the detected ransomware software activity based on an activity pattern of the ransomware software.
  • the apparatus 202 provides the continuous data protection by detecting the ransomware software activity in the primary file system 206, such as by updating a ransomware detection means with a data about the detected ransomware software activity.
  • The data about the detected ransomware software activity includes parameters and/or the activity pattern of the detected ransomware software activity.
  • The backup controller 212 is configured to determine that a file delete operation is associated with the detected ransomware software activity if the file delete operation was issued by the ransomware software.
  • The backup controller 212 is configured to determine that a data write operation is associated with the detected ransomware software activity if the data write operation includes writing encrypted data. In an implementation scenario, if the operation from the log file of the file system level CDP system is a data write operation associated with the detected ransomware software activity and involving encryption of data, the corresponding data write operations are ignored and the remaining operations are applied.
  • the backup controller 212 is configured to determine that a file create operation is associated with the detected ransomware software activity if the file create operation includes creating an encrypted copy of a file. In an implementation scenario, if the operation from the log file of the file system level CDP system is the file create operation that is associated with the detected ransomware software activity and includes encryption of data, then, in such a case, the corresponding file create operation is blocked and the data write operations corresponding to that file are further ignored. Thus, the backup controller 212 is configured to selectively apply the primary file system 206 operations and ignore all the operations associated with the ransomware software activity to eliminate the adverse effect of the ransomware software activity.
  • the backup controller 212 is configured for applying the selected operations to the uninfected version of the file.
  • The backup controller 212 is configured for applying the selected operations using a re-player means of the file system level CDP system 208. Replaying the selected operations enables the primary file system 206 to roll back the changes performed after the detection of the ransomware software activity.
  • the primary file system 206 resides on a primary storage 216, and the primary file system controller 204 is configured to return the recovered files from the backup storage 210 to the primary storage 216. Therefore, the adverse effects of the ransomware software activity, such as data loss, loss of money in the form of ransom, and the like are eliminated.
  • the backup storage 210 resides in a network-attached storage, NAS, 218 that includes one or more snapshots of the primary file system 206 and the log file 220 of the file system level CDP system 208.
  • The backup controller 212 is configured to apply the selected operations by manipulating the metadata of the infected files within the NAS 218. The recovery of the infected files therefore does not require copying data from the primary file system, which reduces the processing time required for the recovery.
  • The apparatus 202 is used to recover the file system from the ransomware software activity, such as by identifying the potential malware attack and raising alerts for the detected ransomware attacks.
  • the apparatus 202 provides an efficient recovery of the data with reduced processing time, such as by recovering all the infected files that are affected by the ransomware software activity.
  • the primary file system 206 is used to monitor and trace the parameters of the ransomware software activity.
  • prior knowledge of the parameters of the ransomware software activity provides an improved and immediate detection of the ransomware software activity.
  • the apparatus 202 is used for leveraging the ability of the file system level CDP system 208 to track the full life cycle of each file, such as from creation to all other changes that are performed on the file.
  • FIG. 3 is a diagram that depicts an exemplary scenario for recovering a file system, in accordance with an embodiment of the present disclosure.
  • FIG. 3 is described in conjunction with elements from FIG. 2.
  • a production host 302 and a NAS system 304.
  • the production host 302 is configured to write to a primary file system 308, which is included in the NAS system 304.
  • the NAS system 304 includes a built-in file system level CDP system (e.g., the file system level CDP system 208 of FIG. 2), which includes a CDP journal 306.
  • the CDP journal 306 includes all the changes related to the primary file system 308 and also includes one or more snapshots of the primary file system 308, such as for leveraging the one or more snapshots.
  • the CDP journal 306 allows the primary file system 308 to roll back and eliminate the adverse effect of the ransomware software activity.
  • the apparatus 202 of FIG. 2 is configured to determine the related infected files in the primary file system 308. For example, if a file F1 that is stored in the primary file system 308 is found to be infected, then the apparatus 202 (of FIG. 2) is configured to roll back the changes to the file F1 and eliminate the adverse effect of the ransomware software activity.
  • the backup controller 212 is configured to determine an uninfected version of each of the infected files and determine the last clean PIT, such as by analyzing the backup data 214 of the primary file system 308 that is stored in a backup storage 210.
  • the backup storage 210 resides in the NAS system 304, which includes the one or more snapshots of the primary file system 308, such as a first snapshot 308A to a Kth snapshot 308K.
  • the backup controller 212 is configured for determining the last clean PIT by analyzing the one or more snapshots of the primary file system 308, such as by analyzing the first snapshot 308A to the Kth snapshot 308K on the NAS system 304, by analyzing changesets and the changeset indexes related to the one or more snapshots in the log file 220 (of FIG. 2) of the file system level CDP system 208 of FIG. 2 on the backup storage 210 of the NAS system 304.
  • the primary file system 308 allows a continuous snapshotting, such as from the first snapshot 308A to the Kth snapshot 308K that enables the apparatus 202 to restore the uninfected version of each of the infected files from the last clean PIT leveraging the detection of the ransomware software activity by the CDP journal 306.
  • the backup controller 212 (of FIG. 2) of the apparatus 202 is configured to apply the changes, such as by selecting the operations that are not associated with the detected ransomware software activity and applying them by means of manipulating the metadata of the infected files within the NAS system 304, to obtain an updated version of the infected file (i.e., the file F1).
  • the infected file is recovered with reduced processing time.
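The metadata manipulation described for the NAS system 304, as an added example (this code is not the patent's own): it assumes a content-addressed chunk pool shared by the snapshots and the CDP journal, in which the data of every logged write is already stored, so that recovering a file only rewrites the file's list of chunk references and copies no data. The selection of clean operations is taken as given here; the file name B.txt, the eight-byte chunks, the sample contents and the write records are constructed for the example.

```python
"""Zero-copy recovery of an infected file inside a NAS whose snapshots and CDP
journal share one storage pool.  Added illustration, not the patent's code;
the content-addressed chunk layout, chunk size and write records are
assumptions made for the example."""
import hashlib
from dataclasses import dataclass

CHUNK = 8   # bytes per chunk; tiny so the example stays readable


class Pool:
    """Content-addressed storage pool shared by the snapshots and the CDP journal."""

    def __init__(self):
        self.chunks = {}
        self.bytes_written = 0

    def put(self, data: bytes) -> str:
        ref = hashlib.sha256(data).hexdigest()[:16]
        if ref not in self.chunks:          # same bytes, same chunk: no second copy
            self.chunks[ref] = data
            self.bytes_written += len(data)
        return ref

    def read(self, refs) -> bytes:
        return b"".join(self.chunks[r] for r in refs)


@dataclass
class Inode:
    refs: list      # ordered chunk references: the file's metadata


@dataclass(frozen=True)
class WriteOp:
    name: str
    index: int      # chunk index written
    ref: str        # chunk placed in the pool when the write was journaled


def store_file(pool: Pool, data: bytes) -> Inode:
    return Inode([pool.put(data[i:i + CHUNK]) for i in range(0, len(data), CHUNK)])


def recover_by_metadata(pool, snapshot, selected_ops, name):
    """Rebuild the inode of `name` from the last clean snapshot's references plus
    the references of the selected (clean) journal writes.  Only the reference
    list changes; no chunk is read or copied.  Returns (inode, bytes copied)."""
    before = pool.bytes_written
    refs = list(snapshot[name].refs)
    for op in selected_ops:
        if op.name != name:
            continue
        if op.index < len(refs):
            refs[op.index] = op.ref      # overwrite of an existing chunk
        else:
            refs.append(op.ref)          # write past the end grows the file
    return Inode(refs), pool.bytes_written - before


def build_scenario():
    """Constructed sample: one clean snapshot, one clean write, one ransomware write."""
    pool = Pool()
    original = b"notes: budget ok, hiring pending"                 # 32 bytes, 4 chunks
    snapshot = {"B.txt": store_file(pool, original)}              # last clean PIT
    # Journal entries after the PIT; their data already lives in the pool.
    clean_write = WriteOp("B.txt", 3, pool.put(b" done!!!"))
    ransom_write = WriteOp("B.enc", 0, pool.put(bytes(range(8))))  # flagged by detection
    selected = [clean_write]                                        # ransom_write left out
    return pool, snapshot, selected, original, ransom_write


def demo():
    """Recover B.txt and report the bytes copied and whether any tainted chunk remains."""
    pool, snapshot, selected, _original, ransom_write = build_scenario()
    inode, copied = recover_by_metadata(pool, snapshot, selected, "B.txt")
    return pool.read(inode.refs), copied, ransom_write.ref in inode.refs


if __name__ == "__main__":
    data, copied, tainted = demo()
    print(data, "bytes copied:", copied, "tainted:", tainted)
```

Because the journaled write data and the snapshot chunks are already in the same pool, the recovered file is nothing more than a new reference list pointing at existing chunks; the returned copy count is zero, which is the processing-time saving the text claims.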

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • General Health & Medical Sciences (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

For recovering a file system, an activity of a ransomware software is detected in a primary file system that uses a file system level continuous data protection, CDP, system logging all file operations for backing up the primary file system to a backup storage. The ransomware software activity is blocked by declining new inputs and outputs, and a last clean point in time, PIT, before the ransomware software activity and one or more files infected by the ransomware software are determined. For each of these files, an uninfected version is obtained, the operations recorded for the uninfected version of the file after the last clean PIT that are not associated with the detected ransomware software activity are selected from a log file of the CDP system, and only the selected operations are applied to the uninfected version of the file for its recovery.

Description

METHOD AND APPARATUS FOR RECOVERING FILE SYSTEM
TECHNICAL FIELD
The present disclosure relates generally to the field of data security and more specifically, to a method and an apparatus for recovering a file system.
BACKGROUND
Ransomware is a prominent cyber threat to individuals as well as organizations when it comes to data security. In general, ransomware is a type of malware that installs itself in a computing system and then identifies files that seem important to the user. Thereafter, the ransomware creates an encrypted copy of a target file and deletes the original version of the target file. Finally, the ransomware issues a ransom note that either appears in place of the target file at the same location or pops up on the user's screen. The ransom note includes an explanation of how to pay the ransom, such as in cryptocurrency, to regain access to the original data of the target file. After payment of the ransom, the user receives a decryption key that enables the user to restore the original data of the target file. However, in some cases, the user does not receive the decryption key even after paying the ransom and, as a result, the data is lost forever. Therefore, such ransomware attacks result in significant financial losses in the form of ransom, downtime, and data loss.
Currently, certain attempts have been made to mitigate the risk of ransomware, such as securing e-mail gateways or web gateways with targeted attack protection, using mobile attack protection products, or monitoring servers in order to reduce the risk of a ransomware attack in its initialization phase. However, such attempts are inefficient and ineffective in mitigating the risk of ransomware completely. Therefore, when ransomware attacks the computing system, the recovery of the data plays a vital role in overcoming the adverse effect of the ransomware. Further, the data affected by the ransomware attack is encrypted, and to recover it, decryption of the data is required. However, while decrypting the data, there are certain scenarios in which the original data is lost and the recovery of the data becomes impossible, which is not desirable. In addition, such attempts are time-consuming and resource-intensive due to the complex operations required to recover the original data, and are still ineffective in recovering the original data completely. As a result, there exists a technical problem of how to recover the data more efficiently and effectively, with an improved processing time, so as to recover the file system completely.
Therefore, in light of the foregoing discussion, there exists a need to overcome the aforementioned drawbacks associated with the conventional methods of data security.
SUMMARY
The present disclosure provides a method and an apparatus for recovering a file system. The present disclosure provides a solution to the existing problem of how to recover the data more efficiently and effectively with an improved processing time that is required to recover the file system completely. An objective of the present disclosure is to provide a solution that overcomes at least partially the problems encountered in the prior art and provides an improved method and an improved apparatus for recovering the file system, such as by using a live file system ransomware recovery leveraging smart file system continuous data protection, CDP.
One or more objectives of the present disclosure are achieved by the solutions provided in the enclosed independent claims. Advantageous implementations of the present disclosure are further defined in the dependent claims.
In one aspect, the present disclosure provides a method of recovering a file system. The method comprises detecting an activity of a ransomware software in a primary file system that uses a file system level continuous data protection, CDP, system logging all file operations for backing up the primary file system to a backup storage, blocking the ransomware software activity by declining new inputs and outputs, IOs, associated with the detected ransomware software activity, and determining a last clean point in time, PIT, before the ransomware software activity has occurred. Furthermore, the method comprises determining one or more files infected by the ransomware software in the primary file system and obtaining an uninfected version of the file for each of the infected files. Furthermore, the method comprises selecting, from a log file of the file system level CDP system, the operations recorded for the uninfected version of the file after the last clean PIT that are not associated with the detected ransomware software activity, and applying the selected operations to the uninfected version of the file for each of the infected files. The method is used for recovering the file system, such as from the ransomware software activity, by identifying the potential malware attack and by raising alerts for the detected ransomware attacks. The method provides an efficient recovery of the data with reduced processing time, such as by recovering all the infected files that are affected by the ransomware software activity. Furthermore, the method is used to monitor and trace the parameters of the ransomware software activity. Thus, prior knowledge of the parameters of the ransomware software activity provides an improved and immediate detection of the ransomware software activity.
In addition, the method is used for leveraging the ability of the file system level CDP system to track the full life cycle of each file, such as from creation to all other changes that are performed on the file.
In an implementation form, the obtaining of the uninfected version of the file comprises obtaining a version of the file at the last clean PIT from a backup data of the primary file system.
In such an implementation, the uninfected version of the files for each of the infected files allows the recovery of the infected files efficiently with reduced processing time.
In a further implementation form, the selected operations are applied by a re-player means of the file system level CDP system.
Replaying the selected operations enables the primary file system to roll back the changes that are performed by the ransomware software activity.
In a further implementation form, the selecting of operations from the log file of the file system level CDP system comprises, determining whether an operation in the log file of the file system level CDP system is associated with the detected ransomware software activity based on an activity pattern of the ransomware software.
In a further implementation form, the selecting of operations from the log file of the file system level CDP system comprises determining that a file delete operation is associated with the detected ransomware software activity if it is issued by the ransomware software. Furthermore, the method comprises determining that a data write operation is associated with the detected ransomware software activity if it comprises writing encrypted data. Furthermore, the method comprises determining that a file create operation is associated with the detected ransomware software activity if it comprises creating an encrypted copy of a file.
The selection of operations that are associated with the ransomware software activity allows the selective application of the primary file system operations and further allows to ignore all the operations that are associated with the ransomware software activity to eliminate the adverse effect of the ransomware software activity.
In a further implementation form, the primary file system resides on a primary storage, and the method further comprises returning the recovered files from the backup storage to the primary storage.
Returning the recovered files from the backup storage to the primary storage eliminates the adverse effects of the ransomware software activity, such as data loss, loss of money in the form of ransom, and the like.
In another aspect, the present disclosure provides an apparatus for recovering a file system. The apparatus includes a primary file system controller configured for detecting an activity of a ransomware software in a primary file system, wherein the primary file system uses a file system level continuous data protection, CDP, system that logs file operations for backing up the primary file system to a backup storage, blocking the ransomware software activity by declining new inputs and outputs, IOs, associated with the detected ransomware software activity, and determining one or more files infected by the ransomware software in the primary file system. Furthermore, a backup controller is configured for determining the last clean point in time, PIT, before the ransomware software activity has occurred and obtaining an uninfected version of the file for each of the infected files. The backup controller is further configured for selecting, from a log file of the file system level CDP system, the operations recorded for the uninfected version of the file after the last clean PIT that are not associated with the detected ransomware software activity, for each of the infected files, and thereafter applying the selected operations to the uninfected version of the file.
The apparatus achieves all the advantages and technical effects of the method of the present disclosure.
It is to be appreciated that all the aforementioned implementation forms can be combined. It has to be noted that all devices, elements, circuitry, units and means described in the present application could be implemented in the software or hardware elements or any kind of combination thereof. All steps which are performed by the various entities described in the present application as well as the functionalities described to be performed by the various entities are intended to mean that the respective entity is adapted to or configured to perform the respective steps and functionalities. Even if, in the following description of specific embodiments, a specific functionality or step to be performed by external entities is not reflected in the description of a specific detailed element of that entity which performs that specific step or functionality, it should be clear for a skilled person that these methods and functionalities can be implemented in respective software or hardware elements, or any kind of combination thereof. It will be appreciated that features of the present disclosure are susceptible to being combined in various combinations without departing from the scope of the present disclosure as defined by the appended claims.
Additional aspects, advantages, features and objects of the present disclosure would be made apparent from the drawings and the detailed description of the illustrative implementations construed in conjunction with the appended claims that follow.
BRIEF DESCRIPTION OF THE DRAWINGS
The summary above, as well as the following detailed description of illustrative embodiments, is better understood when read in conjunction with the appended drawings. For the purpose of illustrating the present disclosure, exemplary constructions of the disclosure are shown in the drawings. However, the present disclosure is not limited to specific methods and instrumentalities disclosed herein. Moreover, those in the art will understand that the drawings are not to scale. Wherever possible, like elements have been indicated by identical numbers.
Embodiments of the present disclosure will now be described, by way of example only, with reference to the following diagrams wherein:
FIG. 1 is a flowchart of a method of recovering a file system, in accordance with an embodiment of the present disclosure;
FIG. 2 is a block diagram of an apparatus for recovering a file system, in accordance with an embodiment of the present disclosure; and FIG. 3 is a diagram that depicts an exemplary scenario for recovering a file system, in accordance with an embodiment of the present disclosure.
In the accompanying drawings, an underlined number is employed to represent an item over which the underlined number is positioned or an item to which the underlined number is adjacent. A non-underlined number relates to an item identified by a line linking the nonunderlined number to the item. When a number is non-underlined and accompanied by an associated arrow, the non-underlined number is used to identify a general item at which the arrow is pointing.
DETAILED DESCRIPTION OF EMBODIMENTS
The following detailed description illustrates embodiments of the present disclosure and ways in which they can be implemented. Although some modes of carrying out the present disclosure have been disclosed, those skilled in the art would recognize that other embodiments for carrying out or practicing the present disclosure are also possible.
FIG. 1 is a flowchart of a method of recovering a file system, in accordance with an embodiment of the present disclosure. With reference to FIG. 1, there is shown a flowchart of a method 100 that includes steps 102 to 114.
There is provided the method 100 of recovering a file system. The method 100 is used for recovering the file system from a ransomware attack, such as by using a live file system ransomware recovery leveraging a smart file system level continuous data protection, CDP, system.
At step 102, the method 100 comprises detecting an activity of a ransomware software in a primary file system that uses a file system level continuous data protection, CDP, system for logging all file operations for backing up the primary file system to a backup storage. In an implementation, a primary file system controller is used for detecting the activity of the ransomware software that corresponds to an execution of a computer executable code that is designed to destroy the data or obstruct a user from accessing the data, such as by installing itself in a computing system and further encrypting a user data that is stored in the primary file system. In addition, the primary system uses the file system level CDP system by logging all the file operations, such as a write operation, a delete operation, a link operation, an unlink operation, a copy file range, a rename operation, and the like to back up the primary file system to the backup storage.
Furthermore, at step 104, the method 100 comprises blocking the ransomware software activity by declining new inputs and outputs, IOs, associated with the detected ransomware software activity. In other words, the new IOs that are detected as malware IOs are blocked, such as through an agent at a host that detects the process responsible for creating the new IOs. For example, if an IO associated with the detected ransomware software activity is a "create" operation whose execution would create an encrypted copy of an existing file, then that "create" operation is blocked. As a result, the blocking of the new IOs prevents the ransomware software activity from causing any further damage to the primary file system.
At step 106, the method 100 comprises determining a last clean point in time, PIT, before the ransomware software activity has occurred. In an implementation, a backup controller (or a CDP engine) is used to determine the last clean PIT before the occurrence of the ransomware software activity, such as by analyzing the backup data of the primary file system in the backup storage. The last clean PIT is the PIT after which the ransomware software activity was initiated. As a result, the ransomware operations that were executed after the last clean PIT can be ignored to eliminate the adverse effect of the ransomware software activity. In accordance with an embodiment, the determining of the last clean PIT includes analyzing backup data of the primary file system in the backup storage, including one or more snapshots of the primary file system on the backup storage and the changesets and changeset indexes related to the one or more snapshots in the log file of the file system level CDP system on the backup storage. In an example, if a ransomware software activity is detected and the primary file system missed an operation of the ransomware software activity before the detection, then the method 100 includes restarting the roll-forward of the backup data from the last clean PIT before the ransomware software activity started and updating the primary file system controller with the parameters of the detected ransomware software activity so as to block all the operations of the ransomware software activity.
At step 108, the method 100 comprises determining one or more files that are infected by the ransomware software in the primary file system. Moreover, the one or more files that are infected by the ransomware software activity are determined based on the analysis of the backup data of the primary file system in the backup storage that includes one or more files that are deleted by the ransomware software, such as through the new IOs. Furthermore, at step 110, the method 100 comprises obtaining an uninfected version of the file for each of the infected files. The uninfected version of the file for each of the infected files corresponds to a version of the file, which is not affected by the ransomware software activity. In accordance with an embodiment, the obtaining of the uninfected version of the file comprises obtaining a version of the file at the last clean PIT from a backup data of the primary file system. In an implementation, a backup controller is used to obtain the uninfected version of the file from the determined last clean PIT before the occurrence of the ransomware software activity. As a result, the uninfected version of the files for each of the infected files allows the recovery of the infected files, such as through the last clean PIT and with reduced time. In addition, at step 112, the method 100 comprises selecting operations from a log file of the file system level CDP system recorded for the uninfected version of the file after the last clean PIT that is not associated with the detected ransomware software activity. The selection of the operations that are not associated with the detected ransomware software activity is beneficial to recover an updated version of the infected file.
In accordance with an embodiment, the selecting of operations from the log file of the file system level CDP system includes determining whether an operation in the log file of the file system level CDP system is associated with the detected ransomware software activity based on an activity pattern of the ransomware software. The method 100 provides a continuous data protection by detecting the ransomware software activity in the primary file system, such as by updating a ransomware detection means with data about the detected ransomware software activity. The data about the detected ransomware software activity includes the parameters and/or the activity pattern of the detected ransomware software activity. For example, a file with a specific suffix is encrypted and the suffix of the file is then changed to a random suffix. In such an embodiment, the method 100 further comprises determining that a file delete operation is associated with the detected ransomware software activity if it is issued by the ransomware software. In an implementation scenario, if the operation from the log file of the file system level CDP system is a file delete operation that is associated with the detected ransomware software activity, then the file is not deleted and the operation is marked as a suspicious deletion. Furthermore, the method 100 comprises determining that a data write operation is associated with the detected ransomware software activity if it includes writing encrypted data. In an implementation scenario, if the operation from the log file of the file system level CDP system is a data write operation that is associated with the detected ransomware software activity and includes encryption of data, then the corresponding data write operations are ignored and the subsequent operations are applied.
In addition, the method 100 comprises, determining that a file create operation is associated with the detected ransomware software activity if it includes creating an encrypted copy of a file. In an implementation scenario, if the operation from the log file of the file system level CDP system is the file create operation that is associated with the detected ransomware software activity and includes encryption of data, then, in such a case, the corresponding file create operation is blocked and the data write operations corresponding to that file are further ignored. Thus, the method 100 allows the selective application of the primary file system operations and further allows to ignore all the operations that are associated with the ransomware software activity to eliminate the adverse effect of the ransomware software activity.
At step 114, the method 100 comprises applying the selected operations to the uninfected version of the file. The operations that are not associated with the detected ransomware software activity are selected to update the uninfected version of each file after the last clean PIT and to obtain a final updated version of the file. As a result, the method 100 allows an efficient recovery of the infected files with reduced processing time. In accordance with an embodiment, the selected operations are applied by a re-player means of the file system level CDP system. In an implementation, online ransomware detection tools are integrated with a file system level CDP re-player that applies the file system level CDP system operations to a replica file system to recover the infected files, such as by replaying the selected operations. Hence, replaying the selected operations enables the primary file system to roll back the changes that are performed by the ransomware software activity.
In an example, the primary file system includes three files: a first file (e.g., an "A.txt" file), a second file (e.g., a "B.txt" file), and a third file (e.g., a "C.txt" file). The operations that are performed on the primary file system are listed below:
1. A read operation to read the first file (i.e., a "read A.txt" operation).
2. A write operation to write an encrypted copy of the first file (i.e., a "write A.enc" operation).
3. A write operation to write the second file (i.e., a "write to B.txt" operation).
4. A delete operation to delete the first file (i.e., a "delete A.txt" operation).
5. A write operation to write the third file (i.e., a "write to C.txt" operation).
6. A read operation to read the second file (i.e., a "read B.txt" operation).
7. A write operation to write an encrypted copy of the second file (i.e., a "write B.enc" operation).
8. A delete operation to delete the second file (i.e., a "delete B.txt" operation).
9. A read operation to read the third file (i.e., a "read C.txt" operation).
10. A write operation to write an encrypted copy of the third file (i.e., a "write C.enc" operation).
11. A delete operation to delete the third file (i.e., a "delete C.txt" operation).
In the above example, the write operations on files with the ".enc" suffix, and the delete operations on the originals that follow them, are determined to be the operations associated with the ransomware software activity. Thus, by using the re-player means, the operations involving the ".enc" suffix are ignored and the remaining write operations, such as the operation to write the second file (i.e., the "write to B.txt" operation) and the operation to write the third file (i.e., the "write to C.txt" operation), are applied to the versions of the files at the last clean PIT. Thus, the infected files, such as the second file and the third file, are recovered while eliminating the adverse effect of the ransomware software activity.
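The eleven operations above, replayed selectively as an added example (this code is not part of the patent, and the journal layout, the second snapshot at sequence 5, the ".enc" suffix pattern and the entropy threshold of 7 bits per byte are assumptions made for illustration). It classifies the journal entries by the criteria of step 112 (encrypted create/write operations, and the deletion of an original whose encrypted copy was produced earlier), determines the last clean PIT as the latest snapshot before the first flagged operation, and rolls that snapshot forward while skipping the flagged operations. It goes beyond the text in one respect: encrypted writes are flagged by the entropy of the written data as well as by the suffix, so a copy renamed with a random suffix is caught too.

```python
"""Selective replay of a file-system-level CDP journal after a ransomware
attack.  Added illustration for this page, not the patent's code; the journal
format, the ".enc" pattern and the entropy threshold are assumptions."""
import math
import os
from collections import Counter
from dataclasses import dataclass

ENCRYPTED_SUFFIX = ".enc"   # assumed activity pattern, as in the example above
ENTROPY_THRESHOLD = 7.0     # bits per byte; ciphertext is near 8, plain text well below


@dataclass(frozen=True)
class Op:
    seq: int          # journal position; also serves as the PIT clock
    kind: str         # "read", "write", "create" or "delete"
    name: str
    data: bytes = b""


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte of the written data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def stem(name: str) -> str:
    """File name without its suffix, so A.txt and A.enc map to the same stem."""
    return os.path.splitext(name)[0]


def classify(journal):
    """Seqs associated with the ransomware activity: writes/creates of encrypted
    data (by suffix or by entropy) and deletes of an original whose encrypted
    copy was produced earlier in the journal."""
    flagged, encrypted_stems = set(), set()
    for op in sorted(journal, key=lambda o: o.seq):
        if op.kind in ("write", "create"):
            if op.name.lower().endswith(ENCRYPTED_SUFFIX) or shannon_entropy(op.data) >= ENTROPY_THRESHOLD:
                flagged.add(op.seq)
                encrypted_stems.add(stem(op.name))
        elif op.kind == "delete" and stem(op.name) in encrypted_stems:
            flagged.add(op.seq)
    return flagged


def last_clean_pit(snapshots, flagged):
    """Latest snapshot taken before the first flagged operation."""
    first_bad = min(flagged) if flagged else float("inf")
    clean = [seq for seq in snapshots if seq < first_bad]
    if not clean:
        raise RuntimeError("no clean snapshot precedes the attack")
    return max(clean)


def recover(snapshots, journal):
    """Roll the last clean snapshot forward, applying only the clean operations.
    Returns (pit, recovered files, ignored seqs)."""
    flagged = classify(journal)
    pit = last_clean_pit(snapshots, flagged)
    fs = dict(snapshots[pit])
    ignored = []
    for op in sorted(journal, key=lambda o: o.seq):
        if op.seq <= pit or op.kind == "read":
            continue                      # already in the snapshot, or changes nothing
        if op.seq in flagged:
            ignored.append(op.seq)
            continue
        if op.kind in ("write", "create"):
            fs[op.name] = op.data
        elif op.kind == "delete":
            fs.pop(op.name, None)
    return pit, fs, ignored


def ciphertext_stub(seed: int) -> bytes:
    """Constructed stand-in for an encrypted copy: a permutation of all byte values."""
    return bytes((i * 97 + seed) % 256 for i in range(256))


# Constructed sample contents (not from the page).
A0, B0, C0 = b"quarterly report, draft 1\n", b"meeting notes\n", b"todo list\n"
B1, C1 = b"meeting notes, action items added\n", b"todo list, item 3 done\n"

SNAPSHOTS = {
    0: {"A.txt": A0, "B.txt": B0, "C.txt": C0},                   # first snapshot, clean
    5: {"A.enc": ciphertext_stub(13), "B.txt": B1, "C.txt": C1},  # later snapshot, mid-attack
}
JOURNAL = [  # the eleven operations of the example, with sample data attached
    Op(1, "read", "A.txt"),
    Op(2, "write", "A.enc", ciphertext_stub(13)),
    Op(3, "write", "B.txt", B1),
    Op(4, "delete", "A.txt"),
    Op(5, "write", "C.txt", C1),
    Op(6, "read", "B.txt"),
    Op(7, "write", "B.enc", ciphertext_stub(29)),
    Op(8, "delete", "B.txt"),
    Op(9, "read", "C.txt"),
    Op(10, "write", "C.enc", ciphertext_stub(41)),
    Op(11, "delete", "C.txt"),
]

if __name__ == "__main__":
    pit, fs, ignored = recover(SNAPSHOTS, JOURNAL)
    print("last clean PIT:", pit, "ignored:", ignored)
    for name in sorted(fs):
        print(name, fs[name])
```

The second snapshot is deliberately taken during the attack: it already holds A.enc, so it must not be chosen, and the PIT search lands on snapshot 0 because the first flagged operation is sequence 2. A.txt comes back unchanged from that snapshot, while B.txt and C.txt pick up the clean writes at sequences 3 and 5.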
In accordance with an embodiment, the primary file system resides on a primary storage. Moreover, the method 100 further comprises returning the recovered files from the backup storage to the primary storage. Therefore, the adverse effects of the ransomware software activity, such as data loss, loss of money in the form of ransom, and the like are eliminated. In accordance with an embodiment, the backup storage resides in a network-attached storage, NAS, comprising one or more snapshots of the primary file system and the log file of the file system level CDP system. Moreover, the recovery of the infected files includes manipulating metadata of the infected files within the NAS. In an implementation scenario, if the log file of the file system level CDP system and the snapshots of the primary file system are in the same storage pool in the NAS system, then, in that case, the recovery of the infected file is performed by manipulating the metadata of the infected files within the NAS. Moreover, the recovery of the infected files does not require copying of the data from the primary file system, which reduces the processing time that is required for the recovery of the infected files.
The method 100 is used for recovering the file system, such as from the ransomware software activity, by identifying the potential malware attack and by raising alerts for the detected ransomware attacks. The method 100 provides an efficient recovery of the data with reduced processing time, such as by recovering all the infected files that are affected by the ransomware software activity. Furthermore, the method 100 is used to monitor and trace the parameters of the ransomware software activity. Thus, prior knowledge of the parameters of the ransomware software activity provides an improved and immediate detection of the ransomware software activity in the future. In addition, the method 100 leverages the ability of the file system level CDP system to track the full life cycle of each file, from its creation through all other changes that are performed on the file.
The steps 102 to 114 are only illustrative, and other alternatives can also be provided where one or more steps are added, one or more steps are removed, or one or more steps are provided in a different sequence without departing from the scope of the claims herein.
FIG. 2 is a block diagram of an apparatus for recovering a file system, in accordance with an embodiment of the present disclosure. With reference to the FIG. 2, there is shown an apparatus 202 that includes a primary file system controller 204 and a backup controller 212. The apparatus 202 is configured to execute the method 100 of FIG. 1.
The primary file system controller 204 is configured to detect an activity of a ransomware software in a primary file system 206. Examples of the primary file system controller 204 may include but are not limited to, a general-purpose processor, a controller, a microcontroller, a microprocessor, a complex instruction set computing, CISC, processor, an application-specific integrated circuit, ASIC, processor, a reduced instruction set, RISC, processor, a very long instruction word, VLIW, processor, a data processing unit, and other processors or control circuitry.
The backup controller 212 is configured for blocking the ransomware software activity. Examples of the backup controller 212 may include but are not limited to, a general-purpose processor, a controller, a microcontroller, a microprocessor, a CISC processor, an ASIC processor, a RISC processor, a VLIW processor, a data processing unit, and other processors or control circuitry.
There is provided the apparatus 202 to recover a file system from a ransomware attack, such as by using a live file system ransomware recovery leveraging a smart file system level CDP system.
In operation, the primary file system controller 204 is configured to detect an activity of the ransomware software in the primary file system 206. Moreover, the primary file system 206 uses a file system level CDP system 208 that logs file operations for backing up the primary file system 206 to a backup storage 210. The activity of the ransomware software corresponds to an execution of a computer executable code that is designed to destroy the data or obstruct a user from accessing the data, such as by installing itself in a computing system and further encrypting the user data that is stored in the primary file system 206. In addition, the primary file system 206 uses the file system level CDP system 208 (or may also be referred to as a CDP system 208) by logging all the file operations, such as a write operation, a delete operation, a link operation, an unlink operation, a copy file range, a rename operation, and the like to back up the primary file system 206 to the backup storage 210.
The primary file system controller 204 is further configured to block the ransomware software activity by declining new IOs associated with the detected ransomware software activity. In other words, the new IOs, which are detected as malware IOs, are blocked, such as through an agent at a host that detects the process that is responsible for the creation of the new IOs. Furthermore, the primary file system controller 204 is configured to determine one or more files 222 that are infected by the ransomware software in the primary file system 206. Moreover, the one or more files that are infected by the ransomware software activity are determined based on the analysis of the backup data 214 of the primary file system 206 in the backup storage 210, which includes the one or more files 222 that are deleted by the ransomware software, such as through the new IOs. Furthermore, the backup controller 212 is configured to determine a clean PIT before the ransomware software activity has occurred. In an implementation, a CDP engine is used to determine the last clean PIT before the occurrence of the ransomware software activity, such as by analyzing the backup data of the primary file system in the backup storage. The last clean PIT is used to detect a PIT after which the ransomware software activity is initiated. As a result, the operations that are executed after the last clean PIT can be ignored to eliminate the adverse effect of the ransomware software activity. In accordance with an embodiment, the backup controller 212 is configured to determine the last clean PIT by analyzing a backup data 214 of the primary file system 206 in the backup storage 210 that includes one or more snapshots of the primary file system 206 on the backup storage 210, and changesets and changeset indexes that are related to the one or more snapshots in the log file 220 of the file system level CDP system 208 on the backup storage 210.
In an example, if a ransomware software activity is detected and the primary file system 206 missed the operation by the ransomware software activity before the detection, then the backup controller 212 restarts rolling of the backup data 214 from the last clean PIT before the ransomware software activity started and updates the primary file system controller 204 with the parameters of the detected ransomware software activity so as to block all the operations of the ransomware software activity.
Furthermore, the backup controller 212 is configured to obtain an uninfected version of the file for each of the infected files. The uninfected version of the file for each of the infected files corresponds to a version of the file, which is not affected by the ransomware software activity. In accordance with an embodiment, the backup controller 212 is configured to obtain the uninfected version of the file by obtaining a version of the file at the last clean PIT from a backup data 214 of the primary file system 206. Thus, the uninfected version of the files for each of the infected files allows the recovery of the infected files, such as through the last clean PIT more efficiently with reduced processing time. Furthermore, the backup controller 212 is configured to select operations from a log file 220 of the file system level CDP system 208 recorded for the uninfected version of the file after the last clean PIT that is not associated with the detected ransomware software activity. The selection of the operations from the log file 220 is beneficial to recover an updated version of the infected file.
In accordance with an embodiment, the backup controller 212 is configured to determine whether an operation in the log file 220 of the file system level CDP system 208 is associated with the detected ransomware software activity based on an activity pattern of the ransomware software. The apparatus 202 provides the continuous data protection by detecting the ransomware software activity in the primary file system 206, such as by updating a ransomware detection means with data about the detected ransomware software activity. Moreover, the data about the detected ransomware software activity includes parameters and/or the activity pattern of the detected ransomware software activity. In such an embodiment, the backup controller 212 is configured to determine that a file delete operation is associated with the detected ransomware software activity if the file delete operation is created by the ransomware software. In an implementation scenario, if the operation from the log file of the file system level CDP system is a file delete operation that is associated with the detected ransomware software activity, then, in such a case, the file is not deleted and is marked as a suspicious deletion. Furthermore, the backup controller 212 is configured to determine that a data write operation is associated with the detected ransomware software activity if the data write operation includes writing encrypted data. In an implementation scenario, if the operation from the log file of the file system level CDP system is a data write operation that is associated with the detected ransomware software activity and includes encryption of data, then, in such a case, the corresponding data write operations are ignored and further operations are applied. In addition, the backup controller 212 is configured to determine that a file create operation is associated with the detected ransomware software activity if the file create operation includes creating an encrypted copy of a file.
In an implementation scenario, if the operation from the log file of the file system level CDP system is the file create operation that is associated with the detected ransomware software activity and includes encryption of data, then, in such a case, the corresponding file create operation is blocked and the data write operations corresponding to that file are further ignored. Thus, the backup controller 212 is configured to selectively apply the primary file system 206 operations and ignore all the operations associated with the ransomware software activity to eliminate the adverse effect of the ransomware software activity.
The backup controller 212 is configured for applying the selected operations to the uninfected version of the file. Thus, the backup controller 212 is configured to selectively apply the primary file system 206 operations and to ignore all the operations associated with the ransomware software activity in order to eliminate the adverse effect of the ransomware software activity. In accordance with an embodiment, the backup controller 212 is configured for applying the selected operations using a re-player means of the file system level CDP system 208. Replaying the selected operations enables the primary file system 206 to roll back the changes that are performed after the detection of the ransomware software activity.
In accordance with an embodiment, the primary file system 206 resides on a primary storage 216, and the primary file system controller 204 is configured to return the recovered files from the backup storage 210 to the primary storage 216. Therefore, the adverse effects of the ransomware software activity, such as data loss, loss of money in the form of ransom, and the like are eliminated. In accordance with an embodiment, the backup storage 210 resides in a network-attached storage, NAS, 218 that includes one or more snapshots of the primary file system 206 and the log file 220 of the file system level CDP system 208. Moreover, the backup controller 212 is configured to apply the selected operations by means of manipulating metadata of the infected files within the NAS 218. In an implementation scenario, if the log file of the file system level CDP system and the snapshots of the primary file system are in the same storage pool in the NAS system, then, in that case, the recovery of the infected file is performed by manipulating the metadata of the infected files within the NAS. Moreover, the recovery of the infected files does not require copying of the data from the primary file system, which reduces the processing time that is required for the recovery of the infected files.
The apparatus 202 is used to recover the file system, such as from the ransomware software activity, by identifying the potential malware attack and by raising alerts for the detected ransomware attacks, and the like. The apparatus 202 provides an efficient recovery of the data with reduced processing time, such as by recovering all the infected files that are affected by the ransomware software activity. Furthermore, the primary file system 206 is used to monitor and trace the parameters of the ransomware software activity. Thus, a prior knowledge of the parameters of the ransomware software activity provides an improved and immediate detection of the ransomware software activity. In addition, the apparatus 202 is used for leveraging the ability of the file system level CDP system 208 to track the full life cycle of each file, such as from creation to all other changes that are performed on the file.
FIG. 3 is a diagram that depicts an exemplary scenario for recovering a file system, in accordance with an embodiment of the present disclosure. FIG. 3 is described in conjunction with elements from FIG. 2. With reference to the FIG. 3, there is shown a production host 302 and a NAS system 304.
In an exemplary scenario, the production host 302 is configured to write to a primary file system 308, which is included in the NAS system 304. In an implementation, the NAS system 304 includes a built-in file system level CDP system (e.g., the CDP system 208 of FIG. 2), which includes a CDP journal 306. Moreover, the CDP journal 306 includes all the changes related to the primary file system 308 and also includes one or more snapshots of the primary file system 308, such as for leveraging the one or more snapshots. The CDP journal 306 allows the primary file system 308 to roll back and eliminate the adverse effect of the ransomware software activity.
In an implementation, if the ransomware software activity is detected, then the apparatus 202 of FIG. 2 is configured to determine the related infected files from the primary file system 308. For example, if a file F1 that is stored in the primary file system 308 is found infected, then the apparatus 202 (of FIG. 2) is configured to roll back the changes and eliminate the adverse effect of the ransomware software activity. Moreover, the backup controller 212 is configured to determine an uninfected version of each of the infected files and to determine the last clean PIT, such as by analyzing the backup data 214 of the primary file system 308 that is stored in a backup storage 210. In addition, the backup storage 210 resides in the NAS system 304 that includes the one or more snapshots of the primary file system 206, such as a first snapshot 308A and a Kth snapshot 308K. In addition, the backup controller 212 is configured for determining the last clean PIT by analyzing the one or more snapshots of the primary file system 308, such as by analyzing the first snapshot 308A to the Kth snapshot 308K on the NAS system 304, and by analyzing the changesets and the changeset indexes related to the one or more snapshots in the log file 220 (of FIG. 2) of the file system level CDP system 208 of FIG. 2 on the backup storage 210 of the NAS system 304. Moreover, the primary file system 308 allows a continuous snapshotting, such as from the first snapshot 308A to the Kth snapshot 308K, that enables the apparatus 202 to restore the uninfected version of each of the infected files from the last clean PIT, leveraging the detection of the ransomware software activity by the CDP journal 306. Furthermore, the backup controller 212 (of FIG. 2) of the apparatus 202 is configured to apply the changes, such as by selecting operations that are not associated with the detected ransomware software activity, by means of manipulating metadata of the infected files within the NAS system 304 to obtain an updated version of the infected file (i.e., the file F1). Thus, the infected file is recovered with reduced processing time.
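As an added worked example (not the patent's or Huawei's code), the following Python sketch carries the per-file recovery loop of the apparatus and the FIG. 3 scenario through end to end: it finds the last clean PIT from the snapshot positions, then for each infected file starts from the snapshot version and replays only the journal entries not attributed to the ransomware. The journal layout, the process-id test for "created by the ransomware software", and the Shannon-entropy test for "writing encrypted data" are assumptions of this example; all data values are constructed.

```python
"""Selective replay of a file-system-level CDP journal after a ransomware
detection.  Added illustration, not the patent's code; every value below is constructed."""
import math
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Optional, Set

@dataclass
class Op:
    seq: int            # journal position, monotonic in time
    kind: str           # "write", "create" or "delete"
    path: str
    pid: int            # process that issued the IO, as reported by the host agent
    data: bytes = b""   # payload of a write or create
    offset: int = 0     # byte offset of a write

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: near 8.0 for ciphertext, far lower for text.  The estimate is
    capped at log2(len(data)), so judge payloads of a few hundred bytes or more."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

# Assumed cut-off; compressed or legitimately encrypted data also scores high and needs allow-listing.
ENTROPY_THRESHOLD = 7.0

def is_ransomware_op(op: Op, ransomware_pids: Set[int]) -> bool:
    """The three rules of claims 6 and 14."""
    if op.kind == "delete":                      # delete issued by the ransomware process
        return op.pid in ransomware_pids
    if op.kind in ("write", "create"):           # encrypted write / encrypted copy of a file
        return shannon_entropy(op.data) > ENTROPY_THRESHOLD
    return False

def last_clean_pit(snapshot_seqs, journal, ransomware_pids) -> Optional[int]:
    """Latest snapshot taken before the first journal entry attributed to the ransomware."""
    first_bad = min((op.seq for op in journal
                     if is_ransomware_op(op, ransomware_pids)), default=None)
    clean = [s for s in snapshot_seqs if first_bad is None or s < first_bad]
    return max(clean) if clean else None

def recover_file(path, snapshot, pit, journal, ransomware_pids) -> Optional[bytes]:
    """Start from the version at the last clean PIT and replay only later journal
    entries not attributed to the ransomware.  None means the file should not exist."""
    content = snapshot.get(path)
    for op in sorted(journal, key=lambda o: o.seq):
        if op.seq <= pit or op.path != path or is_ransomware_op(op, ransomware_pids):
            continue
        if op.kind == "create":
            content = op.data
        elif op.kind == "write":                 # byte-range write, sparse-extending
            base = (content or b"").ljust(op.offset, b"\x00")
            content = base[:op.offset] + op.data + base[op.offset + len(op.data):]
        elif op.kind == "delete":
            content = None
    return content

# Constructed scenario modelled on FIG. 3: file F1, snapshots at journal positions
# 4 and 9 (a snapshot at seq s holds every op with seq <= s), ransomware pid 666.
CLEAN_TEXT = b"quarterly report: revenue up 4% vs Q3\n" * 8
CIPHERTEXT = bytes(range(256)) * 2              # maximum-entropy stand-in for ciphertext
SNAPSHOTS: Dict[int, Dict[str, bytes]] = {
    4: {"F1": CLEAN_TEXT},
    9: {"F1.locked": CIPHERTEXT},               # taken after the attack: not clean
}
RANSOMWARE_PIDS = {666}
JOURNAL = [
    Op(3, "write", "F1", 100, CLEAN_TEXT[38:], offset=38),               # already in snapshot 4
    Op(5, "write", "F1", 100, b"[reviewed]\n", offset=len(CLEAN_TEXT)),  # legitimate append
    Op(7, "create", "F1.locked", 666, CIPHERTEXT),                       # encrypted copy
    Op(8, "delete", "F1", 666),                                          # ransomware delete
]

def recover_all():
    """Return the last clean PIT and the recovered content of every infected file."""
    pit = last_clean_pit(SNAPSHOTS, JOURNAL, RANSOMWARE_PIDS)
    infected = sorted({op.path for op in JOURNAL if is_ransomware_op(op, RANSOMWARE_PIDS)})
    return pit, {p: recover_file(p, SNAPSHOTS[pit], pit, JOURNAL, RANSOMWARE_PIDS)
                 for p in infected}
```

In the constructed run the last clean PIT is snapshot 4, F1 is rebuilt as the snapshot version plus the legitimate append at position 5 with the ransomware delete at position 8 ignored, and F1.locked resolves to "should not exist" because its only journal entry is the encrypted create.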
Modifications to embodiments of the present disclosure described in the foregoing are possible without departing from the scope of the present disclosure as defined by the accompanying claims. Expressions such as "including", "comprising", "incorporating", "have", "is" used to describe and claim the present disclosure are intended to be construed in a non-exclusive manner, namely allowing for items, components or elements not explicitly described also to be present. Reference to the singular is also to be construed to relate to the plural. The word "exemplary" is used herein to mean "serving as an example, instance or illustration". Any embodiment described as "exemplary" is not necessarily to be construed as preferred or advantageous over other embodiments or to exclude the incorporation of features from other embodiments. The word "optionally" is used herein to mean "is provided in some embodiments and not provided in other embodiments". It is appreciated that certain features of the present disclosure, which are, for clarity, described in the context of separate embodiments, may also be provided in combination in a single embodiment. Conversely, various features of the invention, which are, for brevity, described in the context of a single embodiment, may also be provided separately or in any suitable combination or as suitable in any other described embodiment of the disclosure.

Claims

1. A method (100) of recovering a file system, comprising:
detecting an activity of a ransomware software in a primary file system (206) that uses a file system level continuous data protection, CDP, system (208) logging all file operations for backing up the primary file system (206) to a backup storage (210),
blocking the ransomware software activity by declining new Inputs and Outputs, IOs, associated with the detected ransomware software activity,
determining a last clean point in time, PIT, before the ransomware software activity has occurred,
determining one or more files infected by the ransomware software in the primary file system (206),
for each of the infected files:
obtaining an uninfected version of the file,
selecting operations from a log file (220) of the CDP system (208) recorded for the uninfected version of the file after the last clean PIT that are not associated with the detected ransomware software activity, and
applying the selected operations to the uninfected version of the file.
2. The method (100) of claim 1, wherein the obtaining of the uninfected version of the file comprises obtaining a version of the file at the last clean PIT from a backup data (214) of the primary file system (206).
3. The method (100) of claim 1 or 2, wherein the determining of the last clean PIT comprises analyzing a backup data (214) of the primary file system (206) in the backup storage (210) including one or more snapshots of the primary file system (206) on the backup storage (210), changesets and changeset indexes related to the one or more snapshots in the log file (220) of the CDP system (208) on the backup storage (210).
4. The method (100) of any of claims 1 to 3, wherein the selected operations are applied by a re-player means of the CDP system (208).
5. The method (100) of any of claims 1 to 4, wherein the selecting of operations from the log file (220) of the CDP system (208) comprises: determining whether an operation in the log file (220) of the CDP system (208) is associated with the detected ransomware software activity based on an activity pattern of the ransomware software.
6. The method (100) of claims 1 to 5, wherein the selecting of operations from the log file (220) of the CDP system (208) comprises: determine that a file delete operation is associated with the detected ransomware software activity if it is created by the ransomware software, determine that a data write operation is associated with the detected ransomware software activity if it comprises writing an encrypted data, and determine that a file create operation is associated with the detected ransomware software activity if it comprises creating an encrypted copy of a file.
7. The method (100) of any of claims 1 to 6, wherein the primary file system (206) resides on a primary storage (216), and the method (100) further comprises returning the recovered files from the backup storage (210) to the primary storage (216).
8. The method (100) of any of claims 1 to 7, wherein the backup storage (210) resides in a Network Attached Storage, NAS (218), comprising snapshots of the primary file system (206) and the log file (220) of the CDP system (208), and the recovering of the infected files comprises manipulating metadata of the infected files within the NAS (218).
9. An apparatus (202) for recovering a file system, comprising:
a primary file system controller (204) configured for:
detecting an activity of a ransomware software in a primary file system (206), wherein the primary file system (206) uses a file system level continuous data protection, CDP, system (208) that logs file operations for backing up the primary file system (206) to a backup storage (210),
blocking the ransomware software activity by declining new Inputs and Outputs, IOs, associated with the detected ransomware software activity, and
determining one or more files (222) infected by the ransomware software in the primary file system (206), and
a backup controller (212) configured for:
determining a last clean point in time, PIT, before the ransomware software activity has occurred, and
for each of the infected files:
obtaining an uninfected version of the file,
selecting operations from a log file (220) of the CDP system (208) recorded for the uninfected version of the file after the last clean PIT that are not associated with the detected ransomware software activity, and
applying the selected operations to the uninfected version of the file.
10. The apparatus (202) of claim 9, wherein the backup controller (212) is configured for obtaining the uninfected version of the file by obtaining a version of the file at the last clean PIT from a backup data (214) of the primary file system (206).
11. The apparatus (202) of claims 9 or 10, wherein the backup controller (212) is configured for determining the last clean PIT by analyzing a backup data (214) of the primary file system (206) in the backup storage (210) including one or more snapshots of the primary file system (206) on the backup storage (210), changesets and changeset indexes related to the one or more snapshots in the log file of the file system level CDP system (208) on the backup storage (210).
12. The apparatus (202) of any of claims 9 to 11, wherein the backup controller (212) is configured for applying the selected operations using a re-player means of the CDP system.
13. The apparatus (202) of any of claims 9 to 12, wherein the backup controller (212) is configured for determining whether an operation in the log file (220) of the CDP system is associated with the detected ransomware software activity based on an activity pattern of the ransomware software.
14. The apparatus (202) of claim 13, wherein the backup controller (212) is configured for: determining that a file delete operation is associated with the detected ransomware software activity if it is created by the ransomware software, determining that a data write operation is associated with the detected ransomware software activity if it comprises writing an encrypted data, and determining that a file create operation is associated with the detected ransomware software activity if it comprises creating an encrypted copy of a file.
15. The apparatus (202) of any of claims 9 to 14, wherein the primary file system (206) resides on a primary storage (216), and the primary file system controller (204) is configured for returning the recovered files from the backup storage (210) to the primary storage (216).
16. The apparatus (202) of any of claims 9 to 15, wherein the backup storage (210) resides in a Network Attached Storage, NAS, (218) comprising snapshots of the primary file system (206) and the log file (220) of the file system level CDP system (208), and the backup controller is configured for applying the selected operations by means of manipulating metadata of the infected files within the NAS (218).
PCT/EP2023/050263 2023-01-09 2023-01-09 Method and apparatus for recovering file system Pending WO2024149436A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202380083320.5A CN120322769A (en) 2023-01-09 2023-01-09 Method and apparatus for restoring a file system
PCT/EP2023/050263 WO2024149436A1 (en) 2023-01-09 2023-01-09 Method and apparatus for recovering file system

Publications (1)

Publication Number Publication Date
WO2024149436A1 true WO2024149436A1 (en) 2024-07-18

Also Published As

Publication number Publication date
CN120322769A (en) 2025-07-15

Legal Events

Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 23700111; Country of ref document: EP; Kind code of ref document: A1)
WWE Wipo information: entry into national phase (Ref document number: 202380083320.5; Country of ref document: CN)
WWP Wipo information: published in national office (Ref document number: 202380083320.5; Country of ref document: CN)
NENP Non-entry into the national phase (Ref country code: DE)