{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,6,30]],"date-time":"2026-06-30T03:59:49Z","timestamp":1782791989371,"version":"3.54.5"},"reference-count":41,"publisher":"Springer Science and Business Media LLC","issue":"1","license":[{"start":{"date-parts":[[2024,12,17]],"date-time":"2024-12-17T00:00:00Z","timestamp":1734393600000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"},{"start":{"date-parts":[[2024,12,17]],"date-time":"2024-12-17T00:00:00Z","timestamp":1734393600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0"}],"funder":[{"DOI":"10.13039\/100000001","name":"National Science Foundation","doi-asserted-by":"publisher","award":["2225424-CNS"],"award-info":[{"award-number":["2225424-CNS"]}],"id":[{"id":"10.13039\/100000001","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/100000001","name":"National Science Foundation","doi-asserted-by":"publisher","award":["1928349-CNS"],"award-info":[{"award-number":["1928349-CNS"]}],"id":[{"id":"10.13039\/100000001","id-type":"DOI","asserted-by":"publisher"}]},{"DOI":"10.13039\/100000001","name":"National Science Foundation","doi-asserted-by":"publisher","award":["2043022-DGE"],"award-info":[{"award-number":["2043022-DGE"]}],"id":[{"id":"10.13039\/100000001","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":["Cybersecurity"],"abstract":"<jats:title>Abstract<\/jats:title><jats:p>Ransomware attacks are increasingly prevalent in recent years. Crypto-ransomware corrupts files on an infected device and demands a ransom to recover them. In computing devices using flash memory storage (e.g., SSD, MicroSD, etc.), existing designs recover the compromised data by extracting the entire raw flash memory image, restoring the entire external storage to a good prior state. This is feasible through taking advantage of the out-of-place updates feature implemented in the flash translation layer (FTL). However, due to the lack of \u201cfile\u201d semantics in the FTL, such a solution does not allow a fine-grained data recovery in terms of files. Considering the file-centric nature of ransomware attacks, recovering the entire disk is mostly unnecessary. In particular, the user may just wish a speedy recovery of certain critical files after a ransomware attack. In this work, we have designed <jats:inline-formula><jats:alternatives><jats:tex-math>$$\\textsf{FFRecovery}$$<\/jats:tex-math><mml:math xmlns:mml=\"http:\/\/www.w3.org\/1998\/Math\/MathML\">\n                  <mml:mi>FFRecovery<\/mml:mi>\n                <\/mml:math><\/jats:alternatives><\/jats:inline-formula>, a new ransomware defense strategy that can support fine-grained per file data recovery after the ransomware attack. Our key idea is that, to restore a file corrupted by the ransomware, we (1) restore its file system metadata via file system forensics, and (2) extract its file data via raw data extraction from the FTL, and (3) assemble the corresponding file system metadata and the file data. Another essential aspect of <jats:inline-formula><jats:alternatives><jats:tex-math>$$\\textsf{FFRecovery}$$<\/jats:tex-math><mml:math xmlns:mml=\"http:\/\/www.w3.org\/1998\/Math\/MathML\">\n                  <mml:mi>FFRecovery<\/mml:mi>\n                <\/mml:math><\/jats:alternatives><\/jats:inline-formula> is that we add a garbage collection delay and freeze mechanism into the FTL so that no raw data will be lost prior to the recovery and, additionally, the raw data needed for the recovery can be always located. A prototype of <jats:inline-formula><jats:alternatives><jats:tex-math>$$\\textsf{FFRecovery}$$<\/jats:tex-math><mml:math xmlns:mml=\"http:\/\/www.w3.org\/1998\/Math\/MathML\">\n                  <mml:mi>FFRecovery<\/mml:mi>\n                <\/mml:math><\/jats:alternatives><\/jats:inline-formula> has been developed and our experiments using real-world ransomware samples demonstrate the effectiveness of <jats:inline-formula><jats:alternatives><jats:tex-math>$$\\textsf{FFRecovery}$$<\/jats:tex-math><mml:math xmlns:mml=\"http:\/\/www.w3.org\/1998\/Math\/MathML\">\n                  <mml:mi>FFRecovery<\/mml:mi>\n                <\/mml:math><\/jats:alternatives><\/jats:inline-formula>. We also demonstrate that <jats:inline-formula><jats:alternatives><jats:tex-math>$$\\textsf{FFRecovery}$$<\/jats:tex-math><mml:math xmlns:mml=\"http:\/\/www.w3.org\/1998\/Math\/MathML\">\n                  <mml:mi>FFRecovery<\/mml:mi>\n                <\/mml:math><\/jats:alternatives><\/jats:inline-formula> has negligible storage cost and performance impact.<\/jats:p>","DOI":"10.1186\/s42400-024-00287-9","type":"journal-article","created":{"date-parts":[[2024,12,17]],"date-time":"2024-12-17T02:02:03Z","timestamp":1734400923000},"update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":7,"title":["Enabling per-file data recovery from ransomware attacks via file system forensics and flash translation layer data extraction"],"prefix":"10.1186","volume":"7","author":[{"given":"Josh","family":"Dafoe","sequence":"first","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Niusen","family":"Chen","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-9372-9607","authenticated-orcid":false,"given":"Bo","family":"Chen","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"given":"Zhenlin","family":"Wang","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"297","published-online":{"date-parts":[[2024,12,17]]},"reference":[{"key":"287_CR1","unstructured":"Amazon S3 Pricing. https:\/\/aws.amazon.com\/s3\/pricing\/?nc=sn&loc=4"},{"key":"287_CR2","unstructured":"Analysts Predict SSD Prices May Halve by Mid-2023. https:\/\/www.tomshardware.com\/news\/analysts-predict-ssd-prices-may-halve-by-mid-2023"},{"key":"287_CR3","doi-asserted-by":"crossref","unstructured":"Baek S, Jung Y, Mohaisen A, Lee S, Nyang D (2018) Ssd-insider: Internal defense of solid-state drive against ransomware with perfect data recovery. In: 2018 IEEE 38th International conference on distributed computing systems (ICDCS), pp. 875\u2013884. IEEE","DOI":"10.1109\/ICDCS.2018.00089"},{"key":"287_CR4","doi-asserted-by":"crossref","unstructured":"Baek S, Jung Y, Mohaisen A, Lee S, Nyang D (2020) Ssd-assisted ransomware detection and data recovery techniques. IEEE Trans Comput","DOI":"10.1109\/TC.2020.3011214"},{"key":"287_CR5","doi-asserted-by":"crossref","unstructured":"Bajaj S, Sion R (2013) Hifs: History independence for file systems. In: Proceedings of the 2013 ACM SIGSAC conference on computer & communications security, pp. 1285\u20131296","DOI":"10.1145\/2508859.2516724"},{"key":"287_CR6","unstructured":"Code G. OpenNFM. https:\/\/code.google.com\/p\/opennfm\/"},{"key":"287_CR7","doi-asserted-by":"crossref","unstructured":"Continella A, Guagnelli A, Zingaro G, De\u00a0Pasquale G, Barenghi A, Zanero S, Maggi F (2016) Shieldfs: a self-healing, ransomware-aware filesystem. In: Proceedings of the 32nd annual conference on computer security applications, pp. 336\u2013347","DOI":"10.1145\/2991079.2991110"},{"issue":"1","key":"287_CR8","doi-asserted-by":"publisher","first-page":"1","DOI":"10.1109\/TDSC.2022.3214781","volume":"20","author":"AA Elkhail","year":"2023","unstructured":"Elkhail AA, Lachtar N, Ibdah D, Aslam R, Khan H, Bacha A, Malik H (2023) Seamlessly safeguarding data against ransomware attacks. IEEE Trans Depend Secure Comput 20(1):1\u201316","journal-title":"IEEE Trans Depend Secure Comput"},{"key":"287_CR9","unstructured":"Ext4 Data structures and algorithms. https:\/\/docs.kernel.org\/filesystems\/ext4\/globals.html"},{"key":"287_CR10","unstructured":"FFRecovery. https:\/\/snp.cs.mtu.edu\/ffrecovery.html"},{"key":"287_CR11","unstructured":"Fio. http:\/\/freecode.com\/projects\/fio (2014)"},{"key":"287_CR12","unstructured":"Google Cloud: Ransomware attacks surge, rely on public legitimate tools. Accessed: 2024-06-17 (2024). https:\/\/cloud.google.com\/blog\/topics\/threat-intelligence\/ransomware-attacks-surge-rely-on-public-legitimate-tools"},{"key":"287_CR13","doi-asserted-by":"crossref","unstructured":"Guan L, Jia S, Chen B, Zhang F, Luo B, Lin J, Liu P, Xing X, Xia L (2017) Supporting transparent snapshot for bare-metal malware analysis on mobile devices. In: Proceedings of the 33rd annual computer security applications conference, pp. 339\u2013349","DOI":"10.1145\/3134600.3134647"},{"key":"287_CR14","doi-asserted-by":"crossref","unstructured":"Huang J, Xu J, Xing X, Liu P, Qureshi MK (2017) Flashguard: leveraging intrinsic flash properties to defend against encryption ransomware. In: Proceedings of the 2017 ACM SIGSAC Conference on Computer and Communications Security, pp. 2231\u20132244. ACM","DOI":"10.1145\/3133956.3134035"},{"key":"287_CR15","unstructured":"Kharraz A, Arshad S, Mulliner C, Robertson W, Kirda E (2016) Unveil: a large-scale, automated approach to detecting ransomware. In: 25th USENIX security symposium (USENIX Security 16), pp. 757\u2013772"},{"issue":"2","key":"287_CR16","first-page":"136","volume":"19","author":"S Kok","year":"2019","unstructured":"Kok S, Abdullah A, Jhanjhi N, Supramaniam M (2019) Ransomware, threat and detection techniques: A review. Int. J. Comput. Sci. Netw. Secur 19(2):136","journal-title":"Int. J. Comput. Sci. Netw. Secur"},{"key":"287_CR17","unstructured":"Kolmogorov-Smirnov A, Kolmogorov AN, Kolmogorov M (1933) Sulla determinazione emp\u00edrica di uma legge di distribuzione. https:\/\/api.semanticscholar.org\/CorpusID:222427298"},{"key":"287_CR18","doi-asserted-by":"publisher","unstructured":"Kolodenker E, Koch W, Stringhini G, Egele M (2017). Paybreak: Defense against cryptographic ransomware. In: Proceedings of the 2017 ACM on Asia conference on computer and communications security. ASIA CCS \u201917, pp. 599\u2013611. Association for Computing Machinery, New York, NY, USA https:\/\/doi.org\/10.1145\/3052973.3053035","DOI":"10.1145\/3052973.3053035"},{"key":"287_CR19","doi-asserted-by":"publisher","unstructured":"Li N, Hao M, Li H, Lin X, Emami T, Gunawi HS (2022) Fantastic ssd internals and how to learn and use them. In: Proceedings of the 15th ACM International conference on systems and storage. SYSTOR \u201922, pp. 72\u201384. Association for Computing Machinery, New York, NY, USA. https:\/\/doi.org\/10.1145\/3534056.3534940","DOI":"10.1145\/3534056.3534940"},{"key":"287_CR20","unstructured":"LPC-H3131. https:\/\/www.olimex.com\/Products\/ARM\/NXP\/LPC-H3131\/"},{"key":"287_CR21","unstructured":"Malware Bazaar. https:\/\/bazaar.abuse.ch\/browse\/"},{"key":"287_CR22","doi-asserted-by":"publisher","unstructured":"Matos DR, Pardal ML, Carle G, Correia M (2018) Rockfs: cloud-backed file system resilience to client-side attacks. In: Proceedings of the 19th international middleware conference. Middleware \u201918, pp. 107\u2013119. Association for Computing Machinery, New York, NY, USA. https:\/\/doi.org\/10.1145\/3274808.3274817","DOI":"10.1145\/3274808.3274817"},{"key":"287_CR23","doi-asserted-by":"publisher","unstructured":"Ma B, Yang Y, Li J, Zhang F, Shen W, Zhou Y, Ma J (2023) Travelling the hypervisor and ssd: A tag-based approach against crypto ransomware with fine-grained data recovery. In: Proceedings of the 2023 ACM SIGSAC conference on computer and communications security. CCS \u201923, pp. 341\u2013355. Association for Computing Machinery, New York, NY, USA. https:\/\/doi.org\/10.1145\/3576915.3616665","DOI":"10.1145\/3576915.3616665"},{"issue":"2","key":"287_CR24","doi-asserted-by":"publisher","first-page":"245","DOI":"10.1109\/LCA.2018.2883431","volume":"17","author":"D Min","year":"2018","unstructured":"Min D, Park D, Ahn J, Walker R, Lee J, Park S, Kim Y (2018) Amoeba: an autonomous backup and recovery ssd for ransomware attack defense. IEEE Comput Arch Lett 17(2):245\u2013248","journal-title":"IEEE Comput Arch Lett"},{"issue":"7","key":"287_CR25","doi-asserted-by":"publisher","first-page":"2038","DOI":"10.1109\/TCAD.2021.3099084","volume":"41","author":"D Min","year":"2021","unstructured":"Min D, Ko Y, Walker R, Lee J, Kim Y (2021) A content-based ransomware detection and backup solid-state drive for ransomware defense. IEEE Trans Comput Aided Des Integ Circuits Syst 41(7):2038\u20132051","journal-title":"IEEE Trans Comput Aided Des Integ Circuits Syst"},{"key":"287_CR26","unstructured":"Morgan S (2016) Cybercrime to Cost the World \\$10.5 Trillion Annually by 2025. https:\/\/cybersecurityventures.com\/hackerpocalypse-cybercrime-report-2016\/"},{"key":"287_CR27","unstructured":"NTFS Overview. http:\/\/ntfs.com\/ntfs_basics.htm"},{"key":"287_CR28","doi-asserted-by":"crossref","unstructured":"Park J, Jung Y, Won J, Kang M, Lee S, Kim J (2019) Ransomblocker: a low-overhead ransomware-proof ssd. In: 2019 56th ACM\/IEEE Design Automation Conference (DAC), pp. 1\u20136","DOI":"10.1145\/3316781.3317889"},{"key":"287_CR29","unstructured":"Ransomware Families 2020\u20132023. https:\/\/snp.cs.mtu.edu\/research\/drm2\/ransomware-families-ffrecovery.pdf"},{"key":"287_CR30","doi-asserted-by":"publisher","unstructured":"Scaife N, Carter H, Traynor P, Butler KRB (2016) Cryptolock (and drop it): Stopping ransomware attacks on user data. In: 2016 IEEE 36th international conference on distributed computing systems (ICDCS), pp. 303\u2013312. https:\/\/doi.org\/10.1109\/ICDCS.2016.46","DOI":"10.1109\/ICDCS.2016.46"},{"key":"287_CR31","unstructured":"SSD Market Share. https:\/\/www.t4.ai\/industry\/ssd-market-share"},{"key":"287_CR32","doi-asserted-by":"crossref","unstructured":"Student (1908) The probable error of a mean. Biometrika 6(1):1\u201325","DOI":"10.1093\/biomet\/6.1.1"},{"key":"287_CR33","doi-asserted-by":"crossref","unstructured":"Subedi KP, Budhathoki DR, Chen B, Dasgupta D (2017) Rds3: Ransomware defense strategy by using stealthily spare space. In: Computational Intelligence (SSCI), 2017 IEEE Symposium Series On, pp. 1\u20138. IEEE","DOI":"10.1109\/SSCI.2017.8280842"},{"key":"287_CR34","unstructured":"Tankasala D, Chen N, Chen B (2020) A step-by-step guideline for creating a testbed for flash memory research via lpc-h3131 and opennfm"},{"key":"287_CR35","unstructured":"The 10 Biggest Ransomware Attacks of 2021. https:\/\/illinois.touro.edu\/news\/the-10-biggest-ransomware-attacks-of-2021.php"},{"key":"287_CR36","unstructured":"Top 10 Cloud attacks and what you can do about them. https:\/\/www.aquasec.com\/cloud-native-academy\/cloud-attacks\/cloud-attacks\/"},{"key":"287_CR37","unstructured":"VirusShare. https:\/\/virusshare.com\/"},{"key":"287_CR38","doi-asserted-by":"crossref","unstructured":"Wang P, Jia S, Chen B, Xia L, Liu P (2019) Mimosaftl: adding secure and practical ransomware defense strategy to flash translation layer. In: Proceedings of the Ninth ACM conference on data and application security and privacy, pp. 327\u2013338","DOI":"10.1145\/3292006.3300041"},{"key":"287_CR39","doi-asserted-by":"crossref","unstructured":"Xie W, Chen N, Chen B (2023) Enabling accurate data recovery for mobile devices against malware attacks. In: Security and privacy in communication networks: 18th EAI international conference, SecureComm 2022, Virtual Event, October 2022, Proceedings, pp. 431\u2013449. Springer","DOI":"10.1007\/978-3-031-25538-0_23"},{"key":"287_CR40","doi-asserted-by":"publisher","DOI":"10.1587\/transinf.2017EDL8052","author":"J Yun","year":"2017","unstructured":"Yun J, Hur J, Shin Y, Koo D (2017) Cldsafe: an efficient file backup system in cloud storage against ransomware. IEICE Trans Inf Syst. https:\/\/doi.org\/10.1587\/transinf.2017EDL8052","journal-title":"IEICE Trans Inf Syst"},{"key":"287_CR41","doi-asserted-by":"publisher","unstructured":"Zhou C, Guo L, Hou Y, Ma Z, Zhang Q, Wang M, Liu Z, Jiang Y (2023) Limits of i\/o based ransomware detection: An imitation based attack. In: 2023 IEEE symposium on security and privacy (SP), pp. 2584\u20132601. https:\/\/doi.org\/10.1109\/SP46215.2023.10179372","DOI":"10.1109\/SP46215.2023.10179372"}],"container-title":["Cybersecurity"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1186\/s42400-024-00287-9.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/article\/10.1186\/s42400-024-00287-9\/fulltext.html","content-type":"text\/html","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1186\/s42400-024-00287-9.pdf","content-type":"application\/pdf","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2024,12,17]],"date-time":"2024-12-17T03:03:15Z","timestamp":1734404595000},"score":1,"resource":{"primary":{"URL":"https:\/\/cybersecurity.springeropen.com\/articles\/10.1186\/s42400-024-00287-9"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2024,12,17]]},"references-count":41,"journal-issue":{"issue":"1","published-online":{"date-parts":[[2024,12]]}},"alternative-id":["287"],"URL":"https:\/\/doi.org\/10.1186\/s42400-024-00287-9","relation":{},"ISSN":["2523-3246"],"issn-type":[{"value":"2523-3246","type":"electronic"}],"subject":[],"published":{"date-parts":[[2024,12,17]]},"assertion":[{"value":"22 January 2024","order":1,"name":"received","label":"Received","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"1 September 2024","order":2,"name":"accepted","label":"Accepted","group":{"name":"ArticleHistory","label":"Article History"}},{"value":"17 December 2024","order":3,"name":"first_online","label":"First Online","group":{"name":"ArticleHistory","label":"Article History"}},{"order":1,"name":"Ethics","group":{"name":"EthicsHeading","label":"Declarations"}},{"value":"The authors declare no Conflict of interest.","order":2,"name":"Ethics","group":{"name":"EthicsHeading","label":"Competing interests"}}],"article-number":"75"}}