Researchers develop Malware Protection directly into SSD



According to news reports, an international team of researchers has developed an SSD security solution that acts at the controller firmware level. The feature is built into the storage device itself and detects out-of-the-ordinary activity that signals a ransomware infection and its attempt to encrypt your data. According to the researchers, the method degrades performance slightly, to the tune of a 17% decrease in latency performance and a maximum of 8% lower throughput. The solution is said to be easily integrated into the SSD manufacturing chain, and aims to become an integral barrier against ransomware on commercial SSDs - a problem made all the graver because most users do not deploy ransomware-focused (or at the very least, ransomware-aware) security solutions. This research differs from other SSD-bound security solutions in that it is completely hardware-based and can purportedly repair the damage done by ransomware attacks.


DaeHun Nyang, Ph.D., at EWU said, "I came up with the idea of firmware level detection because I know that many [users] don't install anti-ransomware software. So I thought that it would be good if we can protect people not having anti-ransomware installed on their computers by providing them with an anti-ransomware-intrinsic SSD."


The firmware solution, tentatively named SSD-Insider++, takes advantage of the inherent writing and deletion mechanisms in NAND flash. The firmware has been shown to detect and stop ransomware incursions with 100% efficacy whilst reverting any encryption that's actually achieved within 10 seconds of the process' start.


The firmware uses the SSD controller to constantly monitor SSD activity, with red flags being raised if any sort of encryption workload is being carried out that isn't user-triggered. Should that happen, the controller stops all write requests to the SSD, effectively suspending the encryption process, and notifies the user via its companion software app to allow for immediate action (such as running an antivirus sweep to remove the cause of the ransomware encryption attempt). The software layer in the companion app isn't a part of the solution itself, which is entirely hardware-based. Still, it allows the user to interact with the firmware solution and immediately recover any data that was encrypted before the process was stopped in its tracks.
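The sketch below is an added illustration, not code from the researchers or from SSD-Insider++. It models why out-of-place NAND writes make the rollback described above possible: overwritten data stays on flash until it is erased, so a controller that delays erasure for the 10-second window can restore the old mapping. The class `ToyFTL`, the overwrite-count detector and its threshold are assumptions made for the example; the article does not describe the actual detection features.

```python
from collections import deque

RETENTION_S = 10.0   # window from the article: encryption is reverted within 10 seconds
OVERWRITE_LIMIT = 4  # assumed threshold for this sketch, not a value from the research

class ToyFTL:
    """Toy flash translation layer with out-of-place writes and a rollback journal."""

    def __init__(self):
        self.flash = []         # physical pages, append-only: NAND is never overwritten in place
        self.l2p = {}           # logical block address -> index into self.flash
        self.journal = deque()  # (time, lba, previous physical index or None)
        self.locked = False     # True once detection fires; writes are refused afterwards

    def read(self, lba):
        return self.flash[self.l2p[lba]]

    def write(self, now, lba, data):
        if self.locked:
            return False
        # Journal entries older than the window expire; only then may stale pages be erased.
        while self.journal and now - self.journal[0][0] > RETENTION_S:
            self.journal.popleft()
        self.journal.append((now, lba, self.l2p.get(lba)))
        self.flash.append(data)              # new data goes to a fresh page
        self.l2p[lba] = len(self.flash) - 1  # the old page stays intact on flash
        # Stand-in detector (assumption): count overwrites of existing data in the window.
        overwrites = sum(1 for _, _, old in self.journal if old is not None)
        if overwrites >= OVERWRITE_LIMIT:
            self.locked = True
            self.rollback()
            return False
        return True

    def rollback(self):
        """Undo every journaled write, newest first, by restoring the old mapping."""
        while self.journal:
            _, lba, old = self.journal.pop()
            if old is None:
                self.l2p.pop(lba, None)  # block did not exist before the window
            else:
                self.l2p[lba] = old

def demo():
    ftl = ToyFTL()
    for lba in range(6):  # constructed sample data, written at t=0
        ftl.write(0.0, lba, f"doc-{lba}".encode())
    # Constructed burst of overwrites at t=100..105 standing in for an encryption pass.
    results = [ftl.write(100.0 + i, i, b"\x9f\x13ciphertext") for i in range(6)]
    return ftl, results
```

Note that a time-window rollback of this kind also discards legitimate writes made inside the window, which is one reason the article's design hands control back to the user through the companion app.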


While this particular firmware solution is deployable in the current crop of SSD drives, further improvements to ransomware protection technologies may require manufacturers to improve controller performance. "To implement some advanced features like entropy-based detection, however, extra hardware resources - e.g., higher performance Arm CPU or hardware accelerators - would be needed," Sungjin Lee, Ph.D. and a member of the research team, said.


However, SSDs are currently in the process of integrating more powerful (and more varied) hardware accelerators such as FPGAs, NPUs, and encryption processing engines, so the researchers expect that more complex protection mechanisms will walk alongside the developing SSD ecosystem. The firmware solution is also theoretically deployable on Shingled Magnetic Recording (SMR) HDDs (where the performance impact is more severe than in an SSD). However, it hasn't been tested in that environment.

