
EP-4700557-B1 - RANSOMWARE RECOVERY FOR NVME-OF SSD


Inventors

  • BLAICHMAN, EVGENY
  • BERMAN, AMIT
  • SHABO, Reut

Dates

Publication Date: 2026-05-13
Application Date: 2025-02-05

Claims (13)

  1. A storage system comprising: processing circuitry (201, 202, 205) configured to: maintain a buffer as a cyclic buffer in a first mode for each host, of a plurality of hosts (211, 212), transmitting read/write commands; maintain the buffer for a first host of the plurality of hosts (211, 212) in a second mode different from the first mode, in response to a warning indicating that the first host may be infected by ransomware malware; increase a size of the cyclic buffer of the first host in the second mode; convert the cyclic buffer of the first host to a constant buffer in the second mode, wherein data stored within the constant buffer is maintained and deletion or overwriting of the data stored in the constant buffer is not allowed; and restore data backed up in the buffer for the first host to a storage in response to determining that the first host is infected by the ransomware malware.
  2. The storage system of claim 1, wherein the processing circuitry (201, 202, 205) is further configured to: clear all data from the buffer for the first host in response to determining that the first host is not infected by the ransomware malware; and maintain the buffer for the first host in the first mode in response to clearing the data from the buffer.
  3. The storage system of claim 1 or claim 2, wherein the processing circuitry (201, 202, 205) is further configured to: increase the size of the cyclic buffer of the first host by decreasing a size of the cyclic buffer of the other hosts of the plurality of hosts (211, 212).
  4. The storage system of any preceding claim, wherein the processing circuitry (201, 202, 205) is further configured to: back up read commands and read data associated with the read commands for the first host in the constant buffer in the second mode; and back up the read commands and read data associated with the read commands for the first host in a reserved backup of the storage in response to the constant buffer being full.
  5. The storage system of claim 4, wherein the reserved backup is not accessible by the plurality of hosts (211, 212).
  6. The storage system of any preceding claim, wherein the processing circuitry (201, 202, 205) is further configured to: back up read commands and read data associated with the read commands for each host of the plurality of hosts (211, 212) in the respective buffer for each host.
  7. The storage system of any of claims 4-6, wherein the processing circuitry (201, 202, 205) is further configured to store a plurality of inodes respectively corresponding with the read data.
  8. The storage system of claim 7, wherein the processing circuitry (201, 202, 205) is configured to restore the data backed up in the buffer based on the plurality of inodes.
  9. The storage system of claim 7 or claim 8, wherein the processing circuitry (201, 202, 205) is configured to restore the data backed up in the buffer by building a plurality of new files based on the data backed up in the buffer and the plurality of inodes.
  10. The storage system of any preceding claim, wherein the processing circuitry (201, 202, 205) is further configured to: clear the data in the buffer for the first host in the second mode in response to determining that the first host is not infected by ransomware malware; and maintain the buffer for the first host in the first mode in response to clearing the data in the buffer.
  11. The storage system of any preceding claim, wherein the storage system is a non-volatile memory express over-fabrics (NVMe-oF) storage system.
  12. A computer-implemented method for restoring data in a storage system, the method comprising: maintaining (S300) a buffer as a cyclic buffer in a first mode for each host, of a plurality of hosts, transmitting read/write commands; maintaining (S330) the buffer for a first host of the plurality of hosts in a second mode different from the first mode, in response to a warning indicating that the first host may be infected by ransomware malware; increasing (S320) a size of the cyclic buffer of the first host in the second mode; converting the cyclic buffer of the first host to a constant buffer in the second mode, wherein data stored within the constant buffer is maintained and deletion or overwriting of the data stored in the constant buffer is not allowed; and restoring (S370) data backed up in the buffer to a storage in response to determining that the first host is infected by the ransomware malware.
  13. The method of claim 12, further comprising: clearing all data from the buffer for the first host in response to determining that the first host is not infected by the ransomware malware; and maintaining the buffer for the first host in the first mode in response to clearing the data from the buffer for the first host.
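The claims above describe one state machine: a per-host backup buffer that runs as a cyclic ring in the first mode, and that on a ransomware warning grows at the other hosts' expense (claim 3), becomes an append-only constant buffer in which nothing may be deleted or overwritten (claim 1), spills into a reserved, host-inaccessible backup when full (claims 4 and 5), and is finally used together with stored inodes to rebuild files (claims 7 to 9) or is discarded on a false alarm (claims 2 and 10). The following in-memory simulation is an added example written for this page; it is not code from the patent or from any real NVMe-oF controller. Class and method names, the block-level file layout, and the choice to treat the earliest backed-up copy of each block as the pre-encryption copy are assumptions.

```python
from collections import deque
from dataclasses import dataclass

CYCLIC, CONSTANT = "cyclic", "constant"   # the claims' first and second buffer modes

@dataclass(frozen=True)
class Inode:
    path: str
    lbas: tuple          # logical block addresses holding the file, in order

@dataclass(frozen=True)
class ReadRecord:
    """A backed-up read: the block address, the data returned and the file's inode (claims 4-7)."""
    lba: int
    data: bytes
    inode: Inode

class HostBuffer:
    """Per-host backup buffer: a cyclic ring in the first mode, append-only in the second."""

    def __init__(self, capacity):
        self.capacity, self.mode, self.records = capacity, CYCLIC, deque()

    def append(self, rec):
        if len(self.records) < self.capacity:
            self.records.append(rec)
            return True
        if self.mode == CYCLIC:          # ring buffer: the oldest record is overwritten
            self.records.popleft()
            self.records.append(rec)
            return True
        return False                      # constant buffer full: caller spills to reserved backup

    def erase(self, lba):
        if self.mode == CONSTANT:         # claim 1: no deletion or overwrite in the second mode
            raise PermissionError("constant buffer: deletion not allowed")
        self.records = deque(r for r in self.records if r.lba != lba)

class StorageSystem:
    def __init__(self, hosts, total_slots):
        self.base_slots = total_slots // len(hosts)
        self.buffers = {h: HostBuffer(self.base_slots) for h in hosts}
        self.blocks = {}                  # lba -> bytes: the storage being protected
        self.inodes = {}                  # path -> Inode
        self.reserved_backup = {h: [] for h in hosts}   # claim 5: never exposed to hosts

    def create_file(self, path, chunks):
        lbas = tuple(range(len(self.blocks), len(self.blocks) + len(chunks)))
        self.blocks.update(zip(lbas, chunks))
        self.inodes[path] = Inode(path, lbas)

    def read(self, host, path):
        inode = self.inodes[path]
        for lba in inode.lbas:            # every read is backed up before the data is returned
            rec = ReadRecord(lba, self.blocks[lba], inode)
            if not self.buffers[host].append(rec):
                self.reserved_backup[host].append(rec)
        return b"".join(self.blocks[lba] for lba in inode.lbas)

    def write(self, host, path, chunks):
        self.blocks.update(zip(self.inodes[path].lbas, chunks))

    def warn(self, suspect, extra_slots):
        """Second mode for `suspect`: grow its buffer by shrinking the others (claim 3), then freeze it."""
        others = [h for h in self.buffers if h != suspect]
        for h in others:
            self.buffers[h].capacity -= extra_slots // len(others)
        self.buffers[suspect].capacity += extra_slots
        self.buffers[suspect].mode = CONSTANT

    def confirm_infected(self, host):
        """Claims 8-9: restore blocks from the backup and rebuild each touched file via its inode."""
        first_copy = {}                   # assumption: the earliest backed-up copy is pre-encryption
        for rec in list(self.buffers[host].records) + self.reserved_backup[host]:
            first_copy.setdefault(rec.lba, rec)
        touched = {}
        for rec in first_copy.values():
            self.blocks[rec.lba] = rec.data
            touched[rec.inode.path] = rec.inode
        return {p: b"".join(self.blocks[l] for l in ino.lbas) for p, ino in touched.items()}

    def clear_warning(self, host):
        """Claims 2 and 10: false alarm, so drop the backup and return every buffer to the first mode."""
        self.buffers[host].records.clear()
        self.buffers[host].mode = CYCLIC
        self.reserved_backup[host].clear()
        for buf in self.buffers.values():
            buf.capacity = self.base_slots

def simulate():
    # Constructed scenario: hostA is flagged, overwrites a file with ciphertext, then is confirmed.
    array = StorageSystem(["hostA", "hostB"], total_slots=8)         # 4 slots per host
    array.create_file("/data/report.txt", [b"quarterly ", b"figures"])
    original = array.read("hostA", "/data/report.txt")                # backed up in cyclic mode
    array.warn("hostA", extra_slots=2)                                 # detector raises a warning
    array.write("hostA", "/data/report.txt", [b"\xde\xad\xbe\xef", b"\x13\x37"])  # encrypted in place
    encrypted = array.read("hostB", "/data/report.txt")               # other hosts now see ciphertext
    rebuilt = array.confirm_infected("hostA")
    return original, encrypted, rebuilt, array
```

`simulate()` walks the detect, freeze and restore path end to end; the restore works only because the plaintext was captured on the read that preceded the malicious write, which is why the buffer must already be recording in the first mode and must refuse eviction once the warning arrives. Files whose blocks were never read through the suspect host are not in the backup and are not rebuilt.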

Description

BACKGROUND

Ransomware is a type of malware that encrypts data targeted for attack and demands money in exchange for the key needed to decrypt it. Ransomware has become a risk factor that causes enormous financial and social losses. Accordingly, there are measures that allow a storage device to cope with a ransomware attack. Ransomware reads data from the system, encrypts it, and then writes the encrypted data back to the same place. Any storage system may be vulnerable to ransomware. Non-volatile memory express over fabrics (NVMe-oF) is a protocol specification designed to connect hosts to storage across a network fabric using the NVMe network protocol.

US 12058169 B1 discloses techniques for monitoring and analyzing input/output (I/O) messages for patterns indicative of ransomware attacks affecting computer systems of a cloud provider, and for performing various remediation actions to mitigate data loss once a potential ransomware attack is detected. The monitoring of I/O activity for such patterns is performed at least in part by I/O proxy devices coupled to computer systems of a cloud provider network, where an I/O proxy device is interposed in the I/O path between guest operating systems running on a computer system and the storage devices to which I/O messages are destined. An I/O proxy device can analyze I/O messages for patterns indicative of potential ransomware attacks by monitoring for anomalous I/O patterns which may, e.g., be indicative of a malicious process attempting to encrypt or otherwise render inaccessible a significant portion of one or more storage volumes as part of a ransomware attack.

SUMMARY

Herein is provided a storage system according to claim 1 and a computer-implemented method for restoring data in a storage system according to claim 12.
Some example embodiments of the inventive concepts described herein relate to a method and an apparatus for early detection of a ransomware attack in a non-volatile memory express-over fabrics (NVMe-oF) storage system. According to some example embodiments, a storage system includes processing circuitry configured to maintain a buffer in a first mode for each host, of a plurality of hosts, transmitting read/write commands, maintain the buffer in a second mode different from the first mode, in response to a warning indicating that a first host of the plurality of hosts may be infected by ransomware malware, and restore data backed up in the buffer to a storage in response to determining that the first host is infected by the ransomware malware. According to some example embodiments, a method for restoring data in a storage system includes maintaining a buffer in a first mode for each host, of a plurality of hosts, transmitting read/write commands, maintaining the buffer in a second mode different from the first mode, in response to a warning indicating that a first host of the plurality of hosts may be infected by ransomware malware, and restoring the data backed up in the buffer to a storage in response to determining that the first host is infected by the ransomware malware. 
According to some example embodiments, a non-transitory computer-readable storage medium has a computer program recorded thereon which, when executed by at least one processor, causes the at least one processor to perform a method including maintaining a buffer in a first mode for each host, of a plurality of hosts, transmitting read/write commands, maintaining the buffer in a second mode different from the first mode, in response to a warning indicating that a first host of the plurality of hosts may be infected by ransomware malware, and restoring the data backed up in the buffer to a storage in response to determining that the first host is infected by the ransomware malware. At least some of the above and other features of the invention are set out in the claims.

BRIEF DESCRIPTION OF THE FIGURES

The above and other objects and features of the inventive concepts will become apparent by describing in detail some example embodiments thereof with reference to the accompanying drawings.

  • FIG. 1 is a diagram of a system to which a storage device is applied, according to example embodiments.
  • FIG. 2 is an example of an NVMe-over-fabrics (NVMe-oF) storage system according to example embodiments.
  • FIG. 3 is a flow chart illustrating a method according to example embodiments.
  • FIG. 4A illustrates an example of inode details of an original file.
  • FIG. 4B illustrates an example of inode details of a file encrypted by ransomware malware.
  • FIG. 4C illustrates an example of inode details of a restored file, according to example embodiments.
  • FIG. 5 is a flow chart illustrating a method according to example embodiments.
  • FIG. 6 is a graph illustrating the amount of data kept in each buffer in under-warning mode, according to example embodiments.

DETAILED DESCRIPTION

Below, some example embodiments of the inventive concepts will