On the File Recovery in Systems Infected by Ransomware

Pizzolante R.; Castiglione A.; Palmieri F.
2020-01-01

Abstract

Ransomware represents one of the most dangerous threats of the modern era, since it can block access to the data (e.g., images, documents, etc.) on infected systems. After infecting a system, ransomware demands that the user pay a ransom to regain access to the blocked data. However, even paying the ransom does not always guarantee the recovery of all the blocked files. Although several methods and countermeasures have been proposed in the state of the art to protect systems against ransomware, we remark that a system can still be infected by ransomware, mainly because of human error. Several techniques have also been proposed in the state of the art to mitigate the issues caused by ransomware. One mitigation technique consists of using data recovery tools (e.g., file carving tools, etc.) to recover the data lost by the victim of a ransomware infection. The aim of this work is to introduce an extensible methodology to evaluate the performance of file carving tools for the recovery of files lost due to a ransomware attack in a simulated environment, where by performance we essentially mean the number of files recovered. The proposed methodology can be useful for estimating the performance of such tools in real-life scenarios, in which one or more systems are the victims of ransomware attacks. The main objective of this paper is to estimate how effective these tools are against ransomware and, in addition, how much time is available to attempt file recovery on a system affected by ransomware. Furthermore, we provide some best practices for recovering files from a system affected by ransomware. Finally, we present and discuss the preliminary results achieved by applying the proposed methodology to three popular ransomware families, namely WannaCry, JigSaw and Cerber.
2020
978-3-030-44040-4
978-3-030-44041-1

Use this identifier to cite or link to this document: https://hdl.handle.net/11386/4746006