Fighting Ransomware with Guided Undo

  • Matthias Held
  • Marcel Waldvogel


Ransomware attacks are rare, yet catastrophic. On closer inspection, they differ from
other malware infections: Given appropriate preparation, they do not need to be detected
and prevented, but could be recovered later. However, current ransomware protection
follows the beaten path of anti-malware copying their fallacies. We show how the move to
personal cloud storage allows for a paradigm shift in ransomware protection: exceptional
attack isolation, perfect elimination of false positive alerts, and simplified recovery.
In this paper, we analyze the necessary operations for ransomware, extend existing
ransomware taxonomy, and verify them against real-world malware samples. We analyze
the costs and benefits of moving ransomware detection to versioned personal cloud stor-
age. Our content, meta data, and behavior analysis paired with a `guilt by association'
capability greatly improve the false positive rate, but the guided undo make this rate all
but inconsequential. Even though the user now carries a new burden, it comes with clear
responsibilities and benefits, while being freed from questionable duties, resulting in a
win-win situation for user experience and detection quality.