Abstract
This study introduces the Digital Immunity Module (DIM), a novel pass-through file system gateway positioned between storage and endpoints to enhance the security of files accessed via network protocols such as NFS and SMB on SharePoint. DIM serves as a protective layer against ransomware, designed with dual objectives: (1) detecting statistical anomalies that may indicate potential encryption within the network file system, and (2) proactively expanding under-attack files using a reverse source-coding algorithm to deprive ransomware of the resources it needs to operate. For practical deployment, we have developed a proxy gateway that connects endpoints to Azure storage using the SMB protocol. This setup effectively differentiates between benign and malicious activities without needing to identify specific processes at the endpoints, a critical advantage in combating fileless ransomware, which often eludes conventional security mechanisms such as behavioral analysis. Upon detecting malicious encryption, DIM reacts by expanding the size of buffer blocks, preventing ransomware from accessing subsequent files and frequently causing the ransomware to self-terminate. Our comprehensive evaluation, involving a benign dataset of 11,928 files against 75 ransomware families, including fileless types, demonstrates that DIM significantly impedes and often terminates ransomware operations early in the attack life cycle. This confirms the practicality and effectiveness of this pass-through defence strategy.
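The following is an added example, not code from the paper, showing how a gateway could score write-backs without knowing which endpoint process issued them. The abstract does not name the statistic DIM uses, so Shannon entropy per buffer block is an assumption here, and `GatewayMonitor`, both thresholds, the paths and the sample buffers are hypothetical and constructed.

```python
import hashlib
import math
from collections import Counter

ENTROPY_HIGH = 7.5  # bits/byte; assumed threshold, close to the 8.0 maximum
ENTROPY_JUMP = 1.0  # assumed minimum rise from last read to write-back

def shannon_entropy(block: bytes) -> float:
    """Shannon entropy of a buffer in bits per byte (0.0 to 8.0)."""
    if not block:
        return 0.0
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())

class GatewayMonitor:
    """Hypothetical gateway hook: compares each write with the last read of that path."""
    def __init__(self):
        self.read_entropy = {}  # path -> entropy of the last block read
        self.alerts = []        # (path, read entropy, write entropy)

    def on_read(self, path: str, block: bytes) -> None:
        self.read_entropy[path] = shannon_entropy(block)

    def on_write(self, path: str, block: bytes) -> bool:
        h_write = shannon_entropy(block)
        h_read = self.read_entropy.get(path)
        # Flag only a high-entropy write that replaces lower-entropy content,
        # so files that were already compressed on read do not trip the rule.
        suspicious = (h_read is not None and h_write >= ENTROPY_HIGH
                      and h_write - h_read >= ENTROPY_JUMP)
        if suspicious:
            self.alerts.append((path, round(h_read, 2), round(h_write, 2)))
        return suspicious

def _stream(seed: bytes, n: int = 4096) -> bytes:
    """Constructed stand-in for ciphertext or compressed data (SHA-256 counter stream)."""
    blocks = (hashlib.sha256(seed + i.to_bytes(4, "big")).digest() for i in range(n // 32))
    return b"".join(blocks)

def demo():
    mon = GatewayMonitor()
    doc = b"Invoice 1042: payment due within 30 days of receipt.\n" * 80  # constructed
    mon.on_read("/share/invoice.txt", doc)
    encrypted_overwrite = mon.on_write("/share/invoice.txt", _stream(b"enc"))
    mon.on_read("/share/photo.jpg", _stream(b"jpg"))       # high entropy on read
    compressed_rewrite = mon.on_write("/share/photo.jpg", _stream(b"jpg2"))
    mon.on_read("/share/notes.txt", doc)
    benign_edit = mon.on_write("/share/notes.txt", doc + b"appended line\n")
    return encrypted_overwrite, compressed_rewrite, benign_edit

print(demo())
```

A rule of this kind cannot see encryption of content that was already high-entropy on read, and a file written without a prior read is left unscored.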