Time Machine: An Efficient and Backend-Migratable Architecture for Defending Against Ransomware in the Hypervisor

Jian Syue Huang, Tsung Han Liu, Yi Hsien Chen, Hsuan Yu Peng, Tse Wei Huang, Chin Laung Lei, Chun Ying Huang

Research output: Conference contribution (peer-reviewed)

Abstract

Ransomware has caused escalating financial losses for individuals and companies, increasing annually. To combat this, we present Time Machine, a real-time, fine-grained sector-level live view navigation solution designed to safeguard filesystems from ransomware attacks at the hypervisor level. Time Machine offers several key advancements over existing solutions. Operating at the hypervisor level minimizes the risk of bypassing via privilege escalation and eliminates reliance on hardware-based solutions. Time Machine redirects I/O operations without altering the original storage disk. Utilizing local or cloud-based key-value store backends, it offers flexible storage spaces for live view navigation and the capability of backend migration. This approach ensures comprehensive filesystem protection without data loss, allowing users to browse and recover data to any specific timestamp. Time Machine is designed to operate independently of detection algorithms but can also integrate with them for enhanced protection. Evaluation results demonstrate that our prototype effectively safeguards the filesystem with minimal overhead. With a 256MB memory cache and affordable storage, Time Machine successfully defends against 12 ransomware variants on Windows and Linux platforms, incurring an average runtime overhead of less than 5%.

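Original language: English
Title of host publication: CCSW 2024 - Proceedings of the 2024 Cloud Computing Security Workshop, Co-Located with
Subtitle of host publication: CCS 2024
Publisher: Association for Computing Machinery, Inc
Pages: 66-79
Number of pages: 14
ISBN (electronic): 9798400712340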
Publication status: Published - 19 Nov 2024
Event: 15th ACM Cloud Computing Security Workshop, CCSW 2024 - Salt Lake City, United States
Duration: 14 Oct 2024 to 18 Oct 2024

Publication series

Name: CCSW 2024 - Proceedings of the 2024 Cloud Computing Security Workshop, Co-Located with: CCS 2024

Conference

Conference: 15th ACM Cloud Computing Security Workshop, CCSW 2024
Country/Territory: United States
City: Salt Lake City
Period: 14/10/24 to 18/10/24
