Defense and Recovery Strategies for Flash-Based Storage Under Ransomware Attacks: A Survey

Abstract

As ransomware evolves, traditional OS-based de-tection mechanisms face growing challenges, particularly from advanced attacks exploiting system vulnerabilities and escalating privileges. The continuous evolution of ransomware attacks has driven researchers to explore storage-level defense strategies, focusing on the potential of Solid-State Drives (SSDs) to enhance data protection and recovery. This paper presents a compre-hensive survey of the current state and future developments in SSD firmware-level ransomware detection and recovery, based on literature published between 2015 and 2024. Firmware-level I/O monitoring helps detect ransomware by identifying the typical 'read-encrypt-overwrite' pattern. This low-level access offers an advantage in detecting ransomware activity. However, conventional detection methods are often prone to false pos-itives. To enhance detection accuracy, some systems integrate machine learning models within the SSD controllers, analyzing I/O request patterns and entropy values of written data to assess potential threats. The Garbage Collection(Gc)mechanism plays a crucial role in data recovery by retaining older versions of data until reclaimed, which can aid in restoring encrypted content. Similarly, backing up legitimate I/O operations incurs performance overhead. To address this, some systems utilize techniques such as neural networks and remote backups to reduce unnecessary performance degradation. Future research should prioritize developing lightweight solutions tailored for SSDs with limited computational resources. Emphasis should be placed on enhancing the timeliness of real-time detection to effectively respond to the rapidly evolving nature of ransomware attacks. © 2025 IEEE.