Hello, can you explain the detailed procedure on how it creates a back up when it encounters an open syscall?

[kailashg26]

No description provided.

[kailashg26]

No description provided.

Just for the information, I'm using this ransomware candidate: https://github.com/DaniAffCH/Ransomware to experiment and basically trying to use the mechanism provided by you to protect the file (have a backup)

[gunh0]

Thank you for your interest in my work.

First of all, the Backup Linux kernel module I created must be aware of the file extensions targeted by ransomware.

If the ransomware does not attack specific file extensions and encrypts randomly binary files, even files backed up by this module will be infected.

As you can see here, when the user opens the target file,
(https://github.com/devgunho/Automatic_Recovery_In_Linux/blob/master/auto_recovery_lkm/filename_extension_check.c)

It is a hooking flow at main.c.
(https://github.com/devgunho/Automatic_Recovery_In_Linux/blob/master/auto_recovery_lkm/main.c)

[gunh0]

Oh, and An essential hypothesis of this recovery module is that 'OPEN' behavior should occur in the Linux kernel.
If this ransomware (https://github.com/DaniAffCH/Ransomware) attack does not 'OPEN' target files, this solution will fail.

Thank you for introducing me to interesting ransomware.

I will experiment with this ransomware as soon as I have time later.