Ransomware works by modifying the data in the file system. The original data is overwritten with the data encrypted. The data can only be retrieved with the key to undo the encryption. According to PentestPeople, in 2021, Ransomware Attacks cost businesses an estimated $11.5 billion (https://www.pentestpeople.com/blog-posts/ransomware-2022-facts-and-statistics).
A WORM file system stands for Write Once Read Many. A file can only be written once, but cannot be changed afterwards. This would in itself be safe against ransomware. The file cannot be modified once it s created. There are however some disadvantages, besides there are no WORM file systems available for Linux.
Often a file has to be modified during its use. If you are programming code, you test the code, find the bugs, and then modify the code. A solution would be to store the old file as backup, before modification, as was done in the old VMS system. These backup files should be read only, otherwise the ransomware can delete/encrypt these backup files. Let’s call this kind of file system: a Protected Revertible File System (PRFS).
At some point the storage will be full with old copies and you want to delete these old copies (once you have tested the newest files are intact). So there should be some way to delete the old files. But if you can, so can the ransomware. A solution is a switch; the storage can be in three modes; the protected PRFS mode, a read-only mode, and a mode in which only the backup files can be deleted. In the read-only mode the files can be safely analyzed. In the last mode, ransomware cannot modify the normal files since modification of the latest file is not allowed.
This system cannot
be implemented as file system on the computer itself. If the
ransomware would gain root access, it can circumvent the file system
and modify the data on a lower level. That is why this should be
implemented on another server (e.g. SMB or FTP), or (in possible
future projects) in the controller of the storage device (USB, SATA,
I have created a file system on a RPi Zero W with storage. It is based on the FAT32 code included in the kernel.. All servers that can run on a RPi can use the PRFS file system. In this project both a FTP and a SMB server are using the PRFS and are safe against ransomware attacks from the client on the windows laptop. Any FAT32 formatted storage device can be used.