Ransomware continues encrypting files during the delay between attack onset and detection. ROFBS mitigates this problem by backing up pre-modification files in real time upon file-open events. However, because the Linux file-open path traverses multiple kernel functions, it remains unclear how the choice of hook point affects defense effectiveness. In this study, we kept the ROFBS mechanism fixed and changed only the hook points on the Linux file-open path. We compared may_open, inode_permission, do_dentry_open, security_file_open, and xfs_file_open on AlmaLinux with XFS using three ransomware families: AvosLocker, Conti, and IceFire. We used Backup Ratio as the main metric and also compared the number of encrypted files with backups and the total number of encrypted files. The results showed that hook-point selection substantially affected both recoverability and damage scale. For AvosLocker, security_file_open achieved the highest Backup Ratio (82.5%). For Conti and IceFire, xfs_file_open achieved the highest values (100.0% and 63.2%, respectively). Moreover, xfs_file_open minimized the total number of encrypted files for all three ransomware families. These results indicate that, in ROFBS, the layer at which file-open events are observed is a key design factor. In particular, on XFS, hooking the filesystem-specific callback xfs_file_open may be advantageous when the goal is to reduce overall damage.

翻译：勒索软件在攻击开始与检测之间的延迟期内持续加密文件。ROFBS通过实时备份文件打开事件发生前的文件来缓解此问题。然而，由于Linux文件打开路径涉及多个内核函数，钩子点的选择如何影响防御效果尚不明确。在本研究中，我们保持ROFBS机制不变，仅改变Linux文件打开路径上的钩子点。我们在搭载XFS文件系统的AlmaLinux系统上，针对三种勒索软件家族（AvosLocker、Conti和IceFire），比较了may_open、inode_permission、do_dentry_open、security_file_open和xfs_file_open五种钩子点。我们以备份率作为主要评估指标，同时比较了有备份的加密文件数量与加密文件总数。结果表明，钩子点选择对可恢复性和损害规模均有显著影响。对于AvosLocker，security_file_open实现了最高备份率（82.5%）；对于Conti和IceFire，xfs_file_open分别达到最高值（100.0%和63.2%）。此外，xfs_file_open在所有三种勒索软件攻击下均实现了最小的加密文件总数。这些结果表明，在ROFBS中，观测文件打开事件的层级是关键设计因素。特别是在XFS文件系统上，当以减少总体损害为目标时，钩取文件系统特定回调函数xfs_file_open可能更具优势。