This post is also available in:
עברית (Hebrew)
When a ransomware attack strikes, the damage often happens quickly. Files are encrypted or deleted, systems become inaccessible, and recovery efforts begin racing against time. While most cybersecurity defenses focus on preventing attacks, far less attention has been paid to what happens after data is already compromised.
Researchers have now developed a storage-level protection system that uses the internal behavior of solid-state drives (SSDs) to improve the chances of recovering recently deleted data. Instead of relying on software backups or operating system protections, the approach works directly inside the SSD itself.
According to TechXplore, the concept takes advantage of a little-known characteristic of flash storage. When a file is deleted, it is not immediately erased from the drive. Instead, it enters an intermediate state where the operating system no longer sees it, but the physical data still exists inside the SSD until storage space is needed. Eventually, a process known as garbage collection permanently removes those data blocks to free capacity.
The problem is that conventional SSDs treat all deleted data similarly. Their garbage collection algorithms focus on storage efficiency rather than recovery value. As a result, files deleted minutes ago may disappear before older, less important data, making post-attack recovery unpredictable.
The new system changes that behavior by organizing deleted data chronologically inside the SSD. As files enter this temporary storage state, the drive records their relative age. When space needs to be reclaimed, the garbage collection process removes the oldest deleted data first, preserving recently deleted files for as long as possible.
According to the researchers, this significantly extends the window during which valuable information can still be recovered after an attack. Testing showed that recoverable data retention improved by at least 60 percent, while introducing minimal impact on normal SSD performance. In some cases, deleted data remained recoverable for up to 126 days.
From a cybersecurity and defense perspective, the approach is notable because it moves protection below the operating system layer. Even if malware compromises a computer, the storage controller continues operating independently, creating an additional recovery mechanism that attackers may have difficulty influencing directly.
The work highlights a growing trend toward using hardware itself as part of the security architecture. Rather than acting solely as storage devices, future SSDs may also function as active participants in cyber resilience and post-attack recovery strategies.
The research was published here.
