IT202000028874A1 - METHOD, SYSTEM, DEVICE AND ANTI-RANSOMWARE USE OF RESTORE AND DATA PROTECTION FOR ENDPOINTS - Google Patents

Description

METHOD, SYSTEM, DEVICE AND ANTI-RANSOMWARE USE OF RESTORE AND DATA PROTECTION FOR ENDPOINTS

TECHNICAL SECTOR

The invention generally refers to a device, a system and a method for data protection, and more? specifically to the simple and immediate recovery of an endpoint where its file system data files are corrupted by unauthorized encryption while maintaining the integrity? and the availability? of application and personal data from possible exfiltrations.

For ?endpoint? means any device capable of connecting to the central corporate or home or office network. Are they endpoints such as smartphones, tablets and laptops, or typical productivity tools? which are used on a daily basis. Endpoint devices are potential entry points for cybersecurity threats and need effective protection because are often the ring pi? weak in network security.

In modern business computing, on-premise or cloud computing, smart working, what? such as in private computing environments, such as personal computers, private servers and/or mobile devices, security and accessibility? of data are critical elements for the availability? permanent data. However, external attackers may have an interest in corrupting the files where the data has been stored. Recently, ransomware-type attacks have grown exponentially, even in the ?double extortion? where small samples of the exfiltrated data are published as a warning to the victims in case they are late in paying, generating serious consequences from the point of view of brand reputation or privacy.

Ransomware represents the class of malicious software, also known generically as malware, that aims to prevent a legitimate data owner from accessing the data. Files, documents, storage systems or even entire computers are basically being held hostage. Data can be encrypted using an encryption key known only to the attacker. Users may then be forced to pay a ransom to regain access to their data. Ransomware differs from other types of malware in that its effects can be directly reversed via a decryption key known only to the attacker. Victims may have few options other than paying the attacker to reverse the encryption process. Some attackers might even impose strict deadlines for getting paid. Some ransomware can also start deleting encrypted files if certain conditions, such as a payment, are not met.

STATE OF ART

There are several solutions to deal with the ransomware problem, among them ? note the one mentioned ?US10742665B2 Systems and methods for modifying file backups in response to detecting potential ransomware? with the aim of safeguarding backups once a ransomware attack is detected, by copying new backups to separate storage.

Another solution dedicated to preserving backups? represented by ?US2019228148A1 RANSOMWARE RESETTER? which provides a method and a system to protect encrypted files from ransomware, where once it has been detected through entropy measurement, it writes new files through a ?copy-on-write? in a separate portion of memory.

An option similar to US2019228148A1 above ? provided by ?CN109711158A DEVICE-BASED ANTI-MALWARE? providing a method and system for writing to different memory blocks when an alleged ransomware attack? detected.

Or, in order not to corrupt the backups, backup copies are made on other storage spaces in mode? offline when an attack would not be in progress, although the latter could wake up later to evade this defense technique ?US2019050299A1 Method of Secure Storage Medium Backup and Recovery?.

Still others block the write area by giving access only to the trusted operating system ?US10049215B2 Apparatus and method for preventing access by malware to locally backed up data? or blocking the ransomware overwriting process to save memory space ?US10303877B2 Methods of preserving and protecting user data from modification or loss due to malware?

The activity of prevention? fundamental for data protection but ? it is also true that the management of post-accident recovery could be very expensive. The technique ?US2019188385A1 FILE RECOVERY USING ANTI-VIRUS ENGINE AND BACKUP PROVIDER? provides a solution as well as the ?US2020159624A1 System, Method and Process for Protecting Data Backup from Cyberattack? using artificial intelligence techniques and still ?US2020342106A1 AUTOMATED MALWARE REMEDIATION AND FILE RESTORATION MANAGEMENT? or ?CN110674502A Data detection method and device? or ?US2019347033A1 APPARATUSES AND METHODS AND COMPUTER PROGRAM PRODUCTS FOR FACILITATING DELETIONS OF FILE DATA THAT IS PROTECTED BY COPY-ON-WRITE SNAPSHOTS?.

Finally, do we know how ineffective NAS (network attached storage) systems alone are for responding to the ransomware attack, which are part of data protection in the event of hardware failure or errors?EP3553661A1 APPARATUSES AND COMPUTER PROGRAM PRODUCTS FOR A REDUNDANT ARRAY OF INDEPENDENT DISK (RAID) RECONSTRUCTION?.

It turns out that preserving the data ? critically important, however does this increase both redundancy and complexity? recovery for specialized staff. Does this translate into times of return to? Operation? that very often the cost of the recovery ? much higher than the ransom that would make the activity useless? of prevention.

Some of the above solutions include optimizing resources so as not to waste capacity? storage, unfortunately prevention does not always work and this translates either into the loss of useful data or into a successful attack.

Can you fight ransomware? be difficult for a couple of reasons. First, the ransomware ? easy to create or obtain and return on investment ? typically relatively high for attackers. Second, the operations performed by such ransomware can be difficult to distinguish from the operations of permitted software. To be affected by ransomware are Windows, Mac OS, Linux systems but also smartphones and even smart electronic devices that are part of the IoT (Internet Of Things) category, both in the private sector or smart working and in corporate edge environments or work stations. work of the functional areas in, for example, administration, sales, suppliers, or again, for example, the production lines in the manufacturing sector based on the new Industrial IoT paradigm.

Although the? Activity? of prevention is implemented by private users or by companies the problem? in the return to?operation? technically known as RTO (return time objective) or the requirement used in the business environment in the definition of a continuity plan? operational and disaster recovery. Generally have an RTO close to zero ? a stringent requirement in some activities? so-called critiques which could never stop. The latter are generally based on redundant mirror replicas of centrally managed server environments, which have significant costs, while a greater tolerance in terms of RTO for edge environments or endpoints both in the enterprise and from remote working. For a private user ? unthinkable today to speak of an RTO equal to zero, solutions against ransomware are generally based on prevention.

because the target of ransomware attacks ? often the "unsophisticated" user, the one who manages the endpoints, whether the same works in mode? smart working or in the company in production environments (so-called edge environments) or private user, ? very difficult for the same, if not practically impossible, to promptly return to?operation? without the support of a highly specialized staff that provides a complex recovery process due to the often centralized redundancy of data, the often non-automated execution of a recovery procedure deliberately increasing the time for return to operations. In the corporate sphere this also translates into wasted costs in terms of investments in infrastructure and human resources, losses in productivity, losses in reputation and image with financial repercussions, if we consider listed companies.

The object of the present invention generally refers to a device, a system and a method for data protection, and more specifically to the simple and immediate recovery of an endpoint where the data files of its file system are corrupted by unauthorized encryption, in which any user can initiate a recovery procedure with recovery mode? simple and immediate, drastically reducing to zero the return to? and preserving l?integrit? as well as the availability? of application and personal data from possible exfiltrations.

?User data? means all the data resulting from processing with user applications. For example, a word processing file or a photo file.

?Application data? they mean all the configuration data of system applications or user applications.

?shapshot? In computer systems, backups are usually unique copies of a system or directory taken periodically and stored in a different location, often external, while the snapshot ? the state of a system at a particular point in time and represents an instantaneous copy of the state of a system using less storage space or time to create the copies.

?Edge environments? Edge computing ? a design approach that provides resources such as capacity? of storage and computing power the pi? as close as possible to user devices or sensors that generate data. The concept therefore represents an alternative to classic cloud solutions with centralized servers. The term ?edge? comes from the English word which means angle, extremity? or margin. An allusion to the fact that with this approach the data processing does not take place centrally in the cloud, but in a decentralized manner at the edge of the network.

Is edge computing meant to provide us? that the cloud has not yet allowed so far: servers capable of evaluating large quantities? of data from smart factories, networks or transport systems without delays and to intervene immediately in case of problems.

?API? Application Programming Interface ? a processing interface that defines the interactions between pi? software intermediaries. It defines the types of calls or requests that can be made, how to make them, the data formats that should be used, the conventions to follow, etc. Can? also provide extension mechanisms so that users can extend the functionality? exist in various ways and at various levels. Can an API be completely customized, specific for a component or pu? be designed to an industry standard to ensure interoperability. Through information hiding, APIs allow for modular programming, which allows users to use the interface regardless of implementation.

?IFTTT? If This Then That? a web-based service that allows users to create chains of conditional statements triggered by changes that occur within other web services such as Gmail, Facebook, Telegram, Instagram or Pinterest. Conditional chains are called applets. An applet can For example, sending an email if the user tweets using a hashtag or copying a Facebook photo to a user's archive if someone tags a user in a photo. In addition to the web-based application, the service works on iOS and Android.

?TPM? Trusted Platform Module (TPM) technology ? designed to provide hardware-based security-related functions. A TPM chip? a secure cryptoprocessor designed to perform cryptographic operations. Does the chip include more? physical security mechanisms to make it resistant to tampering and malicious software is not ? capable of tampering with the security features of the TPM. Some of the key benefits of using TPM technology are as follows: Generate, store, and limit the use of cryptographic keys; Uses TPM technology for platform device authentication using the TPM's unique RSA key, which is burned to itself; Do you help ensure the integrity? of the platform by detecting and archiving the security measurements. The most TPM functions? common are used for the measurements of the integrity? of the system and for the creation and use of keys. During the boot process of a system, loaded boot code (including firmware and operating system components) can be measured and recorded in the TPM. Integrity measurements? can be used as evidence that a system has booted and to ensure that a TPM-based key has only been used when ? The correct software was used to boot the system. TPM-based keys can be configured in several ways. One option is to make a TPM-based key unavailable outside the TPM. This ? useful for mitigating phishing attacks why? prevents the key from being copied and used without the TPM. TPM-based keys can also be configured to require an authorization value to use them. If there are too many incorrect authorization guesses, the TPM will activate? the logic of attack of the dictionary and will prevent? further hypotheses of authorization value.

?ARM? ? a family of reduced instruction set computing (RISC) architectures for computer processors, configured for various environments. Arm Holdings develops the architecture and licenses it to other companies, who design their own products that implement one of those architectures, including systems on chips (SoCs) and systems on modules (SoMs) that incorporate memory, interfaces, radios , etc. It also designs cores that implement this instruction set and licenses these designs to a number of companies that incorporate these core designs into their own products.

?SoC? A system on a chip (SoC) ? an integrated circuit (also known as a "chip") that integrates all or most of the components of a computer or other electronic system. These components almost always include a drive? of central processing unit (CPU), memory, input/output ports and secondary memory, all on a single substrate or microchip, about the size of a coin. Can? contain digital, analog, mixed-signal, and often radio frequency signal processing functions (otherwise it is considered just an application processor).

?PCB? printed circuit board that mechanically supports and electrically connects electrical or electronic components using conductive traces, pads, and other features etched from one or more circuit boards. layers of copper foil laminated onto and/or between layers of foil of a non-conductive substrate.

?GPIO? General-Purpose input/output ? an unconstrained digital signal pin on an integrated circuit or electronic circuit board that can be used as input or output, or both, and ? user controllable at runtime.

?PoE? Power over Ethernet, describes any of several standards or ad hoc systems that transmit electrical power along with data over twisted-pair Ethernet cables.

?E-ink? electronic ink ? a brand of electronic paper display technology. ? currently commercially available in grayscale and color and ? commonly used in mobile devices such as e-readers and, to a lesser extent, digital signage, smart watches, cell phones, electronic shelf tags, and architectural panels.

?COW? copy-on-write ? an optimization strategy used in computer programming. The basic idea? what if more callers request initially indistinguishable resources, ? You can give them pointers to the same resource. This function can be maintained until? a caller does not attempt to modify his "copy" of the resource, at which point a true private copy is created to prevent the modifications from becoming visible to everyone else. All of this happens transparently to the callers. The main advantage ? that if a caller never makes changes, doesn't he? need to create no private copy.

?SOAR? Security Orchestration, Automation and Response ? an IT platform capable of connecting various security systems, consolidating various workflows.

?VPN? Virtual Private Networks ? a private telecommunications network, established as a connection between subjects who use, as a transport technology, a public and shared transmission protocol, such as the Internet protocol suite.

DESCRIPTION

In one embodiment of the present invention, ? provided an anti-ransomware method of restore and data protection for endpoints. The method ? performed by at least one processor and at least one RAM memory, by at least one hardware module including an interactive sensor for exclusive use for the response to a ransomware attack, by at least one ROM and/or EPROM type memory, which as a result of physical by a user by means of said interactive sensor, a unique coded message is generated by said sensor indicating the exclusive signal to start an immediate recovery in response to the ransomware attack which in turn the message is transmitted to said memory ROM and/or EPROM, which causes the execution of a firmware stored in said memory in response to the reception of the univocal message, where said firmware ? suitably configured to load and execute a set of instructions, which loads and and executes said set of predefined instructions for the specific endpoint which are stored in said ROM and/or EPROM memory, wherein said set of instructions comprises, loading into said RAM memory of a specific bootstrapping program and the execution of said bootstrapping program through said processor, that said specific bootstrapping program includes the restart of the user?s endpoint, the execution of a specific boot loader which includes recovery from a local and/or remote memory support of the image of a file system containing the kernel and/or the applications, the copy of the image in said RAM memory, the selection of the destination drive of the endpoint where ? file system corrupted by unauthorized encryption, overwriting the corrupt file system with the recovered image, restarting the endpoint, transferring control of the endpoint to the kernel, said kernel synchronizes user data in mode? background.

In one embodiment of the method, the specific bootstrapping program provides for execution from the network (NBP network bootstrap program) or in mode? Preboot Execution Environment (PXE) or boot mode iPXE or mode? gPXE or in mode? PXELINUX or that said specific bootstrapping program foresees execution from USB removable media, such as those based on the ISOHYBRID standard. Popular network boot programs (NBPs) using known mechanisms, such as Preboot eXecution Environment (PXE), for example, require a Dynamic Host Configuration Protocol (DHCP) server, various DHCP options to set, and a Trivial File Transfer Server protocol ( TFTP) to facilitate remote network booting of a computing device. Such mechanisms require dynamic IP address support which eliminates the ability to of static IP address processing devices to use these mechanisms. Other file transfer protocols may include for example http, sftp, ssh, etc.

In one embodiment of the method, ? expected a specific program called agent running in mode? background in the user?s endpoint machine, appropriately configured, which in response to physical operation by a user by means of said interactive sensor, a unique coded message is generated by said sensor indicating the exclusive signal to start an immediate reset in response to the ransomware attack which is transmitted both to said ROM and/or EPROM memory which causes both the execution of a firmware stored in said memory in response to the receipt of the unique message, and to the endpoint suitably interconnected by means of a network local possibly in wi-fi, in which the said unique coded message ? received from the agent, which in response performs a restart of the user?s endpoint.

In one embodiment of the method, said set of instructions (also called stubs) are stored in said ROM and/or EPROM memory, where one or more instructions are configured. bootstrapping procedures for the specific endpoint according to the hardware and/or software technology present in the same endpoint and that said procedure includes the configuration of a predefined data path for the recovery of the file system image containing the kernel and/or applications and which once configured are pre-loaded into memory. The set of instructions, also called stubs, can include different ransomware recovery procedures for different hardware and/or software technologies present in the same endpoint.

In one embodiment of the method, said predefined data path in the configuration procedure, for local and/or remote recovery, involves the following steps: selecting and storing the drive or partition or removable medium containing the? intact file system image including the kernel and/or applications and/or selecting an IP address statically or dynamically for downloading the intact file system image including the kernel and/or applications.

In one embodiment of the method, before executing the physical operation by means of said interactive sensor, the user performs an authentication action and which possibly said authentication procedure ? performed by means of hardware module for user authentication based on fingerprint.

In one embodiment of the method, said unique message encoded by said sensor comprises the configuration of user information, of its endpoints, of the connection address, the univocal association with one or more file system stored in the drive? end point of the user and / or more? user endpoint; the association of a unique identifier possibly composed of information regarding the sensor itself and/or information regarding the user profile associated with an account and/or possibly the association of a unique identifier possibly composed of information regarding the sensor itself and more? user profiles by means of the authentication system and/or possibly including information regarding the remote connection address. Examples of user information include general information, company, etc. Endpoint information may include, for example, universally unique identifier (UUID), drive, partition, etc.

In one embodiment of the method, the user as a result of the physical operation on the interactive sensor, can? select one of the associated endpoints, possibly through a message that appears on a display or as a result of receiving a notification message, for example via email or via a specific application running on the user's smartphone capable of receiving said notifications.

In one embodiment of the method, ? expected a check to verify if a? response action ? already running and therefore the request for action is aborted as long as the notification of completion does not occur.

In one embodiment of the method, said firmware comprises execution in mode? Unified Extensible Firmware Interface (UEFI) and that possibly the execution of said firmware in response to the receipt of the unique message? run with the UEFI secure boot option.

In one embodiment of the method, the file system image comprising the kernel and/or applications are generated by means of the activity? snapshot cloning and/or replication. The activity snapshot cloning and/or replication are based for example on ZFS. For the purposes of this discussion, it is assumed that whatever image exists in backup storage, the image represents valid data, and that the endpoint, if rebooted from that image, will work. correctly. For the purpose of further explanation, it may be necessary to use not only the smallest image but also the recent, but also another image, previously created, if you think the latest image does not represent valid data. However, it is assumed that there is at least one image available somewhere that can be used for endpoint data recovery and that it represents valid data and that the image can be stored either locally in an isolated storage medium or in another remote storage area such as public and/or private cloud. In turn ? It is possible to define storage policies, i.e. which types of files to save locally and which ones remotely and/or the period. The memorization policy provides for the conservation of several snapshots in such a way as to have different versions both locally and remotely and the synchronization with remote replication of the history of the various snapshots. File transfer protocols can be for example http, sftp, tftp ssh, etc. It is generally assumed that only a relatively small subset of the total image data is actually needed to enable boot and (at least) functionality. initial of the endpoint. The rest of the image can? be transferred gradually over time, depending on the need? of data and availability? of network resources. In other words, this procedure allows for a quick boot of the endpoint from a backup image, without having to wait tens of minutes or even hours for it to boot. the entire image is transferred. There? does it mean that the idle time? of the endpoint not ? essentially much more than the physical boot time of the endpoint (plus some additional, but relatively minor, time needed to copy the most critical parts of the image). Several networks can be used to store the image. For example, storage networks, peer-to-peer networks, remote storage on a remote server, and hard drives virtual disks, such as network disk emulators, can all be used to store the image. The image can be created on at least one server connected to a network. Examples include a unit disk on a remote server, a network RAID array, storage area networks, or network streamers (magnetic or optical tape devices that require serial access or streaming of data).

In one embodiment of the method, performed with at least one controller, it provides that the memorization procedure of said user data and/or of the image of said file system comprises the activity? exclusive storage by the firmware running in said controller in possibly external and/or removable non-volatile memory media locally and/or remotely interconnected and/or an in-memory database, and that said storage on said memory media includes the following phases: The exclusive control by the controller on the reading and writing processes in said memory supports; the reading by said controller of each file produced by the user?s endpoint; writing by the controller in said memory support of said file read by the user?s endpoint; and that said read and write operations comprise the following phases: the creation of a primary map, the assignment of said map for the exclusive use of said controller and the memorization of said map in a portion of said memory available only for the controller, wherein said primary map comprises linking the logical addresses with the physical addresses of a physical portion of said memory medium for exclusive use by the controller; the creation of a submap, the assignment to the kernel of the endpoint of said map and its storage in a portion of said physical memory shared and available to the kernel and the controller, wherein the submap includes the linking of logical addresses with the physical addresses of a physical portion of said memory support not belonging to the physical addresses contained in the primary map for the exclusive use of the controller and that possibly said logical addresses contained in said secondary map include dynamic generation with a mode? of pseudo random logical addressing and that the said pseudo random generation includes the initialization with a seed by the controller in modality? random. The management of the interrupt ? entrusted to the controller that holds the privileges for reading and writing the files produced.

In one embodiment of the method, the logical routings include the assignment of a timestamp and that the said submap includes the integrity checking of the of? logical addressing through cryptographic hash functions and that in response to? alteration of? integrity? of said address? the blocking action of the writing of said user data files by the controller is foreseen.

In one embodiment of the method, the user files which are stored in the portions of physical memory according to the secondary map, comprise the copy on write in the portion of the same physical memory according to the primary map and the sorting according to the logical addressing timestamp of the said data copied in mode? copy on write.

In one embodiment of the method, the procedure for synchronizing said user data comprises reading said data starting from the timestamp indicated in said unique generation message in response to the physical action of the user, checking the entropy on said data that in response to the verification of the entropy under a certain threshold value ? the transfer and copying of said data to the user?s endpoint is envisaged, otherwise the logical addressing of the secondary map is expected to be updated for those data subject to high entropy in order to allow subsequent overwriting on the data. In one embodiment of the method, before proceeding to update the logical addressing of the submap, the high entropy object data is copied in submap mode. COW in another non-volatile storage medium locally and/or remotely. User data is stored both locally in an isolated memory medium and in another remote storage area such as a public and/or private cloud. In turn ? It is possible to define storage policies, i.e. which types of files to save locally and which ones remotely and/or the period. Eg, ? You can keep your photos in the local storage medium and your word processing work files directly remotely. File transfer protocols can be for example http, sftp, tftp ssh, etc.

In one embodiment of the method, ? envisaged the notification of a ransomware attack response to at least one central control server and/or the end user, the notification of kernel recovery to said central server and/or the end user, the notification of the completed procedure to the said central server and / or to the end user and that said central server in response to said unique message received from one or more? endpoint as a result of? physical operation of one or more? users implement a predefined and automated contingency plan to limit the proliferation of the infection and that this plan possibly includes the isolation of the endpoints from the network, the blocking of network traffic to and from the attacked endpoint, the recovery of the logs on the endpoints, the recovery of files subject to unauthorized encryption, the forensic analysis of said files in combination with the logs, the possible update of vulnerabilities, the application of corrective measures, the notification of the attack to third parties and/or possibly to other users, possibly the reintegration of the endpoint in the network to which it belongs, the exfiltration of user data not corrupted by unauthorized encryption, the updating of network policies, application and physical logics, the migration of services in other backup stations possibly remotely, the activity? user awareness, analysis of malware running and/or installed on endpoints.

In one embodiment of the method, ? confirmation of the execution of the recovery by an intrusion prevention system and/or an intrusion detection system and/or an anti-ransomware and/or anti-malware system and that these systems possibly are based on machine technology learning and/or artificial intelligence and/or possibly the confirmation of the execution of the recovery to the user in response to the physical operation, possibly called confirmation ? transmitted on another out-band channel, such as SMS and/or on another endpoint such as smartphone or through a specific application running on it.

In one embodiment of the present invention, ? a restore and data protection anti-ransomware device for endpoints is provided. The device, interconnected with the user?s endpoint, comprises at least one ROM (read only memory) and/or EPROM (Erasable Programmable Read Only) memory and at least one hardware module including an interactive sensor for the exclusive use of responding to a ransomware attack, which in response to the physical action of a user on said sensor, a unique coded message is generated by said sensor indicating the exclusive signal to start an immediate recovery in response to the ransomware attack which in turn the message is transmitted to said ROM and/or EPROM memory, which causes the execution of a firmware stored in said memory in response to the reception of the univocal message, where said firmware ? suitably configured to load and execute a set of instructions, which loads and and executes said set of predefined instructions for the specific endpoint which are stored in said ROM and/or EPROM memory, wherein said set of instructions comprises, loading into said RAM memory of a specific bootstrapping program and the execution of said bootstrapping program through said processor, that said specific bootstrapping program includes the restart of the user?s endpoint, the execution of a specific boot loader which includes recovery from a local and/or remote memory support of the image of a file system containing the kernel and/or the applications, the copy of the image in said RAM memory, the selection of the destination drive of the endpoint where ? file system corrupted by unauthorized encryption, overwriting the corrupt file system with the recovered image, restarting the endpoint, transferring control of the endpoint to the kernel, said kernel synchronizes user data in mode? background. The interconnection between the device and the endpoint can? include a direct connection via bus and/or PCB with bus with the possible presence of controllers for managing the interrupt and/or via a local network and/or remotely possibly in VPN and/or via a server of services interconnected in a local network and/or remotely possibly in VPN.

The instruction set, also called a stub, represents a very small piece of code to perform some functionality? or routines or subroutines in programming. In one embodiment of the present invention, one or more may be encompassed stubs relating to different ransomware recovery procedures concerning different hardware and/or software technologies.

The types of interactive sensors used are those of the touch type or also called touch, for example touch sensors of the capacitive type or infrared touch sensors or push buttons or typical buttons. In one embodiment of the present invention, ? A hardware module is provided to provide user authentication based on the fingerprint system. In another embodiment, such hardware possibly integrated with the interactive sensor.

In one embodiment of the device, said ROM and/or EPROM memory ? included in whole and/or in part in the endpoint.

In one embodiment of the device, the communication between the interactive sensor and the ROM and/or EPROM memory takes place by means of a local network interconnection and/or remotely possibly in VPN and that said interconnection takes place possibly by means of a out-band communication channel, and that possibly said channel is of the unidirectional type and/or possibly based on the IoT standard.

In one embodiment of the device, the firmware contained in the ROM and/or EPROM memory? a Unified Extensible Firmware Interface (UEFI).

In one embodiment of the device, possibly, the interactive sensor and/or the fingerprint module and/or the possible integration of the interactive sensor with the fingerprint hardware module ?/are they provided with at least one ROM memory and/ or EPROM including a firmware.

In one embodiment of the device, it also comprises at least one controller and one or more controllers. data storage media, being called non-volatile memory media (NVM). In various forms, these memories include both removable ones and/or the fact that they are based on SSD, SD, micro SD, HDD, flash, UFS, E.MMC technologies.

In another embodiment of the device, the memories of the device of the present invention are installed and arranged in the Printed Circuit Board (PCB) in such a way that the conductive traces of a memory are isolated and electrically independent from each other. ?other and are interconnected to the controller, such that only the device controller alone can perform read/write operations using the firmware running on the controller.

In another embodiment of the device, one or more devices are integrated therein. CPU hardware modules and one or more? RAM-type memory. In another embodiment, the device is made with an architecture with ARM-type technology. In another embodiment, the device is made with an architecture with SoC type technology.

In another embodiment of the device, ? expected the presence of one or more? hardware modules of the type TPM and the firmware ? performed by that module.

In another embodiment of the device, possibly one or more are included? external cache memories with respect to the controller and/or CPU and/or SoC and/or TPM module and/or ARM already? present in the same device and/or one or more? hardware modules for data encryption, such as those based on the AES standard and / or one or more? hardware modules for wireless communications, such as those based on the Wifi, Bluetooth, LoraWAN, Sigfox and/or one or more? hardware modules for wired communications, such as those based on the Ethernet protocol, fast Ethernet and/or a touch-type or e-ink touch-type display hardware module and/or one or more? hardware modules for video connection such as those based on the HDMI or micro HDMI standard and / or one or more? hardware modules for audio connection and/or one more? hardware modules for serial connection, such as those based on the USB 2.0 standard, USB 3.0, USB -C and/or one or more? hardware modules for camera connection, such as those based on the MIPI CSI standard and/or one or more? hardware modules for connection based on the GPIO standard and/or one or more? hardware modules for connection based on the PoE (Power over Ethernet) standard and/or one or more? hardware modules for SIM Card and/or one or more? SIMs directly integrated into the PCB based on the eUICC standard (embedded universal integrated circuit card) and/or a hardware module for wireless energy recharging or, for example, according to resonance or induction technology and/or according to the Qi standard.

In another embodiment of the device, ? Is it possible to combine and/or limit the device in one or more? embodiments according to any form of the present invention.

In another embodiment of the device, ? the implementation, by means of said device according to any embodiment, of at least one method of the present invention according to any embodiment is envisaged.

In one embodiment of the present invention, ? the use of the device according to the present invention is envisaged, wherein said device is directly integrated into a common data storage device for external use and/or removable, such as a HDD, an SDD, a USB pendrive, a NAS (Network-attached storage) or a DAS (Direct-attached storage).

In another embodiment of use of the device of the present invention, said device ? directly integrated into common voice command smart device such as alexa or common smart home appliance product or common smart home management hub device.

In another embodiment of use of the device of the present invention, said device ? directly integrated in a common smartphone or in a common smartwatch or in a common smart wearable or in a common tablet.

In another embodiment of use of the device of the present invention, said device ? directly integrated in a common personal computer keyboard or in a common desktop or laptop computer mouse or in a common laptop pointing device or to be integrated on the keyboard or on the edges of the surface outside the keyboard or on the outside edges of the monitor of a common desktop or laptop computer or anywhere in the protective case of the desktop or laptop computer.

In another embodiment of use of the device of the present invention, said device ? directly integrated into a common PLC industrial computer or a common numerical control industrial machine.

In another embodiment of use of the device of the present invention, said device ? directly integrated in a common router or in a common access point and/or in a common network switch and/or in a common network interconnection device.

In another embodiment of use of the device of the present invention, said device ? directly integrated into a medical electronic instrument for outpatient or hospital use.

In another embodiment of use of the device of the present invention, said device ? directly integrated into a vehicle's electronic system.

In one embodiment of the present invention, ? provided an anti-ransomware system for restore and data protection for endpoints. Does the system comprise at least one endpoint, comprising at least one ROM and/or EPROM memory, interconnected with at least one smartphone by means of a service server in a local network and/or remotely possibly in VPN, wherein in said smartphone? including running an app that emulates an interactive sensor for exclusive use for the response to a ransomware attack, which in response to the physical action of a user on said sensor app, a unique coded message is generated by said sensor indicating the alert exclusive to initiate an immediate recovery in response to the ransomware attack which in turn the message is transmitted to said ROM and/or EPROM memory, which causes the execution of a firmware stored in said memory in response to the receipt of the unique message, where said firmware ? suitably configured to load and execute a set of instructions, which loads and and executes said set of predefined instructions for the specific endpoint which are stored in said ROM and/or EPROM memory, wherein said set of instructions comprises, loading into said RAM memory of a specific bootstrapping program and the execution of said bootstrapping program through said processor, that said specific bootstrapping program includes the restart of the user?s endpoint, the execution of a specific boot loader which includes recovery from a local and/or remote memory support of the image of a file system containing the kernel and the applications, the copy of the image in said RAM memory, the selection of the destination drive of the endpoint where ? file system corrupted by unauthorized encryption, overwriting the corrupt file system with the recovered image, restarting the endpoint, transferring control of the endpoint to the kernel, said kernel synchronizes user data in mode? background.

In another embodiment of the system, ? the integration of the authentication system provided directly by the smartphone is foreseen and that said system can include the insertion of a password, authentication by fingerprint or a combination of the two or any other form of authentication.

In another embodiment of the system, it provides at least one central control server possibly including an installed software platform SOAR, comprising at least one ROM and/or EPROM memory possibly in emulated form in said server through a software application, interconnected with at least an endpoint by means of a network service server or a local network and/or remotely possibly in VPN, wherein said endpoint comprises at least one interactive sensor hardware module for exclusive use for the response to a ransomware attack and that the communication between the interactive sensor and the central control server takes place by means of a local and/or remote network interconnection possibly in VPN and that this interconnection takes place possibly by means of an out band communication channel, such as for example SMS and that possibly said channel is of the unidirectional type and/or possibly based on the IoT (Internet of Things) standard, which in ris mail to the physical action of a user on said sensor or sensor app, a unique encoded message is generated by said sensor or sensor app indicating the exclusive signal to start an immediate recovery in response to the ransomware attack which in turn the message is transmitted to said ROM and/or EPROM memory, which causes the execution of a firmware stored in said memory in response to the reception of the univocal message, where said firmware ? suitably configured to load and execute a set of instructions, which loads and and executes said set of predefined instructions for the specific endpoint which are stored in said ROM and/or EPROM memory, wherein said set of instructions comprises, loading into said RAM memory of a specific bootstrapping program and the execution of said bootstrapping program through said processor, that said specific bootstrapping program includes the restart of the user?s endpoint, the execution of a specific boot loader which includes recovery from a local and/or remote memory support of the image of a file system containing the kernel and the applications, the copy of the image in said RAM memory, the selection of the destination drive of the endpoint where ? file system corrupted by unauthorized encryption, overwriting the corrupt file system with the recovered image, restarting the endpoint, transferring control of the endpoint to the kernel, said kernel synchronizes user data in mode? background.

In another embodiment the system provides at least one central control server possibly including an installed software platform SOAR, comprising at least one ROM and/or EPROM memory possibly in emulated form in said server through a software application, interconnected with at least one endpoint by means of a service server of a network or a local network and/or remotely possibly in VPN, in which the said endpoint in turn ? interconnected with a smartphone by means of a local network service server and/or remotely possibly in VPN, where in said smartphone ? including running an app that emulates an interactive sensor for exclusive use for the response to a ransomware attack, and that said interconnection possibly takes place by means of an out-band communication channel, such as for example SMS and that possibly said channel is unidirectional and/or possibly based on the IoT (Internet of Things) standard, which in response to the physical action of a user on said sensor or sensor app, a unique coded message is generated by said sensor or sensor app indicating the exclusive signaling of initiate an immediate recovery in response to the ransomware attack which in turn sends the message to said ROM and/or EPROM memory, which causes the execution of a firmware stored in said memory in response to receiving the unique message, where said firmware ? suitably configured to load and execute a set of instructions, which loads and and executes said set of predefined instructions for the specific endpoint which are stored in said ROM and/or EPROM memory, wherein said set of instructions comprises, loading into said RAM memory of a specific bootstrapping program and the execution of said bootstrapping program through said processor, that said specific bootstrapping program includes the restart of the user?s endpoint, the execution of a specific boot loader which includes recovery from a local and/or remote memory support of the image of a file system containing the kernel and the applications, the copy of the image in said RAM memory, the selection of the destination drive of the endpoint where ? file system corrupted by unauthorized encryption, overwriting the corrupt file system with the recovered image, restarting the endpoint, transferring control of the endpoint to the kernel, said kernel synchronizes user data in mode? background and/or in parallel the said server in response to the said univocal message received from one or more? endpoint as a result of? physical operation of one or more? users, implements a predefined and automated contingency plan to limit the proliferation of the infection and that this plan possibly includes isolating the endpoints from the network and/or blocking network traffic to and from the attacked endpoint and/or the recovery of logs on the endpoint and/or recovery of files subject to unauthorized encryption and/or forensic analysis of said files in combination with logs and/or possible vulnerability update, application of corrective measures , the notification of the attack to third parties and/or possibly to other users and/or possibly the reintegration of the endpoint into the network it belongs to and/or the exfiltration of user data not corrupted by unauthorized encryption and/or the updating of policies network, application and physical logics and/or the migration of services to other possibly remote backup stations and/or the activity? user awareness and/or analysis of malware running and/or installed on the endpoints.

In another embodiment of the system, it provides at least one central control server possibly comprising a SOAR software platform in RAM memory and executed by at least one processor, interconnected with at least one endpoint by means of a local network and/or remotely possibly in VPN, wherein said endpoint includes the device according to the present invention, where the communication between the interactive sensor of said device and the ROM and/or EPROM memory takes place by means of a local network interconnection and/or remotely possibly in VPN and that said interconnection possibly takes place by means of an out-band communication channel, such as for example SMS and that possibly said channel is of the unidirectional type and/or possibly based on the IoT (Internet of Things) standard, which in response to the ?physical action of a user on said sensor, a unique coded message is generated by said sensor or sensor app indicating the signal exclusive ion to initiate an immediate recovery in response to the ransomware attack which in turn the message is transmitted to said ROM and/or EPROM memory, which causes the execution of a firmware stored in said memory in response to the receipt of the unique message, where said firmware ? suitably configured to load and execute a set of instructions, which firmware loads and and executes said set of predefined instructions for the specific endpoint which are stored in said ROM and/or EPROM memory, where said set of instructions comprises, loading in said RAM memory of a specific bootstrapping program and the execution of said bootstrapping program through said processor, that said specific bootstrapping program includes the restart of the user?s endpoint, the execution of a specific boot loader which includes the recovery from a local and/or remote memory support of the image of a file system containing the kernel and/or the applications, the copy of the image in said RAM memory, the selection of the destination drive of the endpoint where ? file system corrupted by unauthorized encryption, overwriting the corrupt file system with the recovered image, restarting the endpoint, transferring control of the endpoint to the kernel, said kernel synchronizes user data in mode? background and, in parallel, the said server in response to the said unique message received from one or more? endpoint as a result of? physical operation of one or more? users, implements a predefined and automated contingency plan to limit the proliferation of the infection and that this plan possibly includes isolation of the endpoints from the network, blocking of network traffic to and from the attacked endpoint, recovery of logs on ?endpoint, the recovery of files subjected to unauthorized encryption, the forensic analysis of said files in combination with the logs, the possible update of vulnerabilities?, the application of corrective measures, the notification of the attack to third parties parties and/or possibly to other users, possibly the reintegration of the endpoint into the network it belongs to, the exfiltration of user data not corrupted by unauthorized encryption, the updating of network, logical-application and physical policies, the migration of services in other backup stations, possibly remotely, the activity? user awareness, analysis of malware running and/or installed on endpoints.

In another embodiment of the system, it provides for a distribution of interconnected endpoints by means of a local network and/or remotely possibly in VPN with at least one central control server, possibly including an installed SOAR software platform, and that said central server in response to said unique message received from one or more? endpoint as a result of? physical operation of one or more? users, in addition to activating the recovery process of the present invention, at the same time it implements a predefined and automated contingency plan to limit the proliferation of the infection and that said plan possibly includes the isolation of the endpoints from the network, the blocking of network to and from the attacked endpoint, recovery of logs on the endpoint, recovery of files subject to unauthorized encryption, forensic analysis of said files in combination with logs, possible vulnerability update, the application of corrective measures, the notification of the attack to third parties and/or possibly other users, possibly the reintegration of the endpoint into the network it belongs to, the exfiltration of user data not corrupted by unauthorized encryption, the updating of the network policies, application and physical logics, the migration of services to other possibly remote backup locations, the activity? user awareness, analysis of malware running and/or installed on endpoints.

In another embodiment of the system, it provides for the interconnection of said endpoint/s with one or more? memory supports of the non-volatile type by means of a direct connection to said endpoint, such as for example through the Ethernet or USB standard and/or possibly the interconnection of said/the endpoints with one or more? non-volatile memory supports present in a public and/or private cloud and/or via a local network and/or remotely possibly in VPN and/or that said non-volatile memory supports present in a public cloud and/or private include a storage system also based on the inmemory database system.

In another embodiment of the system, it comprises an authentication system based on asymmetric encryption systems and that optionally said authentication system comprises a Security Key based on the FIDO U2F standard.

In another embodiment of the system, it includes interconnection with third-party systems for the execution of specific services, via third-party application APIs to extend the storage media and create, for example, a hybrid multicloud. Examples of third party applications are Google Drive, Dropbox, iCloud, OneCloude, Druva, FreeNAS, CORTX. Other examples of integration via third-party application APIs include those services to facilitate interaction and management with user devices. Examples of this type of third party application are Google Home Hub, Amazon Home Hub, Apple Watch. Again, for data synchronization between various third-party applications? Is it possible to understand, for example, InSync and contextually the possibility? to be able to transfer them between the various storage media. Yet ? You can directly store or transfer user data files such as emails or photos from social networks. through automatisms with the integration of third-party applications based on the IFTTT paradigm. Other examples of integration via third-party application APIs include those incident response services provided by SOAR architectures.

In another embodiment of the system, it comprises integration with an intrusion prevention system and/or an intrusion detection system and/or an anti-ransomware and/or anti-malware system and that said systems are optionally based on machine learning and/or artificial intelligence technology.

In another embodiment of the system, it comprises at least one endpoint, comprising at least one central control server, interconnected with at least one endpoint by means of a network or a local network and/or remotely possibly in VPN, and that said endpoint comprises at least one ROM and/or EPROM memory, interconnected with at least one smartphone by means of a service server in a local network and/or remotely possibly in VPN, wherein in said smartphone? including running an app that emulates an interactive sensor for exclusive use for the response to a ransomware attack, which in response to the physical action of a user on said sensor app, a unique coded message is generated by said sensor indicating the alert exclusive to initiate an immediate recovery in response to the ransomware attack which in turn the message is transmitted to said ROM and/or EPROM memory, which causes the execution of a firmware stored in said memory in response to the receipt of the unique message, where said firmware ? suitably configured to load and execute a set of instructions, which loads and and executes said set of predefined instructions for the specific endpoint which are stored in said ROM and/or EPROM memory, wherein said set of instructions comprises, loading into said RAM memory of a specific bootstrapping program and the execution of said bootstrapping program through said processor, that said specific bootstrapping program includes the restart of the user?s endpoint, the execution of a specific boot loader which includes recovery from a local and/or remote memory support of the image of a file system containing the kernel and the applications, the copy of the image in said RAM memory, the selection of the destination drive of the endpoint where ? file system corrupted by unauthorized encryption, overwriting the corrupt file system with the recovered image, restarting the endpoint, transferring control of the endpoint to the kernel, said kernel synchronizes user data in mode? background and that the communication between said interactive sensor and the endpoint takes place by means of a local network interconnection and/or remotely possibly in VPN and that said interconnection takes place possibly by means of an out band communication channel and that possibly said channel is unidirectional and/or possibly based on the IoT (Internet of Things) standard.

In another embodiment of the system, ? is it possible to combine and/or limit the system in one or more? embodiments according to any form of the present invention.

In another embodiment of the system of the present invention, ? the implementation, by means of the system according to any embodiment, of at least one method of the present invention according to any embodiment is envisaged.

In another embodiment of the present invention, it is contemplated is a computer program product comprising a computer-readable or usable medium having a computer-readable program. The computer-readable program, when executed on a computing device, does s? that the processing device performs various operations and combinations of operations described above with reference to any embodiment of the method of the present invention.

In another embodiment, the computer program product is provided in combination in whole and/or in part with any of the embodiments of the device and/or system of the present invention.

These and other features and advantages of the present invention described will become apparent in light of the following description of some of the exemplary embodiments of the present invention.

The invention, what? as a mode? preferred usage, and further objects and advantages thereof, will be better understood by referring to the following detailed description of exemplary embodiments when read in conjunction with the accompanying drawings, wherein:

FIGURE 1 ? an example diagram of an endpoint restore and data protection anti-ransomware device where it can? be implemented in an embodiment of the present invention;

FIGURE.2 ? an example block diagram illustrating the operational elements of an anti-ransomware method of restore and data protection for endpoints where it can be implemented in an embodiment of the present invention;

FIGURE.3 ? an example block diagram, assisted example diagram of a device, illustrating the operational elements of an anti-ransomware method of restore and data protection for endpoints in which it can be implemented in an embodiment of the present invention;

FIGURE.4 ? an example diagram of an anti-ransomware system of restore and data protection for endpoints in which it can? be implemented in an embodiment of the present invention.

In FIG. 1 ? represented an embodiment of a device according to the present invention comprising an endpoint (100), having a processor (105), a RAM memory (110), a ROM and/or EPROM (115), an interactive sensor hardware module pressure for exclusive use for the response to a ransomware attack (120), which in response to physical pressure by a user, the sensor generates and transmits a unique message (125) to the memory (115), which in response performs a firmware (130) by loading a specific set of instructions (135) for the specific endpoint from said memory (115), for the execution of a bootstrapping program (140) comprising the immediate recovery of the user's endpoint.

In Fig.2 ? represented an embodiment of a method according to the present invention, where a user performs a physical operation (200) on the interactive sensor (120), which generates (205) a unique coded message by said sensor (120) indicating the exclusive signal to initiate an immediate recovery in response to the ransomware attack, which transmits it (210) to the ROM and/or EPROM memory (115), which causes the execution (215) of a firmware stored in said memory (115) in response to receiving the unique message, loading (220) and executing said set of instructions (225) predefined for the specific endpoint being the same instructions stored in said ROM and/or EPROM memory; loading a specific bootstrapping program (230) into said RAM memory (110) and executing said bootstrapping program through said processor (105), restarting (235) of the user?s endpoint (100), l ?execution of a specific boot loader which includes the recovery (240) from a local and/or remote memory medium of the image of a file system containing the kernel and/or the applications, the copy (245) of the image in called RAM memory (110), the selection of the drive (250) of destination of the endpoint where ? present the file system corrupted by unauthorized encryption, the overwriting (255) of the corrupt file system with the recovered image, the restart (260) of the endpoint, the transfer (265) of the control of the endpoint to the kernel, said kernel executes the synchronization (270) of user data in mode? background.

In Fig.3 ? represented an embodiment of a method according to the present invention, performed with at least one controller (305), the activity? of exclusive storage by the firmware (310) running in said controller in non-volatile memory supports (300), comprises the exclusive control (400) by the controller over the reading and writing processes in said memory supports, the creation of a primary map (405), assigning said map for the exclusive use of said controller (410) and storing said map (415) in a portion of said memory available only for the controller (315), in wherein said primary map comprises the connection (420) of the logical addresses with the physical addresses of a physical portion of said memory medium for the exclusive use of the controller (315); the creation of a secondary map (425), the assignment to the kernel of the endpoint of said map (430) and the storage (435) in a portion of said physical memory shared and available for the kernel and the controller (320), wherein said secondary map comprises the connection (440) of the logical addresses with the physical addresses of a physical portion of said memory medium which do not belong to the physical addresses contained in the primary map for the exclusive use of the controller (315)

In Fig.4 ? represented an embodiment of a system according to the present invention, comprising a central control server (500) comprising a SOAR software platform (515) in memory (510) and executed by at least one processor (505), interconnected with at least one endpoint (100) by means of a local and/or remote network possibly in VPN (600), comprising at least one memory of the ROM and/or EPROM type included in whole and/or in part in the endpoint (115), a module hardware comprising an interactive sensor (120) for exclusive use for the response to a ransomware attack, where the communication between the interactive sensor and the ROM and/or EPROM memory takes place by means of a communication channel based on the IoT standard (700), that in response to the physical action of a user on said sensor, a message (125) is generated and transmitted to the ROM and/or EPROM memory (115), which executes a firmware (130) by means of a processor (105), which executes a set of instructions (135) count using a bootstrapping procedure (140), and that in parallel, said server (500) in response to said univocal message (125), consequently to the physical activation of one or more? users for each endpoint, implements a predefined and automated contingency plan (520) to limit the proliferation of the infection, including for example isolating the endpoints from the network and/or blocking network traffic to and from the attacked endpoint and/or the recovery of the logs on the endpoint and/or the recovery of the files subject to unauthorized encryption and/or the forensic analysis of said files in combination with the logs and/or the possible update of vulnerability? and/or the application of corrective measures and/or the notification of the attack to third parties and/or possibly to other users.

How will it be? Appreciated by one skilled in the art, aspects of the present invention may be embodied as a system, method, device or use thereof, or a computer program product. Accordingly, aspects of the present invention may take the form of an all-hardware embodiment, an all-software embodiment (including firmware, resident software, microcode, etc.), or an embodiment that combines both software and hardware aspects at which can you? generally referred to herein as "circuit", "module", or "system". Additionally, aspects of the present invention may take the form of a computer program product incorporated into one or more programs. computer-readable media on which ? incorporated program code that can be used by computers. Can? be used any combination of one or more? computer readable media. Can computer-readable media be a computer-readable signal carrier or a computer-readable storage carrier. A computer-readable storage medium can be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, device, device, or any suitable combination of the foregoing. The computer program code for performing operations for aspects of the present invention can be written in any combination of one or more? programming languages, including an object-oriented programming language such as Java?, Smalltalk?, C+ or similar, and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code can run entirely on your computer, partially on your computer, as a stand-alone software package, partly on your computer and partly on a remote computer, or entirely on the remote computer or server. In the latter scenario, the remote computer can be connected to your computer over any type of network, including a local area network (LAN) or a wide area network (WAN), or the connection can? be made to an external computer (for example, over the Internet using an Internet service provider).

Claims (10)

1) An anti-ransomware method of restore and data protection for endpoints, performed by at least one processor and at least one RAM memory, by at least one hardware module including an interactive sensor for exclusive use for the response to a ransomware attack, by at least one ROM and/or EPROM type memory, characterized by the fact that it comprises the following phases: ? physical operation by a user by means of said interactive sensor; ? the generation of a unique coded message by said sensor indicating the exclusive signal to initiate an immediate recovery in response to the ransomware attack; ? the transmission of the univocal coded message to said ROM and/or EPROM memory; ? the execution of a firmware stored in said memory in response to the receipt of the univocal message, suitably configured to load and execute an instruction set; ? loading and executing said set of predefined instructions for the specific endpoint being the same instructions stored in said ROM and/or EPROM memory; ? and that said set of instructions comprises, the loading in said RAM memory of a specific bootstrapping program and the execution of said bootstrapping program through said processor, that said specific bootstrapping program comprises restarting the user?s endpoint, l ?execution of a specific boot loader which includes the recovery from a local and/or remote memory medium of the image of a file system containing the kernel and/or the applications, the copying of the image in said RAM memory, the selection of the destination drive of the endpoint where ? file system corrupted by unauthorized encryption, overwriting the corrupt file system with the recovered image, restarting the endpoint, transferring control of the endpoint to the kernel, said kernel synchronizes user data in mode? background. 2) The method according to the preceding claim, characterized by the fact that said specific bootstrapping program foresees the execution from network (NBP network bootstrap program) or in mode? Preboot Execution Environment (PXE) or boot mode iPXE or mode? gPXE or in mode? PXELINUX or that said specific bootstrapping program expects execution from USB removable media. 3) The method according to the preceding claims, characterized in that said set of instructions stored in said ROM and/or EPROM memory comprises the following steps: ? the configuration of one or more? bootstrapping procedures for the specific endpoint according to the hardware and/or software technology present in the same endpoint and that said procedure includes the configuration of a predefined data path for the recovery of the file system image containing the kernel and/or applications and that possibly the image of the file system including the kernel and/or the applications includes the creation of snapshots through snapshots and/or the replication; ? the pre-loading of one or more? configurations regarding the set of instructions relating to different ransomware recovery procedures for different hardware and/or software technologies present in the same endpoint. 4) The method according to claim 3, characterized in that said predefined data path comprises, for local and/or remote recovery, the following steps: ? selecting and storing the drive or partition or removable media containing the intact image of the file system including the kernel and/or applications; ? statically or dynamically selecting an IP address for downloading the whole file system image including the kernel and/or applications; and that the generation of said univocal coded message by said sensor according to the preceding claims comprises the following steps: ? the configuration of user information, its endpoints, the connection address; ? the unique association with one or more? file system stored in the drive? end point of the user and / or more? user endpoint; ? the association of a unique identifier possibly composed of information regarding the sensor itself and/or information regarding the user profile associated with an account and/or possibly the association of a unique identifier possibly composed of information regarding the sensor itself and more? user profiles by means of the authentication system and/or possibly including information regarding the remote connection address; ? storing the unique association and configuration information in said ROM and/or EPROM memory. 5) The method according to the preceding claims, characterized by the fact that said firmware in execution comprises the Unified Extensible Firmware Interface (UEFI) and that possibly the execution of said firmware in response to the receipt of the univocal message ? run with the UEFI secure boot option. 6) The method according to the preceding claims, performed with at least one controller, ? characterized by the fact that the memorization procedure of said user data and/or of the image of said file system includes the activity exclusive memorization by the firmware running in said controller in possibly external and/or removable non-volatile memory supports locally and/or remotely interconnected and/or an inmemory database, and that said memorization on said memory supports comprises the following stages: ? The exclusive control by the controller on the reading and writing processes in said memory supports; ? the reading by said controller of each file produced by the user?s endpoint; ? writing by the controller in said memory support of said file read by the user?s endpoint; and that said read and write operations comprise the following phases: ? the creation of a primary map, the assignment of said map for the exclusive use of said controller and the storage of said map in a portion of said memory available only to the controller, wherein said primary map includes address binding logical with the physical addresses of a physical portion of said memory support for the exclusive use of the controller; ? the creation of a submap, the assignment to the kernel of the endpoint of said map and its storage in a portion of said physical memory shared and available to the kernel and the controller, wherein the submap includes the linking of logical addresses with the physical addresses of a physical portion of said memory support not belonging to the physical addresses contained in the primary map for the exclusive use of the controller and that possibly said logical addresses contained in said secondary map include dynamic generation with a mode? of pseudo random logical addressing and that the said pseudo random generation includes the initialization with a seed by the controller in modality? random. 7) The method according to the preceding claims, characterized in that said user data memorized in the portions of physical memory according to the secondary map, include the on-write copy in the portion of the same physical memory according to the primary map and the sorting according to the timestamp logical addressing of said data copied in mode? copy on write. 8) An anti-ransomware device for restore and data protection for endpoints, comprising at least one ROM and/or EPROM type memory, said device interconnected with the user?s endpoint comprising at least one processor and memory, possibly called memory? included in whole and/or in part in said endpoint, ? characterized in that it has at least one hardware module comprising an interactive sensor for exclusive use for the response to a ransomware attack, which in response to the physical action of a user on said sensor, a unique coded message is generated by said sensor indicating the exclusive signaling to initiate an immediate recovery in response to the ransomware attack, in which said message is transmitted to said ROM and/or EPROM memory, which causes the execution of a firmware stored in said memory in response to receipt of the unique message , where the said firmware ? suitably configured to load and execute a set of instructions, which loads and and executes said set of predefined instructions for the specific endpoint being the same instructions stored in said ROM and/or EPROM memory, where said set of instructions comprises, the loading in said RAM memory of a specific bootstrapping program and the execution of said bootstrapping program through said processor, that said specific bootstrapping program includes the restart of the user?s endpoint, the execution of a specific boot loader which includes the recovery from a local and/or remote memory support of the image of a file system containing the kernel and/or the applications, the copy of the image in said RAM memory, the selection of the destination drive of the endpoint where? file system corrupted by unauthorized encryption, overwriting the corrupt file system with the recovered image, restarting the endpoint, transferring control of the endpoint to the kernel, said kernel synchronizes user data in mode? background. 9) Use of the device according to the preceding claim, characterized in that it is integrated in a common data storage device for external and/or removable use and/or in being integrated in a common keyboard for personal computers and/or in being integrated in a common desktop or portable personal computer mouse and/or to be integrated on the outer edges of the monitor of a common desktop personal computer and/or to be integrated in a common pointing tool for portable computers and/or to be integrated on the keyboard or on the edges of the surface outside the keyboard or on the outer edges of the monitor of a common desktop or laptop computer or anywhere in the protective case of the desktop or laptop computer and/or to be integrated into a common industrial computer PLC and/or in a common numerical control industrial machine and/or to be integrated in a common router or in a common access point and/or in a common network switch and/or in a common device network interconnection and/or to be integrated into a medical electronic instrument for office or hospital use and/or to be integrated into the electronic system of a vehicle. 10) An anti-ransomware system to restore and data protection endpoint, comprising at least one central control server comprising a SOAR software platform in RAM memory and executed by at least one processor, interconnected with at least one endpoint via a local network and/or remotely possibly in VPN, in which the said endpoint ? characterized in that it comprises the device according to claim 8, wherein the communication between the interactive sensor and the ROM and/or EPROM memory of said device takes place by means of a local network interconnection and/or remotely possibly in VPN and that said interconnection possibly takes place by means of an out-band communication channel, and that possibly said channel is of the unidirectional type and/or possibly based on the IoT standard, that in response to the physical action of a user on said sensor, a unique message encoded by said sensor indicating the exclusive signal to initiate an immediate recovery in response to the ransomware attack, wherein said message is transmitted to said ROM and/or EPROM memory, wherein in response to receipt of the unique message the execution of a firmware stored in said memory, where said firmware ? suitably configured to load and execute a set of instructions, which firmware loads and and executes said set of predefined instructions for the specific endpoint which are stored in said ROM and/or EPROM memory, and which said set of instructions comprises, the loading in said RAM memory of a specific bootstrapping program and the execution of said bootstrapping program through said processor, and that said specific bootstrapping program includes the restart of the user?s endpoint, the execution of a specific boot loader which includes the recovery from a local and/or remote memory support of the image of a file system containing the kernel and/or the applications, the copy of the image in said RAM memory, the selection of the destination drive of the endpoint where ? file system corrupted by unauthorized encryption, overwriting the corrupt file system with the recovered image, restarting the endpoint, transferring control of the endpoint to kernel, said kernel synchronizes user data in user mode. background and, in parallel, the said server in response to the said unique message received from one or more? endpoint as a result of? physical operation of one or more? users, implements a predefined and automated contingency plan to limit the proliferation of the infection, and that this plan possibly includes isolating the endpoints from the network and/or blocking network traffic to and from the attacked endpoint and/or the recovery of the logs on the endpoint and/or the recovery of files subject to unauthorized encryption and/or the forensic analysis of said files in combination with the logs and/or the possible update of vulnerability? and/or the application of corrective measures and/or the notification of the attack to third parties and/or possibly other users and/or possibly the reintegration of the endpoint into the network it belongs to and/or the exfiltration of uncorrupted user data from unauthorized encryption and/or the updating of network, logical-application and physical policies and/or the migration of services to other possibly remote backup stations and/or the activity? user awareness and/or analysis of malware running and/or installed on the endpoints.