A senior lecturer at New South Wales’ Charles Sturt University (CSU) has launched a “revolutionary approach” to stopping ransomware attacks.
Named “Ransomware-Resilient File Safe Haven” (RFSH) or “Redwire”, the technology offers a last line of defence in the event upper-layer security systems – such as antivirus, endpoint detection or intrusion detection systems – fail.
As the name suggests, RFSH leverages ‘file safe havens’ which are designed to thwart ransomware attacks by looking for and preventing unauthorised attempts to encrypt data.
This essentially means if a network is infected with ransomware, RFSH can stop the ransomware from locking access to sensitive data.
Dr Arash Mahboubi from the Charles Sturt School of Computing, Mathematics and Engineering, said RFSH “addresses a critical gap in existing cybersecurity defences” and offers a “last line of defence to safeguard sensitive data from ransomware threats”.
“[Ransomware] impacts extend to both individuals and organisations, leading to psychological distress, financial losses, reputational damage, operational disruption and potential legal ramifications,” said Mahboubi.
“Ransomware developers continuously refine their tactics, making these threats increasingly sophisticated and pervasive.
“Research in this domain must not remain theoretical but must be actively supported and adopted by businesses to enhance real-world cybersecurity resilience.”
CSU explained what began as Mahboubi’s PhD thesis research evolved into a large-scale, two-year project in collaboration with cybersecurity institutions CSIRO Data61 and the Cyber Security Cooperative Research Centre (CSCRC).
Initially supported by seed funding in October 2022 during the COVID-19 pandemic, the project has achieved a benchmark Technology Readiness Level 7 – meaning its prototype has been successfully demonstrated in an operational environment – and has been tested by the NSW Government’s Department of Customer Service.
RFSH’s novel approach to ransomware
Mahboubi told Information Age while traditional approaches for ransomware mitigation primarily rely on “detecting suspicious behaviour, known signatures, or Indicators of Compromise (IoCs),” detection-based strategies are “increasingly ineffective as ransomware continuously evolves to circumvent these defences”.
“To address these shortcomings, we developed RFSH,” he said.
According to its World Intellectual Property Organisation (WIPO) listing, RFSH works as a “proxy server for controlling access to a cloud data storage service”, and effectively tampers with data buffers when they’re found to contain suspicious, encrypted data.
Mahboubi elucidated that RFSH “strategically sits between endpoint systems and various storage environments” – which can include the cloud, storage servers or more advanced network storage solutions – and proactively inspects all data transferred, accessed, modified, or written to the storage environment.
If RFSH “detects encrypted blocks of buffers indicative of unauthorised encryption activity” – or rather, if it suspects ransomware is attempting to push around encrypted data – it immediately invokes a “novel inverse encoding algorithm”.
“This unique algorithm dramatically expands the encrypted data buffers – up to 10GB practically and potentially terabytes in theoretical scenarios – effectively overwhelming and parallelising the ransomware's encryption engine,” Mahboubi told Information Age.
This process either halts ransomware activity outright or forces it into “self-termination” due to resource exhaustion, Mahboubi explained.
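The inspection step described above can be pictured with a small write gate that sits in front of storage. This is an added example, not RFSH code: the article does not say how RFSH recognises encrypted buffers or how its inverse encoding algorithm works, so the sketch assumes a Shannon-entropy heuristic and a simple hold-and-release step, and the names WriteGate, ENTROPY_THRESHOLD and MIN_BYTES are hypothetical.

```python
import hashlib
import math
from collections import Counter

ENTROPY_THRESHOLD = 7.5  # bits per byte; assumed cut-off, tune per workload
MIN_BYTES = 256          # smaller buffers give too noisy an estimate

def shannon_entropy(buf: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 to 8.0)."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())

def looks_encrypted(buf: bytes) -> bool:
    return len(buf) >= MIN_BYTES and shannon_entropy(buf) >= ENTROPY_THRESHOLD

class WriteGate:
    """Hypothetical in-memory stand-in for a proxy in front of storage."""

    def __init__(self):
        self.store = {}  # path -> committed bytes
        self.held = {}   # path -> write kept back for review

    def write(self, path: str, data: bytes) -> str:
        old = self.store.get(path)
        if not looks_encrypted(data):
            verdict = "allow"
        elif old is not None and len(old) >= MIN_BYTES and not looks_encrypted(old):
            verdict = "hold"  # readable content being replaced by ciphertext-like bytes
        else:
            verdict = "flag"  # no readable baseline (new file, archive): log only
        if verdict == "hold":
            self.held[path] = data
        else:
            self.store[path] = data
        return verdict

    def release(self, path: str) -> None:
        """Operator confirmed a false positive: commit the held write."""
        self.store[path] = self.held.pop(path)

# Constructed sample inputs: a plain-text document and a pseudo-random
# byte stream standing in for ciphertext.
TEXT = b"Quarterly report: revenue up, costs flat.\n" * 100
CIPHERLIKE = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(128))
```

Compressed archives and media are also high-entropy, which is why a write with no readable baseline is only flagged here rather than held.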
A simple inspiration
Mahboubi said after observing that “existing perimeter protection is ineffective for ransomware attacks”, his team started to “think about what else can be done”.
“Rather than dealing with the malicious processes, would it not be nice to make data un-encryptable?”
He said the bottlenecking approach the team arrived at was “inspired from the knots which get tighter as you pull more”, with ransomware being thwarted by exponentially reducing the resources available to “complete encryption within a reasonable time”.
Since the process focuses on malicious data encryption rather than typical indicators like network traffic or log anomalies, Mahboubi explained RFSH can also provide critical defence against zero-day ransomware attacks and ransomware that disguises its encryption activities as legitimate file operations.
Furthermore, the method is “fully reversible” and can rapidly restore affected data in the case of false positives.
No one-size-fits-all
Australia last year experienced a significant spike in data breaches, while cybersecurity technology company BitDefender saw that for February 2025 – the “worst ransomware month in history” – Australia ranked as the 6th country most affected by ransomware.
Co-researcher and principal research scientist at CSIRO’s data and digital arm Data61, Seyit Camtepe, said despite the availability of various cybersecurity solutions, malicious data encryption continues to be a growing problem.
“This project materialised a decade of novel research into a future-proof solution enabling data protection and availability, even when end-point computers are infected,” said Camtepe.
He added RFSH “does not replace” existing security solutions, but “identifies and fills a significant gap to ensure those solutions’ efficacy”.
Furthermore, Mahboubi said while the technology “does provide indirect benefits against certain forms of data theft”, its primary objective is preventing unauthorised data encryption, and directly preventing data theft that occurs without encryption typically “requires complementary cybersecurity solutions”.
“Our end-users understand the value, but RFSH is a new approach which requires time to prove itself,” said Mahboubi.