To use the warehouse metaphor, the malware first got rid of the cameras, then locked up the security guards and then proceeded to do the box flipping while having complete control of the warehouse.

There are many ways to counter it. One possible approach is via smarter storage (think those dedicated datacenter storage servers) that lets the malware think they flipped the box while keeping the original safe as a previous version of the box, even if the box is a virtualized block storage instead of a file.

Another is to run your OS (and the malware) under a hypervisor, hoping the malware can't escape the virtual environment (which is more or less what gaming consoles do which varying levels of success).

  a technique where modifications to data on a disk drive exceeding x storage measurement units per time unit triggers an alarm

You don't clarify what "modifications to data on a disk drive" means here so I'm going to assume it's "change existing files/directories/symlinks etc and create new ones".

I don't think it'd work because a) it would give you a false positive when installing legit software, for example and b) let's assume you want to develop some sort of signalling system where "OK, this software package is legit" to a running OS service (using digital signatures or something like that) - then you'd have to worry about if that signaling/messaging can't be forged by the ransomware as well and you'd invariably need Digital Rights Management (DRM) "always on-line" system to control it. Do you want to avoid "always on-line"? OK, now you have to worry about Root Certificate management on your box which means you'd have to come up with a way to renew them or deprecate such hardware at some point. And trust that those certificates can't be tampered with by hostile actors (nation states, common crackers, etc) as well.

  If ransomware starts to change (encrypt and delete) gigabytes of data within minutes, would it not make sense that your operating system pauses the process, shows a popup question and asks you if process X is supposed to be doing what it is currently doing?

How would the OS know if such process is encrypting? Assume the ransomware uses an in-house encryption interface that doesn't depend on the OS's native interfaces, for instance. The deletion can be detected probably through some sort of inotify(7)-alike subsystem, but there's always a chance of racing conditions, etc. Hm, one could reverse them or undelete them, but I don't see it working across all OSes people care about. I don't know.

The dialog part may make sense, but how is a clueless user - remember that not all users are as technical as we are - meant to understand any of that? What if the ransomware uses a filename to disguise itself as a legit OS service or similar?

Here is a hospital scenario (I worked at one): 400+ users only use e-mail, browser and a local clinical information system or two. They never generate gigabytes of local data and never modify local data other than dragging an email attachment (or scanning a paper lab result) and dropping it into a clinical IS from time to time.

How is it possible that ransomware can wreck this (windows computer) and hundreds like it? Hundreds of similar hospital scenarios are happening all over the world as we speak. The issue here is that clinical IS will not be accessible because 400+ machines are refusing to boot into windows.

Should Microsoft be working on a windows version for healthcare, where execution of unsigned application is simply not allowed? The best we could do is "this application was downloaded from the internet, are you sure you want to allow it to run?"

I feel like the most logical explanation, given what you wrote, is lack of software updates and/or lack or lax procedures on behalf of system users (f.e. people opening up attachments they shouldn't, etc).

Microsoft could do that, but hospitals would shell out way more money for a niche feature. Remember that once you specialize something it becomes expensive. Should a fix come to light it has to be as general as possible. The fix should solve a problem experienced by everyone if it is to be adopted en masse and cheap.

Personally, I'd change / reinforce users' behaviours such as not opening attachments from e-mails they do not know (or have a good anti-virus scan their attachments OR have their SMTP server helper do that), maintain a strict software update policy and so on. The usual procedures. Quite frankly, I don't believe this is what a good percentage of people, companies, etc do.

What if ransomware starts by first disabling the storage counting services?

These could be part of the storage device firmware and require an unlock code from a trusted environment.

Anything is better than the current whack-a-mole game being played with evolving ransomware, where even hospitals are not spared and are suffering even during global pandemic as a result.

If I'm writing an email, and a background process starts modifying gigabytes of data on one of my disks or network locations, I would not be annoyed if a popup asked me to verify that this is something I approve of.

> gigabytes of data on one of my disks

This would require some cleverness at the device itself - perhaps a throttling mechanism and entropy checks on the content to effectively limit how much encrypted (or, sadly, compressed - they can't be easily told apart) information you can write to disk. Exceeding it would make the disk unusable and, perhaps, require very annoying manual intervention. The device also doesn't have any way to warn the user without going through the computer and the OS which, at this point, should be considered hostile.

> or network locations

This is easier to tackle by keeping backups and snapshots that are invisible and inaccessible to the end users and their OSs. Even if your workstation is mounting remote data as virtual block disks, you can still snapshot the whole disk at any given point in time. The problem will be cost - this requires a lot of extra storage capacity.

> I would not be annoyed if a popup asked me to verify that this is something I approve of.

In general the user (and anything on their machine) cannot be trusted. This confirmation should go to a separate channel - a phone call or other alert that's not going through the suspect computer.

Lots of Apple fans were not sharing your opinion when Catalina came if I remember things correctly. If the safeguard is not calibrated correctly, people will just click "okay" all the time. If the ransomware is smart enough, it will rate limit itself or will distribute the work between different processes, including innocent ones that it has managed to inject itself into.

Not saying that it is not possible, but its usefulness might not prove as high as hoped.

The firmware is not ment and most likely does not have the capacity to contain such complex logic. You wish it to observe storage devices, to know its size and what is likely to be normal, and to observe witch processes are accessing it without being sure what os it is running. This is kernel level stuff and it would be just one more mitigation tactic.

run zfs n snapshot often.

computers cant tell intent.

you want to tune parameters for everyone??