Ransom Access Memories: Achieving Practical Ransomware Protection in Cloud with DeftPunk
In this paper, we focus on building a ransomware detection and recovery system for the cloud block store. We start by discussing whether existing methods can be used directly, or ported to our scenario with modifications. These attempts, though they failed, led us to identify the unique IO characteristics of ransomware and drove us to build DeftPunk, a block-level ransomware detection and recovery system. DeftPunk uses a two-layer classifier for fast and accurate detection, creates pre-/post-attack snapshots to avoid data loss, and leverages the log-structured support of the block store for low-overhead recovery. Our large-scale benchmark shows that DeftPunk achieves nearly 100% recall across 13 types of ransomware with low runtime overhead.
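The abstract only sketches why pre-/post-attack snapshots on a log-structured store make recovery cheap: old block versions are never overwritten in place, so a snapshot is a copy of the block map rather than of the data, and rolling back is a pointer swap. The following toy model is an added illustration of that mechanism and is not DeftPunk's code. The detection rule it uses (a window of consecutive high-entropy overwrites), the window size, the entropy threshold, the 4 KiB block size and the sample workload are all assumptions; the paper's two-layer classifier is not described on this page.

```python
"""Toy model of snapshot-based ransomware recovery on a log-structured block
store. Constructed illustration only; not DeftPunk's code or classifier."""
import math
import random
from collections import Counter

BLOCK_SIZE = 4096  # assumed block size for the toy store


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of `data`: ~0 for constant data, ~8 for encrypted data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


class LogStructuredStore:
    """Append-only store: each write is appended to the log and the LBA map is
    repointed. Old versions are never overwritten in place, so any earlier
    state can be rebuilt from the log alone."""

    def __init__(self, nblocks: int):
        self.log = []        # list of (lba, data); list index == sequence number
        self.lba_map = {}    # lba -> log index of the current version
        self.snapshots = {}  # name -> frozen copy of lba_map (pointers only)
        for lba in range(nblocks):
            self.write(lba, b"A" * BLOCK_SIZE)  # constructed initial contents

    def write(self, lba: int, data: bytes) -> int:
        self.log.append((lba, bytes(data)))
        self.lba_map[lba] = len(self.log) - 1
        return self.lba_map[lba]

    def read(self, lba: int) -> bytes:
        return self.log[self.lba_map[lba]][1]

    def map_at(self, log_len: int) -> dict:
        """Rebuild the LBA map as it was when the log held `log_len` entries."""
        rebuilt = {}
        for idx in range(log_len):
            rebuilt[self.log[idx][0]] = idx
        return rebuilt

    def snapshot(self, name: str, log_len=None) -> None:
        """A snapshot is a copy of the map, not of the data: O(#blocks) pointers.
        A real store must also pin the log segments the snapshot references so
        garbage collection cannot reclaim the old versions."""
        target = len(self.log) if log_len is None else log_len
        self.snapshots[name] = self.map_at(target)

    def restore(self, name: str) -> None:
        self.lba_map = dict(self.snapshots[name])


class RansomwareGuard:
    """Sits on the write path. Assumed detection heuristic (not the paper's
    classifier): a window of consecutive high-entropy overwrites. On alert it
    pins a pre-attack snapshot at the first write of the suspicious window,
    which the log still holds because nothing was overwritten in place."""

    def __init__(self, store, window=4, entropy_threshold=7.5):
        self.store = store
        self.window = window
        self.threshold = entropy_threshold
        self.recent = []      # (log index, entropy) of the last `window` writes
        self.alert_at = None  # log index where the suspicious window began

    def observe_write(self, lba: int, data: bytes) -> bool:
        idx = self.store.write(lba, data)
        self.recent = (self.recent + [(idx, shannon_entropy(data))])[-self.window:]
        if self.alert_at is None and len(self.recent) == self.window:
            mean = sum(e for _, e in self.recent) / self.window
            if mean > self.threshold:
                self.alert_at = self.recent[0][0]
                self.store.snapshot("pre-attack", log_len=self.alert_at)
        return self.alert_at is not None

    def recover(self) -> None:
        """Keep the encrypted state for forensics, then roll the map back.
        Both steps copy pointers only; no block data is moved or rewritten."""
        self.store.snapshot("post-attack")
        self.store.restore("pre-attack")


def simulate(nblocks: int = 8):
    """Benign writes, then a simulated encryptor, then detection and recovery.
    Returns (store, guard, log index of the write that raised the alert)."""
    store = LogStructuredStore(nblocks)
    guard = RansomwareGuard(store)
    benign = (b"quarterly report " * 300)[:BLOCK_SIZE]  # constructed low-entropy text
    for lba in range(4):
        guard.observe_write(lba, benign)
    rng = random.Random(7)  # deterministic stand-in for ciphertext
    alerts = []
    for lba in range(nblocks):
        if guard.observe_write(lba, bytes(rng.getrandbits(8) for _ in range(BLOCK_SIZE))):
            alerts.append(len(store.log) - 1)
    guard.recover()
    return store, guard, (alerts[0] if alerts else None)


if __name__ == "__main__":
    store, guard, detected = simulate()
    print("suspicious window began at log index", guard.alert_at, "alert raised at", detected)
    print("block 0 after recovery:", store.read(0)[:16])
```

The point of `map_at` is that the pre-attack snapshot can be pinned retroactively, at the log position where the suspicious window started, even though the alert fires several writes later; an in-place store would already have lost those versions. The post-attack snapshot taken in `recover` keeps the encrypted blocks reachable for forensics at the same pointer-copy cost.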

18th USENIX Symposium on Operating Systems Design and Implementation
