193 results about "Ransomware" patented technology

Operating system events are monitored and a file change request of a process is detected. If the process is suspicious, then the file to be changed is backed up and then the process is allowed to change the file as requested. If it is later determined that the process is ransomware, the process is blocked and further file backups are halted. The original file is recovered and the encrypted file is discarded. If it is later determined that the process is not malicious, then further file backups are halted. Any backup files are discarded. Ransomware may be detected by comparing a file extension of the process with file extensions of any files requested to be changed, by comparing file extensions of any files requested to be changed, or by an analysis of behavior of the process itself.

A cloud storage server-based approach allows detection of ransomware activity in cloud storage systems caused by ransomware infections on an endpoint device. A heuristic or rule-based technique is employed for recognizing sequences of file operations that may indicate ransomware activity. In some embodiments, users may be offered an opportunity to approve or disapprove of the possible ransomware activity. In others, cloud system file activity may be suspended or halted for the affected user upon recognition of possible ransomware actions. Enhanced recovery of files affected prior to recognition of the ransomware activity may be performed in some embodiments.

Computerized methods and systems mitigate the effect of a ransomware attack on an endpoint by detecting access events associated with requests by processes, including ransomware processes, to access data items on the endpoint. The data items are hidden from the operating system processes executed on the endpoint. In response to detecting an access event, an action is taken against the process associated with the access event.

A system and a method for identifying the presence of ransomware on a network including a plurality of resources, and for trapping the ransomware therein.

Systems and methods for file encrypting malware detection are provided. According to one embodiment, a monitoring module is installed within active processes running on a computer system by a kernel mode driver. Performance of a directory traversal operation on a directory of the computer system is detected by a monitoring module of a first process of the multiple active processes in which a parameter of the traversal operation includes a wildcard character. When a number of wildcard-based directory traversal operations performed by the first process exceeds a threshold, a decoy file is deployed by the monitoring module within the directory and the driver is notified. The driver monitors for and detects an attempt by the first process to tamper with the decoy file by intercepting and evaluating file system operations. Responsive to detection of the attempt, the first process is confirmed to be a malware process and is terminated.

The invention relates to a ransomware prevention method and system. The method comprises the steps of creating at least one bait file with the type conforming to a ransomware encryption type and inserting the bait file into an original file sequence of a to-be-protected disk; judging whether the bait file is changed or not; and prohibiting the to-be-protected disk to be subjected to a preset operation when the bait file is changed. According to the method and the system, the bait file with the type conforming to the ransomware encryption type is created by utilizing a characteristic that ransomware traverses disk files necessarily to search for a file type suitable for encryption, and the bait file is put in the original file sequence of the to-be-protected disk; the effects of prewarning the ransomware and protecting other disk files are achieved by monitoring the bait file; the prewarning accuracy is high; a targeted scheme is designed based on an inevitable common behavior of the ransomware, so that known and unknown ransomware can be detected; and the disk space occupied by the created bait file nearly can be ignored.

System, method and process for securing and protecting data and data backups from cyberattack and implementing disaster recovery using machine learning and artificial intelligence. Embodiments learn and establish baseline parameters of routine, normal and non-compromised behavior and activity of virtual machines operative in cloud ecosystem, detect and recognize anomalous events related to advanced persistent threats to the instance, such as ransomware, and automatically implement preconfigured actions as determined by a user with the primary objective of protecting data and data backups.

Systems and methods for detecting ransomware are provided. According to one embodiment, a computer device intercepts an operation on a file by an application and determines whether the application is ransomware based on one or more factors. The computer device mitigates the operation to the file when the application is deemed to be ransomware.

A protection system and a protection method for protecting a computer system against ransomware attacks is provided. The system and method effectively detect the effects of ransomware attacks by combining automatic detection and transparent file-recovery capabilities at the filesystem level.

The invention discloses a ransomware detection method, which is divided into two parts executed in sequence. The method comprises the following steps that: 1) training a ransomware detection model: firstly, determining a training set for training the ransomware detection model, and utilizing a distributed sandbox to carry out dynamic analysis on samples in the training set, wherein the training set is divided into two subsets including a ransomware sample set 1) and a normal sample set 2); and 2) testing the ransomware detection model: according to a feature construction algorithm, establishing a feature set, adopting a five-fold crossover method to train and test the model, and using an index with the accuracy to measure model performance. By use of the method, the defects in the prior art that ransomware is difficult in detection, the characteristics of different types of ransomware can not be deeply researched, a detected result is more and more seriously interfered and a constructed algorithm is high in dimension and complexity can be solved.

Described herein is a system that detects ransomware infection in filesystems. The system detects ransomware infection by using backup data of machines. The system detects ransomware infection in two stages. In the first stage, the system analyzes a filesystem's behavior. The filesystem's behavior can be obtained by loading the backup data and crawling the filesystem to create a filesystem metadata including information about file operations during a time interval. The filesystem determines a pattern of the file operations and compares the pattern to a normal patter to analyze the filesystem's behavior. If the filesystem's behavior is abnormal, the system proceeds to the second stage to analyze the content of the files to look for signs of encryption in the filesystem. The system combines the analysis of both stages to determine whether the filesystem is infected by ransomware.

Techniques for preventing ransomware from encrypting files on a target machine are disclosed. In some embodiments, a system/process/computer program product for preventing ransomware from encrypting files on a target machine includes monitoring file system activities on a computing device; detecting an unauthorized activity associated with a honeypot file or honeypot folder; and performing an action based on a policy in response to the unauthorized activity associated with the honeypot file or honeypot folder.

The invention provides a ransomware real-time detecting and defending method based on file request monitoring, and belongs to the technical field of system security. The method includes the steps of monitoring whether a tested program has operation behaviors on a user file or not in a user host, if yes, mirroring the file to a protected storage area, operating the file in the area, recording the complete operation information, judging whether the program is ransomware or not in combination with a dubiety measuring mechanism based on the file content and operation behavior analysis, if yes, deleting the file in the protected area and deleting the program, and if not, updating and synchronizing the file according to the file in the protected area so that the consistency of data under normalcircumstances can be ensured. Through the process, the malicious ransomware can be effectively detected, the damage of malicious codes to user data is minimized, and the aim of improving the securityand defending capacity of a server host system is achieved.

The invention discloses a ransomware detection method and system. The method comprises the steps of suspending a process and backing up files to a readable region if the file modification process exists, and releasing the process after the backup is finished; comparing entropy values of modified files and the backed-up files, and judging whether the current process performs encryption operation on the files or not; if the encryption operation exists, collecting all the encrypted files, and judging whether a proportion of the files with the same expanded names exceeds a preset value or not; if yes, continuing to judge whether the file names of the files with the same expanded names are consistent in length and part of same character strings exist or not; and if yes, judging that the files are suspected ransomware. According to the technical scheme, the ransomware can be effectively identified, the false alarm rate is reduced, and the operation of normal software on the files is not influenced.

Systems, methods, and computer-readable media can present improved detection of ransomware in a computer system. Embodiments can provide receiving backup data from the computer system. Metadata may be extracted from the backup data. Change rates of the backup metadata against prior backup data may be computed. Ransomware may be then detected by determining that the change rate exceeds a threshold change rate.

The invention provides a ransomware variation detection method based on a sequence alignment algorithm. The method comprises the specific steps of inputting a ransomware sample, extracting a sample feature sequence, processing the sample feature sequence into a gene sequence, and detecting a ransomware variation. The step of variation detection specifically comprises the sub-steps of clustering each gene sequence in a sample set, extracting clustering result information to acquire various ransomware families; using the sequence alignment algorithm Needleman-Wunsch to compute similarity betweena sample to be detected and a class cluster center sample of various ransomware families, screening out clusters with the similarity more than a preset threshold, and using the screened clusters to form a new ransomware training sample set; determining the ransomware family class to which the sample to be detected belongs b using the newly screened training sample set in combination with the sequence alignment algorithm and a KNN classification algorithm to achieve variation detection. According to the method, the purpose of quickly achieving ransomware variation detection is achieved by combining the sequence alignment algorithm with the existing classification algorithm.