
Detection of malware, such as ransomware

  • US 10,121,003 B1
  • Filed: 12/20/2016
  • Issued: 11/06/2018
  • Est. Priority Date: 12/20/2016
  • Status: Active Grant
First Claim

1. A computer-implemented method to detect and act with respect to malware, comprising:

  • for a plurality of stored files, calculating and storing respective first entropy values for individual files of the stored files;
  • subsequent to the calculating and storing of the respective first entropy values, determining that a predetermined event has occurred with respect to a file of the plurality of stored files, the predetermined event being at least one of: occurrence of a predetermined date, occurrence of a predetermined time, elapse of a predetermined amount of time since a last predetermined event occurred, creation of a new file, storage of a new file, modification of the file to produce a modified version of the file, a write operation, an instruction to write to the file to produce a modified version of the file, or a read operation;
  • retrieving a first entropy value for the file;
  • calculating a second entropy value, the second entropy value being for:
    • a current version of the file when the predetermined event is occurrence of a predetermined date, occurrence of a predetermined time, elapse of a predetermined amount of time since a last predetermined event occurred, or a read operation;
    • the modified version when the predetermined event is modification of the file, or an instruction to write to the file; or
    • the new file when the predetermined event is creation of the new file, storage of the new file, or a write operation;
  • comparing the second entropy value with the first entropy value;
  • determining that the second entropy value is substantially different from the first entropy value; and
  • performing, or causing another computer to perform, a predetermined action regarding the malware, wherein the predetermined action comprises at least one of: locking one or more files of the plurality of stored files, making one or more of the files of the plurality of stored files to be read-only, causing the modified version to be recorded as a new file or as a different version of the file, causing a copy of one or more files of the plurality of stored files to be sent to a backup server, postponing a scheduled destruction or erasure of a backup file, stopping any scheduled destruction or erasure of a backup file, marking the file or the modified version as encrypted, or marking a cached-block as encrypted.
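
The claim above describes a baseline-then-recompute entropy check. The following is an added illustration (not code from the patent or its assignee) of that logic: a Shannon entropy per file is stored first, recomputed when a modification event arrives, and a "substantially different" result maps to the claim's defensive actions. The 2.0 bits-per-byte threshold, the `EntropyMonitor` class and the sample contents are assumptions constructed for the example.

```python
import hashlib
import math
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte: 0.0 for empty/uniform
    data, 8.0 when all 256 byte values are equally frequent."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


class EntropyMonitor:
    """Stores the claim's 'first entropy value' per file and compares it with a
    'second entropy value' computed when a predetermined event occurs."""

    # Assumed threshold for 'substantially different'; tune per file type.
    def __init__(self, threshold_bits: float = 2.0):
        self.threshold = threshold_bits
        self.baseline: dict[str, float] = {}

    def record_baseline(self, path: str, content: bytes) -> float:
        first = shannon_entropy(content)
        self.baseline[path] = first
        return first

    def on_event(self, path: str, current: bytes) -> dict:
        """Handle a modification/write/read event for `path` holding `current` bytes."""
        second = shannon_entropy(current)
        first = self.baseline.get(path)
        if first is None:
            # Creation or storage of a new file: there is no first value yet,
            # so the second value becomes the baseline for later comparisons.
            self.baseline[path] = second
            return {"path": path, "first": None, "second": second, "flagged": False, "actions": []}
        flagged = abs(second - first) >= self.threshold
        # Defensive actions named in the claim, returned as recommendations only.
        actions = (["make_read_only", "record_as_new_version", "copy_to_backup_server",
                    "stop_backup_erasure", "mark_as_encrypted"] if flagged else [])
        return {"path": path, "first": first, "second": second, "flagged": flagged, "actions": actions}


# Constructed sample content: readable text versus encrypted-looking pseudo-random bytes.
PLAINTEXT = b"The quick brown fox jumps over the lazy dog. " * 50
ENCRYPTED_LIKE = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64))
```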

  • 1 Assignment