Detection of malware, such as ransomware

US 10,121,003 B1
Filed: 12/20/2016
Issued: 11/06/2018
Est. Priority Date: 12/20/2016
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method to detect and act with respect to malware, comprising:

for a plurality of stored files, calculating and storing respective first entropy values for individual files of the stored files;

subsequent to the calculating and storing of the respective first entropy values, determining that a predetermined event has occurred with respect to a file of the plurality of stored files, the predetermined event being at least one of;

occurrence of a predetermined date, occurrence of a predetermined time, elapse of a predetermined amount time since a last predetermined event occurred, creation of a new file, storage of a new file, modification of the file to produce a modified version of the file, a write operation, an instruction to write to the file to produce a modified version of the file, or a read operation;

retrieving a first entropy value for the file;

calculating a second entropy value, the second entropy value being fora current version of the file when the predetermined event is occurrence of a predetermined date, occurrence of a predetermined time, elapse of a predetermined amount time since a last predetermined event occurred, or a read operation;

the modified version when the predetermined event is modification of the file, or an instruction to write to the file;

orthe new file when the predetermined event is creation of the new file, storage of the new file, or a write operation;

comparing the second entropy value with the first entropy value;

determining that the second entropy value is substantially different from the first entropy value; and

performing, or causing another computer to perform, a predetermined action regarding the malware, wherein the predetermined action comprises at least one of;

locking one or more files of the plurality of stored files, making one or more of the files of the plurality of stored files to be read-only, causing the modified version to be recorded as a new file or as a different version of the file, causing a copy of one or more files of the plurality of stored files to be sent to a backup server, postponing a scheduled destruction or erasure of a backup file, stopping any scheduled destruction or erasure of a backup file, marking the file or the modified version as encrypted, or marking a cached-block as encrypted.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and devices for detection of malware, such as ransomware, are disclosed. Ransomware encrypts files, making them useless to the owner. The entropy value of files is calculated and, in response to a predetermined event, such as a write operation to the file, a new entropy value is calculated. If the change in entropy value exceeds a threshold, or if the magic number of a file is missing or is inconsistent with the file type, then malware may be present. Steps are then taken to prevent further encryption by the malware.

Citations

20 Claims

1. A computer-implemented method to detect and act with respect to malware, comprising:
- for a plurality of stored files, calculating and storing respective first entropy values for individual files of the stored files;
  
  subsequent to the calculating and storing of the respective first entropy values, determining that a predetermined event has occurred with respect to a file of the plurality of stored files, the predetermined event being at least one of;
  
  occurrence of a predetermined date, occurrence of a predetermined time, elapse of a predetermined amount time since a last predetermined event occurred, creation of a new file, storage of a new file, modification of the file to produce a modified version of the file, a write operation, an instruction to write to the file to produce a modified version of the file, or a read operation;
  
  retrieving a first entropy value for the file;
  
  calculating a second entropy value, the second entropy value being fora current version of the file when the predetermined event is occurrence of a predetermined date, occurrence of a predetermined time, elapse of a predetermined amount time since a last predetermined event occurred, or a read operation;
  
  the modified version when the predetermined event is modification of the file, or an instruction to write to the file;
  
  orthe new file when the predetermined event is creation of the new file, storage of the new file, or a write operation;
  
  comparing the second entropy value with the first entropy value;
  
  determining that the second entropy value is substantially different from the first entropy value; and
  
  performing, or causing another computer to perform, a predetermined action regarding the malware, wherein the predetermined action comprises at least one of;
  
  locking one or more files of the plurality of stored files, making one or more of the files of the plurality of stored files to be read-only, causing the modified version to be recorded as a new file or as a different version of the file, causing a copy of one or more files of the plurality of stored files to be sent to a backup server, postponing a scheduled destruction or erasure of a backup file, stopping any scheduled destruction or erasure of a backup file, marking the file or the modified version as encrypted, or marking a cached-block as encrypted.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The computer-implemented method of claim 1, wherein the predetermined event is receipt of an instruction to write to the file.
  - 3. The computer-implemented method of claim 1, wherein determining that the second entropy value is substantially different from the first entropy value comprises:
    - determining a percentage of change for the second entropy value with respect to the first entropy value; and
      
      determining that the percentage of change exceeds a percentage threshold value.
  - 4. The computer-implemented method of claim 1, wherein determining that the second entropy value is substantially different from the first entropy value comprises:
    - determining a first log of the first entropy value;
      
      determining a second log of the second entropy value;
      
      determining a ratio of the second log to the first log; and
      
      determining that the ratio exceeds a ratio threshold value.
  - 5. The computer-implemented method of claim 1 wherein the file has a plurality of sections and calculating the first entropy value for the file comprises:
    - calculating an entropy value for each section of the file; and
      
      calculating the first entropy value for the file as an average of entropy values for the sections of the file.
  - 6. The computer-implemented method of claim 1 wherein the predetermined action comprises to lock one or more files of the plurality of files.
  - 7. The computer-implemented method of claim 1 and further comprising:
    - determining a file type for the file, wherein the file type is one of;
      
      ASCII text, an Adobe Photoshop image, an Adobe Illustrator image file, a Microsoft Outlook message, GIF image data, an HTML file, ISO MP4 media, a JPEG image data, a text file, a WordPerfect™
      
      file, a Microsoft Excel file, a Microsoft PowerPoint™
      
      file, a Microsoft Visio file, a word processing document, a spreadsheet, a drawing file, an image file, a 3D image file, a raster image file, a vector image file, a page layout file, a database file, an audio file, a video file, an executable file, a game file, a geographical information system file, a computer aided drawing file, a web file, a font file, a system file, a settings file, an encoded file, a compressed file, a disk image file, an application development file, a backup file, a javascript object notation file, an extensible markup language file, or an unstructured data file.
  - 8. The computer-implemented method of claim 1 wherein the predetermined action comprises to make one or more of the files of the plurality of stored files to be read-only.
  - 9. The computer-implemented method of claim 1 wherein the predetermined action comprises to cause the modified version to be recorded as a new file or as a different version of the file.
  - 10. The computer-implemented method of claim 1 wherein the predetermined action comprises to cause a copy of one or more files of the plurality of stored files to be sent to a backup server.
  - 11. The computer-implemented method of claim 1 wherein the predetermined action comprises to send an alert to one or more human operators.
  - 12. The computer-implemented method of claim 1 wherein the predetermined action comprises at least one of:
    - to postpone any scheduled destruction, or erasure of a backup tape or backup file;
      
      orto stop any scheduled destruction, or erasure of a backup tape or backup file.
  - 13. The computer-implemented method of claim 1 and further comprising:
    - determining a file type of the file;
      
      determining that the second entropy value is not within a predetermined range of entropy values for the file type; and
      
      wherein the predetermined action comprises marking the file as encrypted.
  - 14. The computer-implemented method of claim 1, wherein the predetermined event is the modification of the file, and further comprising:
    - determining a file type of the file;
      
      determining that the second entropy value is not within a predetermined range of entropy values for the file type; and
      
      marking the modified version of the file as encrypted.

15. A system to detect and act with respect to malware, comprising:
- one or more computing devices configured to;
  
  for a plurality of stored files, calculate and store respective first entropy values for individual files of the stored files;
  
  subsequent to the calculate and store of the respective first entropy values, determine that a predetermined event has occurred with respect to a file of the plurality of stored files, the predetermined event being at least one of;
  
  occurrence of a predetermined date, occurrence of a predetermined time, elapse of a predetermined amount time since a last predetermined event occurred, creation of a new file, storage of a new file, modification of the file to produce a modified version of the file, a write operation, an instruction to write to the file to produce a modified version of the file, or a read operation;
  
  retrieve a first entropy value for the file;
  
  calculate a second entropy value, the second entropy value being for;
  
  a current version of the file when the predetermined event is occurrence of a predetermined date, occurrence of a predetermined time, elapse of a predetermined amount time since a last predetermined event occurred, or a read operation;
  
  the modified version when the predetermined event is modification of the file or an instruction to write to the file;
  
  orthe new file when the predetermined event is creation of the new file, storage of the new file, or a write operation;
  
  compare the second entropy value with the first entropy value;
  
  determine that the second entropy value is substantially different from the first entropy value; and
  
  perform, or cause another computer to perform, a predetermined action regarding the malware, wherein the predetermined action comprises at least one of;
  
  locking one or more files of the plurality of stored files, making one or more of the files of the plurality of stored files to be read-only, causing the modified version to be recorded as a new file or as a different version of the file, causing a copy of one or more files of the plurality of stored files to be sent to a backup server, postponing a scheduled destruction, or erasure of a backup file, stopping any scheduled destruction, or erasure of a backup, marking the file or the modified version as encrypted, or marking a cached-block as encrypted.
- View Dependent Claims (16, 17)
- - 16. The system of claim 15 wherein the one or more computing devices are further configured to compare the second entropy value with the first entropy value of the file by:
    - determining a percentage of change for the second entropy value with respect to the first entropy value; and
      
      determining that the percentage of change exceeds a percentage threshold value.
  - 17. The system of claim 15 wherein the one or more computing devices are further configured to compare the second entropy value with the first entropy value of the file by:
    - determining a first log of the first entropy value;
      
      determining a second log of the second entropy value;
      
      determining a ratio of the second log to the first log; and
      
      determining that the ratio exceeds a ratio threshold value.

18. A computer storage medium having computer-executable instructions stored thereupon to detect and act with respect to malware and which, when executed by a computer, cause the computer to:
- for a plurality of stored files, calculate and store respective first entropy values for individual files of the stored files;
  
  subsequent to the calculate and store of the first entropy values, determine that a predetermined event has occurred with respect to a file of the plurality of stored files, the predetermined event being at least one of;
  
  occurrence of a predetermined date, occurrence of a predetermined time, elapse of a predetermined amount time since a last predetermined event occurred, creation of a new file, storage of a new file, modification of the file to produce a modified version of the file, a write operation, an instruction to write to the file to produce a modified version of the file, or a read operation;
  
  calculate a second entropy value, the second entropy value being for;
  
  a current version of the file when the predetermined event is occurrence of a predetermined date, occurrence of a predetermined time, elapse of a predetermined amount time since a last predetermined event occurred, or a read operation;
  
  the modified version when the predetermined event is modification of the file, or an instruction to write to the file;
  
  orthe new file when the predetermined event is creation of the new file, storage of the new file, or a write operation;
  
  compare the second entropy value with the first entropy value;
  
  determine that malware may be present based on the second entropy value being substantially different from the first entropy value; and
  
  perform, or cause another computer to perform, a predetermined action regarding the malware, wherein the predetermined action comprises at least one of;
  
  locking one or more files of the plurality of stored files, making one or more of the files of the plurality of stored files to be read-only, causing the modified version to be recorded as a new file or as a different version of the file, causing a copy of one or more files of the plurality of stored files to be sent to a backup server, postponing a scheduled destruction, or erasure of a backup file, stopping any scheduled destruction, or erasure of a backup file, marking the file or the modified version as encrypted, or marking a cached-block as encrypted.
- View Dependent Claims (19, 20)
- - 19. The computer storage medium of claim 18 having further computer-executable instructions stored thereupon which, when executed by the computer, cause the computer to compare the second entropy value with first entropy value by:
    - determining a percentage of change for the second entropy value with respect to the first entropy value; and
      
      determining that the percentage of change exceeds a percentage threshold value.
  - 20. The computer storage medium of claim 18 having further computer-executable instructions stored thereupon which, when executed by the computer, cause the computer to compare the second entropy value with first entropy value by:
    - determining a first log of the first entropy value;
      
      determining a second log of the second entropy value;
      
      determining a ratio of the second log to the first log; and
      
      determining that the ratio exceeds a ratio threshold value.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Original Assignee
Amazon Technologies, Inc. (Amazon.com, Inc.)
Inventors
Adams, Gavin Anthony
Primary Examiner(s)
Li, Meng

Application Number

US15/385,099
Time in Patent Office

686 Days
Field of Search
US Class Current
CPC Class Codes

G06F 21/565 by checking file integrity

G06F 2221/034 Test or assess a computer o...

Detection of malware, such as ransomware

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Detection of malware, such as ransomware

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links