Detection of malware, such as ransomware
Abstract
Methods and devices for detection of malware, such as ransomware, are disclosed. Ransomware encrypts files, making them useless to the owner. The entropy value of files is calculated and, in response to a predetermined event, such as a write operation to the file, a new entropy value is calculated. If the change in entropy value exceeds a threshold, or if the magic number of a file is missing or is inconsistent with the file type, then malware may be present. Steps are then taken to prevent further encryption by the malware.
20 Claims
1. A computer-implemented method to detect and act with respect to malware, comprising:
for a plurality of stored files, calculating and storing respective first entropy values for individual files of the stored files;
subsequent to the calculating and storing of the respective first entropy values, determining that a predetermined event has occurred with respect to a file of the plurality of stored files, the predetermined event being at least one of:
occurrence of a predetermined date, occurrence of a predetermined time, elapse of a predetermined amount of time since a last predetermined event occurred, creation of a new file, storage of a new file, modification of the file to produce a modified version of the file, a write operation, an instruction to write to the file to produce a modified version of the file, or a read operation;
retrieving a first entropy value for the file;
calculating a second entropy value, the second entropy value being for:
a current version of the file when the predetermined event is occurrence of a predetermined date, occurrence of a predetermined time, elapse of a predetermined amount of time since a last predetermined event occurred, or a read operation;
the modified version when the predetermined event is modification of the file, or an instruction to write to the file; or
the new file when the predetermined event is creation of the new file, storage of the new file, or a write operation;
comparing the second entropy value with the first entropy value;
determining that the second entropy value is substantially different from the first entropy value; and
performing, or causing another computer to perform, a predetermined action regarding the malware, wherein the predetermined action comprises at least one of:
locking one or more files of the plurality of stored files, making one or more of the files of the plurality of stored files to be read-only, causing the modified version to be recorded as a new file or as a different version of the file, causing a copy of one or more files of the plurality of stored files to be sent to a backup server, postponing a scheduled destruction or erasure of a backup file, stopping any scheduled destruction or erasure of a backup file, marking the file or the modified version as encrypted, or marking a cached-block as encrypted.
Dependent claims 2 to 14 are not reproduced here.
15. A system to detect and act with respect to malware, comprising:
one or more computing devices configured to:
for a plurality of stored files, calculate and store respective first entropy values for individual files of the stored files;
subsequent to calculating and storing the respective first entropy values, determine that a predetermined event has occurred with respect to a file of the plurality of stored files, the predetermined event being at least one of:
occurrence of a predetermined date, occurrence of a predetermined time, elapse of a predetermined amount of time since a last predetermined event occurred, creation of a new file, storage of a new file, modification of the file to produce a modified version of the file, a write operation, an instruction to write to the file to produce a modified version of the file, or a read operation;
retrieve a first entropy value for the file;
calculate a second entropy value, the second entropy value being for:
a current version of the file when the predetermined event is occurrence of a predetermined date, occurrence of a predetermined time, elapse of a predetermined amount of time since a last predetermined event occurred, or a read operation;
the modified version when the predetermined event is modification of the file or an instruction to write to the file; or
the new file when the predetermined event is creation of the new file, storage of the new file, or a write operation;
compare the second entropy value with the first entropy value;
determine that the second entropy value is substantially different from the first entropy value; and
perform, or cause another computer to perform, a predetermined action regarding the malware, wherein the predetermined action comprises at least one of:
locking one or more files of the plurality of stored files, making one or more of the files of the plurality of stored files to be read-only, causing the modified version to be recorded as a new file or as a different version of the file, causing a copy of one or more files of the plurality of stored files to be sent to a backup server, postponing a scheduled destruction or erasure of a backup file, stopping any scheduled destruction or erasure of a backup file, marking the file or the modified version as encrypted, or marking a cached-block as encrypted.
Dependent claims 16 and 17 are not reproduced here.
18. A computer storage medium having computer-executable instructions stored thereupon to detect and act with respect to malware and which, when executed by a computer, cause the computer to:
for a plurality of stored files, calculate and store respective first entropy values for individual files of the stored files;
subsequent to calculating and storing the first entropy values, determine that a predetermined event has occurred with respect to a file of the plurality of stored files, the predetermined event being at least one of:
occurrence of a predetermined date, occurrence of a predetermined time, elapse of a predetermined amount of time since a last predetermined event occurred, creation of a new file, storage of a new file, modification of the file to produce a modified version of the file, a write operation, an instruction to write to the file to produce a modified version of the file, or a read operation;
calculate a second entropy value, the second entropy value being for:
a current version of the file when the predetermined event is occurrence of a predetermined date, occurrence of a predetermined time, elapse of a predetermined amount of time since a last predetermined event occurred, or a read operation;
the modified version when the predetermined event is modification of the file, or an instruction to write to the file; or
the new file when the predetermined event is creation of the new file, storage of the new file, or a write operation;
compare the second entropy value with the first entropy value;
determine that malware may be present based on the second entropy value being substantially different from the first entropy value; and
perform, or cause another computer to perform, a predetermined action regarding the malware, wherein the predetermined action comprises at least one of:
locking one or more files of the plurality of stored files, making one or more of the files of the plurality of stored files to be read-only, causing the modified version to be recorded as a new file or as a different version of the file, causing a copy of one or more files of the plurality of stored files to be sent to a backup server, postponing a scheduled destruction or erasure of a backup file, stopping any scheduled destruction or erasure of a backup file, marking the file or the modified version as encrypted, or marking a cached-block as encrypted.
Dependent claims 19 and 20 are not reproduced here.
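The mechanism described in the abstract and enumerated in claim 1 (store a first entropy value per file, recompute a second value on a write, modification or creation event, treat a large difference or a missing/inconsistent magic number as a sign of encryption, then apply a protective action such as making files read-only or holding back backup erasure) is exercised end to end in the following Python example. This is an added illustration, not code from the patent or its assignee: the "substantially different" threshold of 2.0 bits, the new-file threshold, the magic-number table, the event names and the constructed sample files are all assumptions made for the demonstration.

```python
"""Entropy-delta ransomware detector (illustrative example, not the patent's
reference implementation). Events and actions follow the claim language;
thresholds, the magic-number table and the sample files are assumptions."""
import hashlib
import math
import os
from collections import Counter
from typing import Dict, List, Optional, Set

# Constructed magic-number table; a real deployment would use a fuller one.
MAGIC_NUMBERS = {
    ".pdf": b"%PDF-",
    ".png": b"\x89PNG\r\n\x1a\n",
    ".zip": b"PK\x03\x04",
    ".gz": b"\x1f\x8b",
}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or uniform input, 8.0 max."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def magic_consistent(name: str, data: bytes) -> Optional[bool]:
    """True/False when the extension has a known signature, None when unknown."""
    sig = MAGIC_NUMBERS.get(os.path.splitext(name)[1].lower())
    return None if sig is None else data.startswith(sig)


class EntropyMonitor:
    """Keeps first entropy values and re-evaluates a file when an event occurs."""

    EVENTS = {"scheduled", "read", "modify", "write", "create"}  # assumed names

    def __init__(self, jump_threshold: float = 2.0, new_file_threshold: float = 7.5):
        self.first_entropy: Dict[str, float] = {}
        self.jump_threshold = jump_threshold          # "substantially different" (assumed)
        self.new_file_threshold = new_file_threshold  # files with no baseline (assumed)
        self.read_only: Set[str] = set()
        self.marked_encrypted: Set[str] = set()
        self.backup_erasure_postponed = False

    def record_first_entropy(self, name: str, data: bytes) -> float:
        self.first_entropy[name] = shannon_entropy(data)
        return self.first_entropy[name]

    def on_event(self, event: str, name: str, data: bytes) -> dict:
        """Compute the second entropy value for the event's version and act on it."""
        if event not in self.EVENTS:
            raise ValueError(f"unknown event {event!r}")
        second = shannon_entropy(data)
        first = self.first_entropy.get(name)
        reasons: List[str] = []
        if first is not None and second - first >= self.jump_threshold:
            reasons.append("entropy_jump")
        if first is None and second >= self.new_file_threshold:
            reasons.append("new_high_entropy")
        if magic_consistent(name, data) is False:
            reasons.append("magic_mismatch")
        actions = self._respond(name) if reasons else []
        if not reasons:
            self.first_entropy[name] = second  # a benign change becomes the new baseline
        return {"file": name, "first": first, "second": second,
                "suspicious": bool(reasons), "reasons": reasons, "actions": actions}

    def _respond(self, name: str) -> List[str]:
        """Three of the claim's predetermined actions, recorded as state changes."""
        self.read_only.add(name)
        self.marked_encrypted.add(name)
        self.backup_erasure_postponed = True
        return ["make_read_only", "mark_encrypted", "postpone_backup_erasure"]


def pseudo_random_bytes(n: int, seed: bytes = b"example") -> bytes:
    """Deterministic stand-in for ciphertext (SHA-256 chain) so the demo is repeatable."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


# Constructed sample files: a prose "PDF", a benign edit of it, and an encrypted overwrite.
DOCUMENT = b"%PDF-1.4\n" + b"The quick brown fox jumps over the lazy dog.\n" * 100
EDITED = DOCUMENT + b"Appendix A: more of the same prose.\n" * 5
ENCRYPTED = pseudo_random_bytes(len(DOCUMENT))


def demo() -> List[dict]:
    mon = EntropyMonitor()
    mon.record_first_entropy("report.pdf", DOCUMENT)
    return [mon.on_event("modify", "report.pdf", EDITED),      # benign edit: no action
            mon.on_event("write", "report.pdf", ENCRYPTED)]    # ransomware overwrite: flagged


if __name__ == "__main__":
    for result in demo():
        print(result)
```

Two design points matter in practice. The comparison is relative to the file's own baseline rather than an absolute entropy bar, which is what keeps already-compressed or encrypted formats (ZIP, PNG, gzip) from being flagged on every write; an absolute check alone would alert on them constantly. Conversely, the magic-number check is cheap but weak on its own, since a ransomware family that preserves the original header and encrypts only the body passes it, so it is best treated as a second signal alongside the entropy delta, never as the sole trigger for the protective actions.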
Specification