Systems and methods for detecting malicious processes that encrypt files

US 10,210,330 B1
Filed: 09/13/2016
Issued: 02/19/2019
Est. Priority Date: 09/13/2016
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for preventing malicious computer processes from encrypting computer files, at least a portion of the method being performed by a computing device comprising at least one computer processor, the method comprising:

identifying, by the computing device, a backup computer file previously created by a backup computer process on the computing device;

automatically detecting, by the computing device, an attempt to electronically alter the backup computer file by a computer process that is not the backup computer process, wherein the computer process appears to be a known benign process not expected to interact with the backup computer file;

determining, by the computing device based at least in part on the attempt to electronically alter the backup computer file being made by the computer process, that the computer process is a malicious computer process designed to encrypt backup computer files on the computing device so that a legitimate owner of the computer files cannot access the backup computer files, wherein determining that the computer process is the malicious computer process comprises determining, based on the computer process appearing to be a known benign process not expected to interact with the backup computer file, an origin of the computer process and analyzing previous actions of the computer process; and

performing a security action in response to determining that the computer process is malicious.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The disclosed computer-implemented method for detecting malicious processes that encrypt files may include (i) identifying a backup file created by a backup process on the computing device, (ii) detecting an attempt to alter the backup file by a process that is not the backup process, (iii) determining, based at least in part on the attempt to alter the backup file being made by the process that is not the backup process, that the process is a malicious process designed to encrypt files on the computing device so that a legitimate owner of the files cannot access the files, and (iv) performing a security action in response to determining that the process is malicious. Various other methods, systems, and computer-readable media are also disclosed.

Citations

20 Claims

1. A computer-implemented method for preventing malicious computer processes from encrypting computer files, at least a portion of the method being performed by a computing device comprising at least one computer processor, the method comprising:
- identifying, by the computing device, a backup computer file previously created by a backup computer process on the computing device;
  
  automatically detecting, by the computing device, an attempt to electronically alter the backup computer file by a computer process that is not the backup computer process, wherein the computer process appears to be a known benign process not expected to interact with the backup computer file;
  
  determining, by the computing device based at least in part on the attempt to electronically alter the backup computer file being made by the computer process, that the computer process is a malicious computer process designed to encrypt backup computer files on the computing device so that a legitimate owner of the computer files cannot access the backup computer files, wherein determining that the computer process is the malicious computer process comprises determining, based on the computer process appearing to be a known benign process not expected to interact with the backup computer file, an origin of the computer process and analyzing previous actions of the computer process; and
  
  performing a security action in response to determining that the computer process is malicious.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The computer-implemented method of claim 1, wherein performing the security action comprises notifying an administrator of the computing device about the attempt to electronically alter the backup computer file by the malicious computer process.
  - 3. The computer-implemented method of claim 1, wherein performing the security action comprises blocking the attempt to electronically alter the backup computer file.
  - 4. The computer-implemented method of claim 1, wherein performing the security action comprises removing the malicious computer process from the computing device.
  - 5. The computer-implemented method of claim 1, wherein detecting the attempt to electronically alter the backup computer file by the computer process that is not the backup computer process comprises determining that the computer process is not on a list of backup computer processes expected to electronically alter the backup computer file.
  - 6. The computer-implemented method of claim 1, wherein detecting the attempt to electronically alter the backup computer file comprises monitoring the backup computer file for attempts to electronically alter the backup computer file.
  - 7. The computer-implemented method of claim 1, wherein:
    - the computing device comprises a backup server; and
      
      the backup computer file comprises a backup of a computer file stored on an additional computing device that does not comprise the backup server.
  - 8. The computer-implemented method of claim 1, wherein:
    - the computing device comprises an endpoint computing device; and
      
      the backup computer file comprises a backup of a computer file stored on the endpoint computing device.

9. A system for detecting malicious computer processes that encrypt files, the system comprising:
- an identification module, stored in memory, that identifies a backup computer file previously created by a backup computer process on a computing device;
  
  a detection module, stored in memory, that automatically detects an attempt to electronically alter the backup computer file by a computer process that is not the backup computer process, wherein the computer process appears to be a known benign process not expected to interact with the backup computer file;
  
  a determination module, stored in memory, that determines, based at least in part on the attempt to electronically alter the backup computer file being made by the computer process, that is not the backup computer process, that the computer process is a malicious computer process designed to encrypt backup computer files on the computing device so that a legitimate owner of the backup computer files cannot access the backup computer files, wherein the computer process is determined to be the malicious computer process by determining, based on the computer process appearing to be a known benign process not expected to interact with the backup computer file, an origin of the computer process and analyzing previous actions of the computer process;
  
  a security module, stored in memory, that performs a security action in response to determining that the computer process is malicious; and
  
  at least one physical processor configured to execute the identification module, the detection module, the determination module, and the security module.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
- - 10. The system of claim 9, wherein the security module performs the security action by notifying an administrator of the computing device about the attempt to electronically alter the backup computer file by the malicious computer process.
  - 11. The system of claim 9, wherein the security module performs the security action by blocking the attempt to electronically alter the backup computer file.
  - 12. The system of claim 9, wherein the security module performs the security action by removing the malicious computer process from the computing device.
  - 13. The system of claim 9, wherein the detection module detects the attempt to electronically alter the backup computer file by the computer process that is not the backup computer process by determining that the computer process is not on a list of backup computer processes expected to electronically alter the backup computer file.
  - 14. The system of claim 9, wherein the detection module detects the attempt to electronically alter the backup computer file by monitoring the backup computer file for attempts to alter the backup computer file.
  - 15. The system of claim 9, wherein:
    - the computing device comprises a backup server; and
      
      the backup computer file comprises a backup of a computer file stored on an additional computing device that does not comprise the backup server.
  - 16. The system of claim 9, wherein:
    - the computing device comprises an endpoint computing device; and
      
      the backup computer file comprises a backup of a computer file stored on the endpoint computing device.

17. A non-transitory computer-readable medium comprising one or more computer-readable instructions that, when executed by at least one processor of a computing device, cause the computing device to:
- identify, by the computing device, a backup computer file previously created by a backup computer process on the computing device;
  
  automatically detect, by the computing device, an attempt to electronically alter the backup computer file by a computer process that is not the backup computer process, wherein the computer process appears to be a known benign process not expected to interact with the backup computer file;
  
  determine, by the computing device based at least in part on the attempt to electronically alter the backup computer file being made by the computer process that is not the backup computer process, that the computer process is a malicious computer process designed to encrypt backup computer files on the computing device so that a legitimate owner of the backup computer files cannot access the backup computer files, wherein the computer process is determined to be the malicious computer process by determining, based on the computer process appearing to be a known benign process not expected to interact with the backup computer file, an origin of the computer process and analyzing previous actions of the computer process; and
  
  perform a security action in response to determining that the computer process is malicious.
- View Dependent Claims (18, 19, 20)
- - 18. The non-transitory computer-readable medium of claim 17, wherein the one or more computer-readable instructions cause the computing device to perform the security action by notifying an administrator of the computing device about the attempt to electronically alter the backup computer file by the malicious computer process.
  - 19. The non-transitory computer-readable medium of claim 17, wherein the one or more computer-readable instructions cause the computing device to perform the security action by blocking the attempt to electronically alter the backup computer file.
  - 20. The non-transitory computer-readable medium of claim 17, wherein the one or more computer-readable instructions cause the computing device to perform the security action by removing the malicious computer process from the computing device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Chen, Joseph
Primary Examiner(s)
Abedin, Shanto

Application Number

US15/263,398
Time in Patent Office

889 Days
Field of Search

726 22- 25
US Class Current
CPC Class Codes

G06F 11/1448   Management of the data invo...

G06F 11/1451   by selection of backup cont...

G06F 21/554   involving event detection a...

G06F 21/566   Dynamic detection, i.e. det...

G06F 2201/80   Database-specific techniques

Systems and methods for detecting malicious processes that encrypt files

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods for detecting malicious processes that encrypt files

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links