Systems and methods for detecting malicious processes that encrypt files
First Claim
1. A computer-implemented method for preventing malicious computer processes from encrypting computer files, at least a portion of the method being performed by a computing device comprising at least one computer processor, the method comprising:
- identifying, by the computing device, a backup computer file previously created by a backup computer process on the computing device;
automatically detecting, by the computing device, an attempt to electronically alter the backup computer file by a computer process that is not the backup computer process, wherein the computer process appears to be a known benign process not expected to interact with the backup computer file;
determining, by the computing device based at least in part on the attempt to electronically alter the backup computer file being made by the computer process, that the computer process is a malicious computer process designed to encrypt backup computer files on the computing device so that a legitimate owner of the computer files cannot access the backup computer files, wherein determining that the computer process is the malicious computer process comprises determining, based on the computer process appearing to be a known benign process not expected to interact with the backup computer file, an origin of the computer process and analyzing previous actions of the computer process; and
performing a security action in response to determining that the computer process is malicious.
2 Assignments
0 Petitions
Accused Products
Abstract
The disclosed computer-implemented method for detecting malicious processes that encrypt files may include (i) identifying a backup file created by a backup process on the computing device, (ii) detecting an attempt to alter the backup file by a process that is not the backup process, (iii) determining, based at least in part on the attempt to alter the backup file being made by the process that is not the backup process, that the process is a malicious process designed to encrypt files on the computing device so that a legitimate owner of the files cannot access the files, and (iv) performing a security action in response to determining that the process is malicious. Various other methods, systems, and computer-readable media are also disclosed.
-
Citations
20 Claims
-
1. A computer-implemented method for preventing malicious computer processes from encrypting computer files, at least a portion of the method being performed by a computing device comprising at least one computer processor, the method comprising:
-
identifying, by the computing device, a backup computer file previously created by a backup computer process on the computing device; automatically detecting, by the computing device, an attempt to electronically alter the backup computer file by a computer process that is not the backup computer process, wherein the computer process appears to be a known benign process not expected to interact with the backup computer file; determining, by the computing device based at least in part on the attempt to electronically alter the backup computer file being made by the computer process, that the computer process is a malicious computer process designed to encrypt backup computer files on the computing device so that a legitimate owner of the computer files cannot access the backup computer files, wherein determining that the computer process is the malicious computer process comprises determining, based on the computer process appearing to be a known benign process not expected to interact with the backup computer file, an origin of the computer process and analyzing previous actions of the computer process; and performing a security action in response to determining that the computer process is malicious. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
-
-
9. A system for detecting malicious computer processes that encrypt files, the system comprising:
-
an identification module, stored in memory, that identifies a backup computer file previously created by a backup computer process on a computing device; a detection module, stored in memory, that automatically detects an attempt to electronically alter the backup computer file by a computer process that is not the backup computer process, wherein the computer process appears to be a known benign process not expected to interact with the backup computer file; a determination module, stored in memory, that determines, based at least in part on the attempt to electronically alter the backup computer file being made by the computer process, that is not the backup computer process, that the computer process is a malicious computer process designed to encrypt backup computer files on the computing device so that a legitimate owner of the backup computer files cannot access the backup computer files, wherein the computer process is determined to be the malicious computer process by determining, based on the computer process appearing to be a known benign process not expected to interact with the backup computer file, an origin of the computer process and analyzing previous actions of the computer process; a security module, stored in memory, that performs a security action in response to determining that the computer process is malicious; and at least one physical processor configured to execute the identification module, the detection module, the determination module, and the security module. - View Dependent Claims (10, 11, 12, 13, 14, 15, 16)
-
-
17. A non-transitory computer-readable medium comprising one or more computer-readable instructions that, when executed by at least one processor of a computing device, cause the computing device to:
-
identify, by the computing device, a backup computer file previously created by a backup computer process on the computing device; automatically detect, by the computing device, an attempt to electronically alter the backup computer file by a computer process that is not the backup computer process, wherein the computer process appears to be a known benign process not expected to interact with the backup computer file; determine, by the computing device based at least in part on the attempt to electronically alter the backup computer file being made by the computer process that is not the backup computer process, that the computer process is a malicious computer process designed to encrypt backup computer files on the computing device so that a legitimate owner of the backup computer files cannot access the backup computer files, wherein the computer process is determined to be the malicious computer process by determining, based on the computer process appearing to be a known benign process not expected to interact with the backup computer file, an origin of the computer process and analyzing previous actions of the computer process; and perform a security action in response to determining that the computer process is malicious. - View Dependent Claims (18, 19, 20)
-
Specification