Ransomware detection and mitigation

US 10,503,904 B1
Filed: 07/24/2017
Issued: 12/10/2019
Est. Priority Date: 06/29/2017
Status: Active Grant

First Claim

Patent Images

1. A computerized method for detecting and mitigating a ransomware attack on an endpoint device, the method comprising:

detecting, by a kernel mode agent, an initiation of a process;

determining, by the user mode agent, the process is a suspicious process;

intercepting, by the kernel mode agent, a first request by the suspicious process to open a protected file, wherein the suspicious process has write permissions;

prior to enabling the suspicious process to open the protected file, (i) responsive to determining a size of the protected file is greater than or equal to a predefined size threshold, generating a copy of a portion of the protected file less than an entirety of the protected file for storage at a secure storage location, and (ii) responsive to determining the size is less than the predefined size threshold, generating a copy of the entirety of the protected file for storage at the secure storage location;

intercepting, by the kernel mode agent, a second request by the suspicious process to close the protected file;

determining, by the user mode agent, whether the suspicious process is associated with the ransomware attack based on an analysis of the protected file; and

responsive to determining the suspicious process is associated with the ransomware attack, generating, by the user mode agent, an alert notifying a user of the endpoint device.

View all claims

5 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A computerized method for detecting and mitigating a ransomware attack is described. The method features (i) a kernel mode agent that intercepts an initiation of a process, intercepts one or more system calls made by the process when the process is determined to be suspicious and copies at least a portion of a protected file to a secure storage location when a request to open a protected file by the process is intercepted when the process is determined to be suspicious, and (ii) a user mode agent that determines whether the process is a suspicious process, monitors processing of the suspicious process and determines whether the suspicious process is associated with a ransomware attack. Additionally, in order to mitigate effects of a ransomware attack, the kernel mode agent may restore the protected file with a copy stored in the secure storage location when a ransomware attack is detected.

818 Citations

21 Claims

1. A computerized method for detecting and mitigating a ransomware attack on an endpoint device, the method comprising:
- detecting, by a kernel mode agent, an initiation of a process;
  
  determining, by the user mode agent, the process is a suspicious process;
  
  intercepting, by the kernel mode agent, a first request by the suspicious process to open a protected file, wherein the suspicious process has write permissions;
  
  prior to enabling the suspicious process to open the protected file, (i) responsive to determining a size of the protected file is greater than or equal to a predefined size threshold, generating a copy of a portion of the protected file less than an entirety of the protected file for storage at a secure storage location, and (ii) responsive to determining the size is less than the predefined size threshold, generating a copy of the entirety of the protected file for storage at the secure storage location;
  
  intercepting, by the kernel mode agent, a second request by the suspicious process to close the protected file;
  
  determining, by the user mode agent, whether the suspicious process is associated with the ransomware attack based on an analysis of the protected file; and
  
  responsive to determining the suspicious process is associated with the ransomware attack, generating, by the user mode agent, an alert notifying a user of the endpoint device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The computerized method of claim 1, further comprising:
    - restoring, by the kernel mode agent, the protected file with the copy stored in the secure storage location when the suspicious process is determined to be associated with the ransomware attack.
  - 3. The computerized method of claim 1, wherein the determining the process is the suspicious process includes:
    - performing a static analysis of the process by the user mode agent and assigning, by the user mode agent, a first score to a result of the static analysis;
      
      determining, by the user mode agent, whether an executable file corresponding to the process was generated through data manipulation of a monitored process and assigning, by the user mode agent, a second score to a result of determining whether the executable file corresponding to the process was generated through data manipulation of the monitored process;
      
      determining, by the user mode agent, whether the process is a non-system process being analyzed for a first time and assigning a third score to a result of determining whether the process is the non-system process being analyzed for the first time; and
      
      determining, by the user mode agent, the process is the suspicious process when at least one of the first score, the second score, or the third score are above a first predefined threshold, or a combination of the first score, the second score, or the third score is above a second predefined threshold.
  - 4. The computerized method of claim 1, wherein the at least the portion of the protected file includes an entirety of the protected file.
  - 5. The computerized method of claim 1, further comprising:
    - subsequent to generating the copy of at least the portion of the protected file, providing, by the kernel mode agent, the suspicious process having write permissions access to open the protected file, wherein the copy of at least the portion of the protected file is stored at the secure storage location.
  - 6. The computerized method of claim 5, further comprising:
    - monitoring, by the user mode agent, operations performed by the suspicious process involving the protected file.
  - 7. The computerized method of claim 1, wherein determining whether the suspicious process is associated with the ransomware attack includes:
    - a first determination by the user mode agent as to whether a result of an entropy calculation of the protected file by the kernel mode agent is greater than a predefined entropy threshold.
  - 8. The computerized method of claim 7, wherein determining whether the suspicious process is associated with the ransomware attack further includes:
    - a second determination by the user mode agent as to whether the protected file has been modified by the suspicious wherein the protected file is not accessible by a corresponding application.
  - 9. The computerized method of claim 8, wherein determining whether the suspicious process is associated with the ransomware attack includes:
    - a third determination by the user mode agent as to whether the protected file was encrypted by the kernel mode agent.
  - 10. The computerized method of claim 1, further comprising:
    - responsive to determining the suspicious process is associated with the ransomware attack, quarantining, by the user mode agent, a software application that caused the initiation of the suspicious process.

11. A non-transitory computer readable medium, when processed by a hardware processor, monitors processing of a process on an endpoint device and determines whether the process is associated with a ransomware attack, the non-transitory computer readable medium comprising:
- a kernel mode agent to intercept an initiation of a process, intercept one or more system calls made by the process when the process is determined to be suspicious and generate a copy of at least a portion of a protected file when a request to open a protected file by the process is intercepted when the process is determined to be suspicious, wherein the copy is stored at a secure storage location, and wherein (i) when a size of the protected file is greater than or equal to a predefined size threshold, the copy is less than an entirety of the protected file, and (ii) when the size of the protected file is less than the predefined size threshold, the copy is of an entirety of the protected file; and
  
  a user mode agent to determine whether the process is a suspicious process, monitor processing of the suspicious process, determine whether the suspicious process is associated with a cyber-attack, and generate an alert to notify a user of the endpoint device.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 12. The non-transitory computer readable medium of claim 11, wherein determining whether the process is the suspicious process includes:
    - performing a static analysis of the process by the user mode agent and assigning a first score to a result of static analysis;
      
      determining, by the user mode agent, whether an executable file corresponding to the process was generated through data manipulation of a monitored process and assigning a second score to a result of determining whether the executable file corresponding to the process was generated through data manipulation of the monitored process;
      
      determining, by the user mode agent, whether the process is a non-system process being analyzed for a first time and assigning a third score to determining whether the process is the non-system process being analyzed for the first time; and
      
      determining, by the user mode agent, the process is the suspicious process when at least one of the first score, the second score, or the third score are above a first predefined threshold, or a combination of the first score, the second score, or the third score is above a second predefined threshold.
  - 13. The non-transitory computer readable medium of claim 11, wherein the kernel mode agent to permit the suspicious process to open the protected file with write permissions following generating the copy of at least the portion of the protected file, wherein the copy is stored at the secure storage location.
  - 14. The non-transitory computer readable medium of claim 11, wherein the kernel mode agent to intercept a request by the suspicious process to close the protected file.
  - 15. The non-transitory computer readable medium of claim 14, wherein the kernel mode agent to perform an entropy calculation on the protected file following interception of the request to close the protected file.
  - 16. The non-transitory computer readable medium of claim 15, wherein the user mode agent to instruct the kernel mode agent to restore the protected file with the copy stored in the secure storage location when the suspicious process is associated with the ransomware attack.
  - 17. The non-transitory computer readable medium of claim 11, wherein determining whether the suspicious process is associated with the ransomware attack includes:
    - a first determination by the user mode agent as to whether a result of an entropy calculation of the protected file by the kernel mode agent is greater than a predefined entropy threshold.
  - 18. The non-transitory computer readable medium of claim 17, wherein determining whether the suspicious process is associated with the ransomware attack further includes:
    - a second determination by the user mode agent as to whether the protected file has been modified by the suspicious wherein the protected file is not accessible by a corresponding application; and
      
      a third determination by the user mode agent as to whether the protected file was encrypted by the kernel mode agent.
  - 19. The non-transitory computer readable medium of claim 11, wherein the cyber-attack is a ransomware attack.
  - 20. The non-transitory computer readable medium of claim 11, wherein responsive to determining the suspicious process is associated with the cyber-attack, the user mode agent to quarantine a software application that caused the initiation of the suspicious process.

21. A network device, comprising:
- a hardware processor; and
  
  a memory communicatively coupled to the hardware processor, the memory comprises;
  
  (i) a kernel mode agent that, when executed by the processor, intercepts an initiation of a process, intercepts one or more system calls made by the process when the process is determined to be suspicious and generates a copy of at least a portion of a protected file when a request to open a protected file by the process is intercepted when the process is determined to be suspicious, wherein the copy is stored at a secure storage location, and wherein (i) when a size of the protected file is greater than or equal to a predefined size threshold, the copy is less than an entirety of the protected file, and (ii) when the size of the protected file is less than the predefined size threshold, the copy is of an entirety of the protected file; and
  
  (ii) a user mode agent that, when executed by the processor, determines whether the process is a suspicious process, monitors processing of the suspicious process, determines whether the suspicious process is associated with a ransomware attack and responsive to determining the suspicious process is associated with the ransomware attack, generates an alert to notify a user of the network device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fireeye Security Holdings US LLC
Original Assignee
FireEye, Inc.
Inventors
Singh, Japneet, Gupta, Anil
Primary Examiner(s)
Lwin, Maung T

Application Number

US15/658,278
Time in Patent Office

869 Days
Field of Search

None
US Class Current
CPC Class Codes

G06F 21/554   involving event detection a...

G06F 21/561   Virus type analysis

G06F 21/565   by checking file integrity

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/568   eliminating virus, restorin...

Ransomware detection and mitigation

First Claim

5 Assignments

0 Petitions

Accused Products

Abstract

818 Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Ransomware detection and mitigation

First Claim

5 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

818 Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links