Ransomware detection and mitigation
First Claim
1. A computerized method for detecting and mitigating a ransomware attack on an endpoint device, the method comprising:
- detecting, by a kernel mode agent, an initiation of a process;
determining, by the user mode agent, the process is a suspicious process;
intercepting, by the kernel mode agent, a first request by the suspicious process to open a protected file, wherein the suspicious process has write permissions;
prior to enabling the suspicious process to open the protected file, (i) responsive to determining a size of the protected file is greater than or equal to a predefined size threshold, generating a copy of a portion of the protected file less than an entirety of the protected file for storage at a secure storage location, and (ii) responsive to determining the size is less than the predefined size threshold, generating a copy of the entirety of the protected file for storage at the secure storage location;
intercepting, by the kernel mode agent, a second request by the suspicious process to close the protected file;
determining, by the user mode agent, whether the suspicious process is associated with the ransomware attack based on an analysis of the protected file; and
responsive to determining the suspicious process is associated with the ransomware attack, generating, by the user mode agent, an alert notifying a user of the endpoint device.
5 Assignments
0 Petitions
Accused Products
Abstract
A computerized method for detecting and mitigating a ransomware attack is described. The method features (i) a kernel mode agent that intercepts an initiation of a process, intercepts one or more system calls made by the process when the process is determined to be suspicious and copies at least a portion of a protected file to a secure storage location when a request to open a protected file by the process is intercepted when the process is determined to be suspicious, and (ii) a user mode agent that determines whether the process is a suspicious process, monitors processing of the suspicious process and determines whether the suspicious process is associated with a ransomware attack. Additionally, in order to mitigate effects of a ransomware attack, the kernel mode agent may restore the protected file with a copy stored in the secure storage location when a ransomware attack is detected.
818 Citations
21 Claims
-
1. A computerized method for detecting and mitigating a ransomware attack on an endpoint device, the method comprising:
-
detecting, by a kernel mode agent, an initiation of a process; determining, by the user mode agent, the process is a suspicious process; intercepting, by the kernel mode agent, a first request by the suspicious process to open a protected file, wherein the suspicious process has write permissions; prior to enabling the suspicious process to open the protected file, (i) responsive to determining a size of the protected file is greater than or equal to a predefined size threshold, generating a copy of a portion of the protected file less than an entirety of the protected file for storage at a secure storage location, and (ii) responsive to determining the size is less than the predefined size threshold, generating a copy of the entirety of the protected file for storage at the secure storage location; intercepting, by the kernel mode agent, a second request by the suspicious process to close the protected file; determining, by the user mode agent, whether the suspicious process is associated with the ransomware attack based on an analysis of the protected file; and responsive to determining the suspicious process is associated with the ransomware attack, generating, by the user mode agent, an alert notifying a user of the endpoint device. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
-
-
11. A non-transitory computer readable medium, when processed by a hardware processor, monitors processing of a process on an endpoint device and determines whether the process is associated with a ransomware attack, the non-transitory computer readable medium comprising:
-
a kernel mode agent to intercept an initiation of a process, intercept one or more system calls made by the process when the process is determined to be suspicious and generate a copy of at least a portion of a protected file when a request to open a protected file by the process is intercepted when the process is determined to be suspicious, wherein the copy is stored at a secure storage location, and wherein (i) when a size of the protected file is greater than or equal to a predefined size threshold, the copy is less than an entirety of the protected file, and (ii) when the size of the protected file is less than the predefined size threshold, the copy is of an entirety of the protected file; and a user mode agent to determine whether the process is a suspicious process, monitor processing of the suspicious process, determine whether the suspicious process is associated with a cyber-attack, and generate an alert to notify a user of the endpoint device. - View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20)
-
-
21. A network device, comprising:
-
a hardware processor; and a memory communicatively coupled to the hardware processor, the memory comprises; (i) a kernel mode agent that, when executed by the processor, intercepts an initiation of a process, intercepts one or more system calls made by the process when the process is determined to be suspicious and generates a copy of at least a portion of a protected file when a request to open a protected file by the process is intercepted when the process is determined to be suspicious, wherein the copy is stored at a secure storage location, and wherein (i) when a size of the protected file is greater than or equal to a predefined size threshold, the copy is less than an entirety of the protected file, and (ii) when the size of the protected file is less than the predefined size threshold, the copy is of an entirety of the protected file; and (ii) a user mode agent that, when executed by the processor, determines whether the process is a suspicious process, monitors processing of the suspicious process, determines whether the suspicious process is associated with a ransomware attack and responsive to determining the suspicious process is associated with the ransomware attack, generates an alert to notify a user of the network device.
-
Specification