Anti-ransomware systems and methods using a sinkhole at an electronic device
First Claim
1. A malware scanner to scan computer files, the malware scanner comprising:
at least one storage device; and
at least one processor, wherein the at least one processor is to implement:
a sinkhole generator to generate a sinkhole directory, wherein the sinkhole directory is to recursively expand when a computer file performs a file listing of the sinkhole directory to occupy the computer file by extending a period of time taken to perform the file listing of the sinkhole directory, and wherein the sinkhole generator is to generate the sinkhole directory to include a canary file to be processed and to include a recursive junction to point back to the sinkhole directory, the recursive junction to include a plurality of recursive file system mount points to recursively direct a process associated with the computer file to process the canary file;
an analyzer to monitor execution of the computer file while the computer file is performing the file listing of the sinkhole directory to attempt to identify an indicator of compromise associated with the computer file, the analyzer to classify the computer file as ransomware when the analyzer identifies the indicator of compromise; and
a cleaner to remediate the ransomware, wherein the sinkhole generator, the analyzer, and the cleaner are implemented using software and executed by the at least one processor.
Abstract
Methods, apparatus, systems, and articles of manufacture to remediate ransomware are disclosed. An example malware scanner includes a sinkhole generator to generate a sinkhole directory. The example malware scanner includes a storage device adapted to store a computer file and the sinkhole directory, wherein the sinkhole directory recursively expands when the computer file performs a file listing of the sinkhole directory to occupy the computer file by extending a period of time taken to perform the file listing of the sinkhole directory. The example malware scanner includes an analyzer to monitor execution of the computer file while the computer file is performing the file listing of the sinkhole directory to attempt to identify an indicator of compromise associated with the computer file, the analyzer to classify the computer file as ransomware when the analyzer identifies the indicator of compromise. The example malware scanner includes a cleaner to remediate the ransomware.
12 Claims
5. At least one non-transitory machine-readable medium comprising instructions which, when executed, cause at least one processor to at least:
spawn a sinkhole directory to recursively expand when a file index of the sinkhole directory is performed to extend a period of time taken for a computer file to perform the file index of the sinkhole directory, the sinkhole directory to include a canary file to be processed and to include a recursive junction to point back to the sinkhole directory, the recursive junction to include a plurality of recursive file system mount points to recursively direct a process associated with the computer file to process the canary file;
identify the computer file as ransomware in response to a presence of an indicator of compromise associated with execution of the computer file; and
remediate the ransomware.
Dependent claims: 6, 7, 8.
9. A method to remediate ransomware on an electronic device, the method comprising:
generating, by executing an instruction with at least one processor, a sinkhole directory, the sinkhole directory to recursively expand when a computer file performs a file listing of the sinkhole directory to delay the computer file by extending a period of time to perform the file listing, the generating of the sinkhole directory including generating a canary file and a recursive junction in the sinkhole directory, the recursive junction to include a plurality of recursive file system mount points to recursively direct a process associated with the computer file to process the canary file;
monitoring, by executing an instruction with the at least one processor, execution of the computer file while the computer file is performing the file listing of the sinkhole directory to attempt to identify an indicator of compromise associated with the computer file;
classifying, by executing an instruction with the at least one processor, the computer file as ransomware in response to identification of the indicator of compromise; and
remediating the ransomware by executing an instruction with the at least one processor.
Dependent claims: 10, 11, 12.
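The mechanism the abstract and the independent claims describe, modelled as a small Python example added here (it is not the patent's own code): a sinkhole directory holding a canary file and a link that points back at the directory itself, a naive link-following walker that shows why listing it only stops at an artificial depth cap, and an analyzer that flags the canary being rewritten or removed. It assumes a POSIX symbolic link in place of the Windows junction and mount points the claims name, and a SHA-256 mismatch on the canary as the indicator of compromise; the page specifies neither.

```python
import hashlib
import os
import tempfile
from pathlib import Path

CANARY_NAME = "canary.txt"
CANARY_BYTES = b"constructed canary content\n"  # constructed sample; only its hash matters

def build_sinkhole(parent):
    """Create parent/sinkhole: a canary file plus a link that points back at the directory itself."""
    root = Path(parent, "sinkhole")
    root.mkdir()
    (root / CANARY_NAME).write_bytes(CANARY_BYTES)
    # Assumption: a POSIX symlink stands in for the junction / mount points the claims describe.
    os.symlink(".", root / "loop")  # sinkhole/loop -> sinkhole, so loop/loop/loop/... never ends
    return str(root)

def canary_digest(root):
    return hashlib.sha256((Path(root) / CANARY_NAME).read_bytes()).hexdigest()

def naive_listing(root, max_depth):
    """Follow links as an enumerating process would; the depth cap only exists so the demo ends."""
    visited, stack = [], [(root, 0)]
    while stack:
        path, depth = stack.pop()
        for name in sorted(os.listdir(path)):
            full = os.path.join(path, name)
            visited.append(full)
            if os.path.isdir(full) and depth < max_depth:
                stack.append((full, depth + 1))
    return visited

def analyze(root, baseline_digest):
    """A canary rewritten or removed while a process sits in the sinkhole is treated as the IoC."""
    canary = Path(root) / CANARY_NAME
    if not canary.is_file() or canary_digest(root) != baseline_digest:
        return "ransomware"
    return "benign"

def demo(max_depth=3):
    # Build a sinkhole, list it, then rewrite the canary; return what each step observed.
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sinkhole(tmp)
        baseline = canary_digest(root)
        paths = naive_listing(root, max_depth)
        before = analyze(root, baseline)
        (Path(root) / CANARY_NAME).write_bytes(b"tampered")  # constructed stand-in for tampering
        after = analyze(root, baseline)
    return {"entries": len(paths), "canaries": sum(p.endswith(CANARY_NAME) for p in paths),
            "before": before, "after": after}
```

With `max_depth=3` the walker sees the same two entries four times over (8 paths, 4 canary copies), and raising the cap only adds more; a real ransomware enumerator with no cap stays inside, which is the window the analyzer uses.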