SYSTEMS AND METHODS FOR PROTECTING BACKED-UP DATA FROM RANSOMWARE ATTACKS
First Claim
1. A computer-implemented method for protecting backed-up data from ransomware attacks, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:
- determining that a backup system periodically backs up at least one file stored at the computing device to a remote storage system by storing a copy of the file at the remote storage system;
- identifying one or more characteristics of the file backed up by the backup system, wherein the one or more characteristics are used by the backup system to identify files that are to be backed up to the remote storage system;
- storing a tripwire file with the one or more characteristics at the computing device;
- determining that the file stored at the computing device has likely been encrypted by ransomware executing on the computing device by detecting that the tripwire file has been modified;
- performing, in response to detecting that the tripwire file has been modified, an action that prevents the backup system from replacing the copy of the file at the remote storage system with a copy of the encrypted file.
Abstract
The disclosed computer-implemented method for protecting backed-up data from ransomware attacks may include (1) determining that a backup system periodically backs up at least one file stored at a computing device to a remote storage system by storing a copy of the file at the remote storage system, (2) identifying one or more characteristics of the file backed up by the backup system, (3) storing a tripwire file with the one or more characteristics at the computing device, (4) determining that the file stored at the computing device has likely been encrypted by ransomware executing on the computing device by detecting that the tripwire file has been modified, and (5) performing an action that prevents the backup system from replacing the copy of the file at the remote storage system with a copy of the encrypted file. Various other methods, systems, and computer-readable media are also disclosed.
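The steps of the abstract as a minimal sketch, added here as an illustration and not code from the patent or its assignee. It assumes the backup system selects files by directory and extension, and that the backup job checks a hold marker (`backup.hold`, a hypothetical name) before each run; all function names are likewise hypothetical.

```python
import hashlib
import secrets
import tempfile
from pathlib import Path

HOLD_NAME = "backup.hold"  # hypothetical marker the backup job is assumed to honour

def plant_tripwire(backup_dir: Path, extension: str) -> dict:
    """Store a decoy that matches the backup selection rule (directory + extension)."""
    path = backup_dir / f"~archive_index{extension}"
    content = secrets.token_bytes(4096)  # random filler, so any rewrite changes the hash
    path.write_bytes(content)
    return {"path": path, "sha256": hashlib.sha256(content).hexdigest()}

def tripwire_modified(baseline: dict) -> bool:
    """True if the decoy's bytes changed, or it was deleted or renamed."""
    try:
        data = baseline["path"].read_bytes()
    except FileNotFoundError:
        return True
    return hashlib.sha256(data).hexdigest() != baseline["sha256"]

def backup_may_run(state_dir: Path, baseline: dict) -> bool:
    """Gate called before each backup run; places a persistent hold on tampering."""
    hold = state_dir / HOLD_NAME
    if hold.exists():
        return False  # stays blocked until an operator reviews and clears the hold
    if tripwire_modified(baseline):
        hold.write_text("tripwire modified; backup suspended pending review\n")
        return False
    return True

def demo() -> list:
    """Constructed scenario: clean run, decoy rewritten, then a later run."""
    with tempfile.TemporaryDirectory() as docs, tempfile.TemporaryDirectory() as state:
        docs_dir, state_dir = Path(docs), Path(state)
        (docs_dir / "report.docx").write_bytes(b"constructed sample document")
        baseline = plant_tripwire(docs_dir, ".docx")
        results = [backup_may_run(state_dir, baseline)]
        # Simulate the modification the claim detects by rewriting the decoy.
        baseline["path"].write_bytes(b"constructed replacement bytes")
        results.append(backup_may_run(state_dir, baseline))
        results.append(backup_may_run(state_dir, baseline))  # hold persists
        return results

if __name__ == "__main__":
    print(demo())
```

Keeping the hold marker outside the backed-up directory means a process rewriting files there does not also clear the hold.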
20 Claims
1. A computer-implemented method for protecting backed-up data from ransomware attacks, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:
- determining that a backup system periodically backs up at least one file stored at the computing device to a remote storage system by storing a copy of the file at the remote storage system;
- identifying one or more characteristics of the file backed up by the backup system, wherein the one or more characteristics are used by the backup system to identify files that are to be backed up to the remote storage system;
- storing a tripwire file with the one or more characteristics at the computing device;
- determining that the file stored at the computing device has likely been encrypted by ransomware executing on the computing device by detecting that the tripwire file has been modified;
- performing, in response to detecting that the tripwire file has been modified, an action that prevents the backup system from replacing the copy of the file at the remote storage system with a copy of the encrypted file.

Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 11

12. A system for protecting backed-up data from ransomware attacks, the system comprising:
- an identifying module, stored in memory, that:
  - determines that a backup system periodically backs up at least one file stored at a computing device to a remote storage system by storing a copy of the file at the remote storage system;
  - identifies one or more characteristics of the file backed up by the backup system, wherein the one or more characteristics are used by the backup system to identify files that are to be backed up to the remote storage system;
- a storing module, stored in memory, that stores a tripwire file with the one or more characteristics at the computing device;
- a determining module, stored in memory, that determines that the file stored at the computing device has likely been encrypted by ransomware executing on the computing device by detecting that the tripwire file has been modified;
- a preventing module, stored in memory, that performs, in response to detecting that the tripwire file has been modified, an action that prevents the backup system from replacing the copy of the file at the remote storage system with a copy of the encrypted file;
- at least one processor that executes the identifying module, the storing module, the determining module, and the preventing module.

Dependent claims: 13, 14, 15, 16, 17, 18, 19

20. A non-transitory computer-readable medium comprising one or more computer-executable instructions that, when executed by at least one processor of a computing device, cause the computing device to:
- determine that a backup system periodically backs up at least one file stored at the computing device to a remote storage system by storing a copy of the file at the remote storage system;
- identify one or more characteristics of the file backed up by the backup system, wherein the one or more characteristics are used by the backup system to identify files that are to be backed up to the remote storage system;
- store a tripwire file with the one or more characteristics at the computing device;
- determine that the file stored at the computing device has likely been encrypted by ransomware executing on the computing device by detecting that the tripwire file has been modified;
- perform, in response to detecting that the tripwire file has been modified, an action that prevents the backup system from replacing the copy of the file at the remote storage system with a copy of the encrypted file.
Specification