SYSTEMS AND METHODS FOR PROTECTING BACKED-UP DATA FROM RANSOMWARE ATTACKS

US 20170140156A1
Filed: 11/12/2015
Published: 05/18/2017
Est. Priority Date: 11/12/2015
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for protecting backed-up data from ransomware attacks, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:

determining that a backup system periodically backs up at least one file stored at the computing device to a remote storage system by storing a copy of the file at the remote storage system;

identifying one or more characteristics of the file backed up by the backup system, wherein the one or more characteristics are used by the backup system to identify files that are to be backed up to the remote storage system;

storing a tripwire file with the one or more characteristics at the computing device;

determining that the file stored at the computing device has likely been encrypted by ransomware executing on the computing device by detecting that the tripwire file has been modified;

performing, in response to detecting that the tripwire file has been modified, an action that prevents the backup system from replacing the copy of the file at the remote storage system with a copy of the encrypted file.

View all claims

6 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The disclosed computer-implemented method for protecting backed-up data from ransomware attacks may include (1) determining that a backup system periodically backs up at least one file stored at a computing device to a remote storage system by storing a copy of the file at the remote storage system, (2) identifying one or more characteristics of the file backed up by the backup system, (3) storing a tripwire file with the one or more characteristics at the computing device, (4) determining that the file stored at the computing device has likely been encrypted by ransomware executing on the computing device by detecting that the tripwire file has been modified, (5) performing an action that prevents the backup system from replacing the copy of the file at the remote storage system with a copy of the encrypted file. Various other methods, systems, and computer-readable media are also disclosed.

67 Citations

View as Search Results

20 Claims

1. A computer-implemented method for protecting backed-up data from ransomware attacks, at least a portion of the method being performed by a computing device comprising at least one processor, the method comprising:
- determining that a backup system periodically backs up at least one file stored at the computing device to a remote storage system by storing a copy of the file at the remote storage system;
  
  identifying one or more characteristics of the file backed up by the backup system, wherein the one or more characteristics are used by the backup system to identify files that are to be backed up to the remote storage system;
  
  storing a tripwire file with the one or more characteristics at the computing device;
  
  determining that the file stored at the computing device has likely been encrypted by ransomware executing on the computing device by detecting that the tripwire file has been modified;
  
  performing, in response to detecting that the tripwire file has been modified, an action that prevents the backup system from replacing the copy of the file at the remote storage system with a copy of the encrypted file.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The computer-implemented method of claim 1, wherein storing the tripwire file at the computing device comprises:
    - identifying an additional file stored at the computing device with the one or more characteristics;
      
      generating the tripwire file from the additional file.
  - 3. The computer-implemented method of claim 1, wherein:
    - the one or more characteristics comprise a storage location at the computing device;
      
      storing the tripwire file at the computing device comprises storing the tripwire file to the storage location.
  - 4. The computer-implemented method of claim 1, wherein:
    - the one or more characteristics comprise a file type;
      
      storing the tripwire file at the computing device comprises generating the tripwire file with the file type.
  - 5. The computer-implemented method of claim 1, wherein:
    - the one or more characteristics comprise the most common file type of files backed up by the backup system;
      
      storing the tripwire file at the computing device comprises generating the tripwire file with the most common file type.
  - 6. The computer-implemented method of claim 1, wherein:
    - identifying the one or more characteristics of the file backed up by the backup system comprises identifying every combination of characteristics used by the backup system to identify files that are to be backed up to the remote storage system;
      
      storing the tripwire file at the computing device comprises, for each combination of characteristics;
      
      generating a tripwire file with the combination of characteristics;
      
      storing the tripwire file with the combination of characteristics at the computing device.
  - 7. The computer-implemented method of claim 1, wherein performing the action comprises halting backup activities of the backup system.
  - 8. The computer-implemented method of claim 1, wherein the backup system performs the step of detecting that the tripwire file has been modified.
  - 9. The computer-implemented method of claim 1, wherein the backup system performs the step of storing the tripwire file at the computing device.
  - 10. The computer-implemented method of claim 1, further comprising:
    - notifying, in response to detecting that the tripwire file has been modified, a user of the computing device of the presence of the ransomware on the computing device;
      
      enabling the user to recover the file from the copy of the file at the remote storage system.
  - 11. The computer-implemented method of claim 1, wherein the tripwire file is unique to the computing device.

12. A system for protecting backed-up data from ransomware attacks, the system comprising:
- an identifying module, stored in memory, that;
  
  determines that a backup system periodically backs up at least one file stored at a computing device to a remote storage system by storing a copy of the file at the remote storage system;
  
  identifies one or more characteristics of the file backed up by the backup system, wherein the one or more characteristics are used by the backup system to identify files that are to be backed up to the remote storage system;
  
  a storing module, stored in memory, that stores a tripwire file with the one or more characteristics at the computing device;
  
  a determining module, stored in memory, that determines that the file stored at the computing device has likely been encrypted by ransomware executing on the computing device by detecting that the tripwire file has been modified;
  
  a preventing module, stored in memory, that performs, in response to detecting that the tripwire file has been modified, an action that prevents the backup system from replacing the copy of the file at the remote storage system with a copy of the encrypted file;
  
  at least one processor that executes the identifying module, the storing module, the determining module, and the preventing module.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19)
- - 13. The system of claim 12, wherein the storing module stores the tripwire file at the computing device by:
    - identifying an additional file stored at the computing device with the one or more characteristics;
      
      generating the tripwire file from the additional file.
  - 14. The system of claim 12, wherein:
    - the one or more characteristics comprise a storage location at the computing device;
      
      the storing module stores the tripwire file at the computing device by storing the tripwire file to the storage location.
  - 15. The system of claim 12, wherein:
    - the one or more characteristics comprise a file type;
      
      the storing module stores the tripwire file at the computing device by generating the tripwire file with the file type.
  - 16. The system of claim 12, wherein:
    - the one or more characteristics comprise the most common file type of files backed up by the backup system;
      
      the storing module stores the tripwire file at the computing device by generating the tripwire file with the most common file type.
  - 17. The system of claim 12, wherein:
    - the identifying module identifies the one or more characteristics of the file backed up by the backup system by identifying every combination of characteristics used by the backup system to identify files that are to be backed up to the remote storage system;
      
      the storing module stores the tripwire file at the computing device by, for each combination of characteristics;
      
      generating a tripwire file with the combination of characteristics;
      
      storing the tripwire file with the combination of characteristics at the computing device.
  - 18. The system of claim 12, wherein the preventing module performs the action by halting backup activities of the backup system.
  - 19. The system of claim 12, wherein the backup system comprises the determining module.

20. A non-transitory computer-readable medium comprising one or more computer-executable instructions that, when executed by at least one processor of a computing device, cause the computing device to:
- determine that a backup system periodically backs up at least one file stored at the computing device to a remote storage system by storing a copy of the file at the remote storage system;
  
  identify one or more characteristics of the file backed up by the backup system, wherein the one or more characteristics are used by the backup system to identify files that are to be backed up to the remote storage system;
  
  store a tripwire file with the one or more characteristics at the computing device;
  
  determine that the file stored at the computing device has likely been encrypted by ransomware executing on the computing device by detecting that the tripwire file has been modified;
  
  perform, in response to detecting that the tripwire file has been modified, an action that prevents the backup system from replacing the copy of the file at the remote storage system with a copy of the encrypted file.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Gen Digital Inc.
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Boucher, Matt, Gu, Lei

Granted Patent

US 10,032,033 B2
Time in Patent Office

Days
Field of Search
US Class Current
CPC Class Codes

G06F 11/14   Error detection or correcti...

G06F 11/1446   Point-in-time backing up or...

G06F 11/1448   Management of the data invo...

G06F 11/1451   by selection of backup cont...

G06F 11/1458   Management of the backup or...

G06F 21/554   involving event detection a...

G06F 21/566   Dynamic detection, i.e. det...

G06F 21/602   Providing cryptographic fac...

G06F 2221/034   Test or assess a computer o...

SYSTEMS AND METHODS FOR PROTECTING BACKED-UP DATA FROM RANSOMWARE ATTACKS

First Claim

6 Assignments

0 Petitions

Accused Products

Abstract

67 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

SYSTEMS AND METHODS FOR PROTECTING BACKED-UP DATA FROM RANSOMWARE ATTACKS

First Claim

6 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

67 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links