Malicious actors may try to gain access to and corrupt user data on computing devices for various purposes. For example, malicious code may be distributed via a computer trojan, virus, or self-replicating worm, and in one implementation, when executed on a computing device may encrypt user data with a strong encryption algorithm. The code may generate a message to the user, offering to unlock or decrypt their files in exchange for monetary payments. As brute-force decryption of the files may take years, many users will reluctantly pay the ransom. Other malicious code may be distributed to sabotage data or applications for indirect economic gain, to cause damage, or out of malevolence or mischievousness.
Defending against such attacks is difficult, particularly with computing devices that are connected to the Internet. Typical countermeasures include anti-virus applications that execute on the computing device and scan received data for code segments or signatures matching a library. The library needs to be updated frequently to catch newly developed attacks, and accordingly, if the computing device receives the malicious code before the library is updated, the anti-virus application may not be able to detect or prevent the damage. Such attacks may be referred to as zero-day attacks, as they strike without any pre-warning or opportunity to apply library-based countermeasures.