Ransomware is a specific form of malware that may hold a computing device hostage by preventing access to, or otherwise impeding the normal function of, the device unless a user pays to remove the malware. For example, cryptoviral extortion may accomplish this by encrypting a user's files (using, e.g., a session key) and demanding payment before decrypting those files and restoring the user's access to them.
Security software traditionally attempts to remove malware after it has infected a device and/or attempts to minimize the damage caused during infection. However, due to the large size of keys used in the encryption process of cryptoviral extortion, this form of ransomware may be nearly impossible to overcome after an attack without possession of the encryption key used in the attack. Because of this, some security solutions may create backup copies of files (by, e.g., mirroring existing files on the device) and store them in a separate location for use in the event of an attack. If ransomware is not detected in time, however, these backup copies may simply mirror the encrypted files and leave the user without a recovery option. Accordingly, the instant disclosure identifies and addresses a need for additional and improved systems for detecting ransomware and managing files in order to prevent the complete loss of files and data due to cryptoviral extortion and other forms of ransomware attacks.