Ransomware is a type of malware that encrypts a victim's files and demands electronic payment of a ransom in return for the means to decrypt them. Ransomware can use a different, uniquely generated key pair for encrypting and decrypting files on each computer it infects. Such ransomware is typically controlled from a server, often referred to as a Command and Control (“C&C”) server. The ransomware first infects a computer, then sends a message back over the Internet to its C&C server. The C&C server generates a unique asymmetric key pair for use on that specific compromised computer. The private (decryption) key is retained on the C&C server and never sent to the endpoint, while the public (encryption) key is provided to the instance of the ransomware on the compromised computer, which uses it to perform the file encryption; without the private key held on the server, the files cannot be decrypted. In a variation on this scenario, the ransomware generates a symmetric key locally, uses it to encrypt the files, requests the generation of a unique asymmetric key pair by the C&C server, uses the public key of the pair to encrypt (wrap) the symmetric key, and then deletes the clear-text symmetric key so that no usable decryption key remains on the endpoint. In this case the private key on the C&C server is needed to decrypt the symmetric key, which in turn is needed to decrypt the files. In either case, it is access to the private (decryption) key, or its use to unwrap the symmetric key, that is promised to the victim in return for paying the ransom.
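To make the key handling in the variation above concrete, the following Go example (added here; it is not code from the original page, and it models no real ransomware family) represents the C&C side and the endpoint side as two in-process functions operating on an in-memory byte string rather than on files or a network. The choice of RSA-OAEP for wrapping the symmetric key and AES-GCM for the bulk encryption is an assumption for illustration; the scheme described above does not specify algorithms. The point it demonstrates is structural: once the clear-text symmetric key is discarded, the only copy that remains is wrapped under a public key whose private half never left the server, so recovery with any other key pair fails.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Server models the C&C side. It holds the per-victim private key and never releases it.
type Server struct {
	priv *rsa.PrivateKey
}

// NewServer generates the unique asymmetric key pair for one compromised computer.
func NewServer() (*Server, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &Server{priv: priv}, nil
}

// PublicKey is the only key material the server hands to the endpoint.
func (s *Server) PublicKey() *rsa.PublicKey { return &s.priv.PublicKey }

// UnwrapKey is the single operation that requires the private key: it recovers the
// symmetric key from its wrapped form. In the scheme described, this is what the
// victim pays for.
func (s *Server) UnwrapKey(wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, s.priv, wrapped, nil)
}

// Envelope is what is left on the endpoint: ciphertext plus the wrapped symmetric key.
type Envelope struct {
	Nonce      []byte
	Ciphertext []byte
	WrappedKey []byte
}

// EncryptOnEndpoint models the endpoint side of the variation: generate a symmetric
// key locally, use it for the bulk encryption, wrap it with the server's public key,
// then overwrite the clear-text symmetric key so nothing on the endpoint can decrypt.
// (AES-256-GCM and RSA-OAEP are assumed here for illustration.)
func EncryptOnEndpoint(pub *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	ciphertext := gcm.Seal(nil, nonce, plaintext, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	for i := range key { // discard the clear-text key; only the wrapped copy survives
		key[i] = 0
	}
	return &Envelope{Nonce: nonce, Ciphertext: ciphertext, WrappedKey: wrapped}, nil
}

// DecryptWithKey is the bulk decryption that becomes possible once the symmetric key
// has been unwrapped.
func DecryptWithKey(key []byte, env *Envelope) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

// Recover succeeds only when the server holding the matching private key cooperates;
// any other key pair fails at the unwrap step and never reaches the bulk decryption.
func Recover(srv *Server, env *Envelope) ([]byte, error) {
	key, err := srv.UnwrapKey(env.WrappedKey)
	if err != nil {
		return nil, errors.New("wrapped key cannot be recovered without the matching private key")
	}
	return DecryptWithKey(key, env)
}

func main() {
	srv, _ := NewServer()
	env, _ := EncryptOnEndpoint(srv.PublicKey(), []byte("constructed sample document")) // constructed input
	pt, err := Recover(srv, env)
	fmt.Printf("with the matching private key: %q (err=%v)\n", pt, err)
	other, _ := NewServer()
	_, err = Recover(other, env)
	fmt.Println("with a different key pair:", err)
}
```

Running the program shows the plaintext recovered when the key pair that produced the public key is used, and an unwrap error when a second, unrelated server key pair is tried; the ciphertext itself is never the weak point, which is why the defensive focus in practice is on preventing the encryption from running or on restoring from backups rather than on breaking the cryptography.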
Antimalware software is often deployed at an enterprise level in order to detect and block malware such as ransomware. However, large organizations cannot always ensure that every endpoint within their network is protected. This is especially a risk in the case of unmanaged guest laptops or other mobile computing devices (e.g., those brought in by consultants, business visitors, etc.). Where an endpoint computer within an enterprise's network is infected by malware, the malware can encrypt not only the files on the local media of the endpoint, but also any remotely located files to which the endpoint has access, such as cloud-based shares and file server data. In this case the server on which the files are located never sees the ransomware itself; it sees only the read and write requests, issued under the infected user's normal access rights, by which the files are overwritten with their encrypted versions. Because those requests look like ordinary file access, the server cannot easily stop the encryption process.
It would be desirable to address these issues.