Some existing systems are vulnerable to attacks on the software operating on those systems by crypto-ransomware or other malware (referred to herein as “hostile processes”). Attacks by hostile processes are delivered over a network or by an infected device connected to the system, such as a universal serial bus (USB) device. These attacks are frequently referred to as “zero day attacks.” A zero day attack relies on a vulnerability or “hole” in the software that is unknown to the vendor of the attacked software. The security hole is then exploited before the vendor provides a fix for the vulnerability, for example in the form of a software update.
For example, a hostile process may be transmitted to a machine by email, downloaded in a cookie from a website, or uploaded as a file from a USB device. Once the hostile process gains access to the machine, it searches for files of interest, such as documents, spreadsheets, presentation files, and other personal or business files. The hostile process then compromises the files of interest by encrypting them with a per-user unique key. When the user later attempts to open a compromised file, a warning is displayed stating that the file is encrypted. The warning provides further instructions for the user to send ransom money (e.g., to a given virtual currency wallet) in order to decrypt the attacked file. Because most of these ransom transactions use virtual currency, it is difficult to trace the source of the hostile process. Many users keep their files of interest in specific folders, such as user profile document folders or other user profile folders. Consequently, files under these user profile folders are particularly exposed to such attacks.
In some existing solutions, anti-virus software relies upon signatures to identify and combat hostile processes. However, anti-virus signatures are less effective against the zero day attacks described above, because the anti-virus software and its databases do not yet have signatures for the new hostile processes. Other existing solutions are behavior-based: they identify a pattern of unusual or suspicious process activity, such as a series of encryption operations followed by disk writes. However, by the time a behavior-based solution recognizes the suspicious activity, some of the attacked files will already have been encrypted.
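The following Python example is added here to illustrate the behavior-based approach and its inherent lag; it is not part of the original text and does not describe any particular product. It models the “series of encryption and disk writes” heuristic as a sliding-window rule: a process is flagged once it has overwritten a threshold number of files under a user profile folder with high-entropy (ciphertext-like) content within a short time window. The event stream, the profile folder prefixes, the entropy cutoff, the threshold and the window are all constructed assumptions, chosen so that the result shows how many files are already compromised when the alert finally fires.

```python
"""Behavior-based ransomware detection over a constructed file-write event stream.

Added illustration (not code from the original text). All folder names,
thresholds and events below are assumptions made for this example.
"""
import math
from collections import Counter, deque

# Assumed "user profile" roots; writes elsewhere are not counted by this rule.
PROFILE_PREFIXES = ("C:\\Users\\", "/home/")
MIN_ENTROPY = 7.0     # assumed cutoff in bits/byte; ciphertext approaches 8.0
THRESHOLD = 5         # assumed: flag a process after this many suspicious writes...
WINDOW_SECONDS = 10   # ...inside this many seconds


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the buffer; encrypted or compressed data approaches 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def is_suspicious_write(path: str, content: bytes) -> bool:
    """A write is suspicious if it lands in a profile folder with ciphertext-like content."""
    return path.startswith(PROFILE_PREFIXES) and shannon_entropy(content) >= MIN_ENTROPY


def detect(events, threshold=THRESHOLD, window=WINDOW_SECONDS):
    """Run the sliding-window rule over (timestamp, pid, path, content) events.

    Returns {pid: (alert_time, paths_overwritten_before_the_alert)} for every
    process that crossed the threshold. The list length is the number of files
    already compromised by the time the behavior-based rule reacts.
    """
    recent = {}        # pid -> deque of timestamps of suspicious writes in the window
    compromised = {}   # pid -> paths overwritten so far
    alerts = {}        # pid -> (alert_time, paths lost before the alert)
    for ts, pid, path, content in sorted(events, key=lambda e: e[0]):
        if pid in alerts or not is_suspicious_write(path, content):
            continue   # benign write, or the process has already been flagged
        q = recent.setdefault(pid, deque())
        q.append(ts)
        compromised.setdefault(pid, []).append(path)
        while q and ts - q[0] > window:
            q.popleft()   # drop writes that fell out of the time window
        if len(q) >= threshold:
            alerts[pid] = (ts, list(compromised[pid]))
    return alerts


# Constructed sample content: a stand-in for ciphertext in which every byte value
# occurs equally often (entropy exactly 8.0), and ordinary document text.
CIPHERTEXT_LIKE = bytes(range(256)) * 4
PLAINTEXT_LIKE = b"Quarterly report, draft 3. " * 40

# Constructed events: pid 100 edits documents normally, pid 200 overwrites eight
# profile-folder files with ciphertext-like data every half second, and pid 300
# writes high-entropy data outside any profile folder (e.g., a legitimate cache).
SAMPLE_EVENTS = [
    (0.0, 100, "C:\\Users\\alice\\Documents\\report.docx", PLAINTEXT_LIKE),
    (1.0, 100, "C:\\Users\\alice\\Documents\\notes.txt", PLAINTEXT_LIKE),
    (7.0, 300, "C:\\Windows\\Temp\\cache.bin", CIPHERTEXT_LIKE),
] + [
    (5.0 + 0.5 * i, 200, f"C:\\Users\\alice\\Documents\\file{i}.xlsx", CIPHERTEXT_LIKE)
    for i in range(8)
]


if __name__ == "__main__":
    for pid, (when, lost) in detect(SAMPLE_EVENTS).items():
        print(f"pid {pid} flagged at t={when}s; {len(lost)} files already overwritten:")
        for p in lost:
            print("   ", p)
```

With the constructed stream, only pid 200 is flagged, at t=7.0 s, and the rule reports five files already overwritten before it could react; this is the lag the passage above describes, and it is why lowering the threshold trades fewer lost files for more false positives on benign high-entropy writes such as compression or legitimate encryption.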