Data encryption programs (cryptors) have become a popular form of malicious software: when launched on a user's computer, they encrypt the most important data (such as images, text files and other files typically used by the computer user). After the encryption, the user is asked to pay the hacker money in order to get the key for decrypting his files. Given that hackers are making ever increasing use of asymmetric encryption, it is practically impossible to restore the user's data without knowledge of the private key for decrypting the user data. An example of such an encryption program is the malicious program CryptoLocker.
The creators of antivirus applications have long known about such programs and have developed a number of technologies able to detect encryption programs. For example, US Patent Application Pub. No. 20150058987 describes an algorithm for calculating entropy to detect the operation of file-encrypting malware. That application likewise considers excluding files based on their format type in order to reduce false alarms and increase operating speed.
Such detection methods have proven themselves well, being able to detect encryption malware in good time when it is operating on a user's computer. However, a problem arises when a malicious encryption program analyzes the drives on the user's computer on which it will then encrypt the data: if it comes upon a network drive (which resides physically on a server), the malicious program may also encrypt the data on the server. Of course, tracking all file activity on the server would allow this problem to be resolved, but this significantly reduces the operational productivity of the server, which is often unacceptable in a corporate environment. Thus, a new solution is needed for detecting malicious encryption programs launched from a client and acting on a server.