The variety of malware on the Internet is ever-growing. One such variant of malware is ransomware, which attempts to encrypt important files on a user's computing system and then holds the encrypted files for ransom. If the user does not pay the ransom, the important files remain encrypted and may be impossible for the user to access. Unfortunately, the encryption of important files may result in data loss and/or may compromise functionality on the computing system. Paying the ransom can introduce other problems as well, since the malicious developers will then have access to the user's payment information.
Traditional security systems are often designed to prevent malware from being inadvertently installed by a user, but may have no means of detecting or removing malware once it has been installed. In particular, traditional security systems that are designed to detect viruses, Trojans, keyloggers, and other threats that create new files or monitor user input, but that do not make changes to existing files, may not be able to detect ransomware at all. Moreover, even if a traditional security system is able to remove installed ransomware, it may be too late, since the user's files have already been encrypted and the damage has been done. Early detection is crucial for limiting the ability of ransomware to interfere with a user's computing device. The instant disclosure, therefore, identifies and addresses a need for systems and methods for detecting malicious processes that encrypt files.