One class of malicious software, commonly referred to as ransomware, attempts to encrypt one or more user and/or system files on a victim computing device and to delete the original plaintext versions of those files. Ransomware typically generates or displays a ransom note demanding payment in exchange for a decryption key for one or more files. Because brute-force decryption may require significant time and resources, many victims end up paying the demanded ransom in order to regain access to their files.
Countermeasures against malicious encryption may include routine backup of files. After all, if the victim can simply restore from backup, then no files are lost. However, if backups are not taken frequently enough, some data may still be lost. Furthermore, some ransomware is able to encrypt attached storage, including the storage holding the backup files themselves, defeating this countermeasure.
Another family of countermeasures attempts to prevent the attacker's code from running in the first place. Modern operating systems take pains to offer anti-malware scanners that examine program code, sandboxes that prevent the attacker's code from directly reading or writing the disk, and regular patch updates that close off other means of introducing code, including software vulnerabilities. However, a well-disguised attack agent may go undetected by such scanners.
Still another family of countermeasures attempts to identify files that are being encrypted, for example, by identifying writes to files that result in significant increases in entropy. In one such implementation described in U.S. Publication No. 2017/0093886 to Ovcharik et al., an analyzer “calculates entropy of the overwritten file segment and calculates convergence for the entropy of the original and the overwritten file segment . . . [I]f the convergence does not exceed a given threshold, then . . . further file operations on the part of the user's computer . . . are allowed.” A similar countermeasure may attempt to identify unusual behaviors, such as copying large numbers of files in a short time frame and deleting the originals. The MWR Labs whitepaper, “A behavioural-based approach to ransomware detection,” by Daniel Nieuwenhuizen, notes that, “[i]n behavioural analysis, the behavioural characteristics of the executable is known as it is being observed in real-time, and inferences is made by an inductive decision algorithm on the threat level . . . . Behavioural-based analysis has been found to be highly effective for crypto ransomware detection because it exhibits core behavioural traits necessary for a data encryption attack that does not change from variant to variant or family to family.” However, in all such implementations, at least some file encryption has already occurred by the time the activity is detected, which limits the mitigation that can be performed.
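As an added illustration of the entropy-based check described above (example code written for this page, not taken from the cited publications), the following Python compares the Shannon entropy of a file segment before and after a write and flags overwrites that jump from low to near-random entropy; the thresholds and the sample segments are assumed and constructed for the example.

```python
"""Entropy-based detection of suspicious file overwrites (added example)."""
import hashlib
import math
from collections import Counter

# Assumed thresholds in bits per byte. Text and structured data usually sit
# well below 7.0; encrypted or compressed data approaches the maximum of 8.0.
HIGH_ENTROPY_FLOOR = 7.0      # overwritten segment must look near-random
ENTROPY_JUMP_THRESHOLD = 2.0  # and must rise sharply over the original


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def is_suspicious_overwrite(original: bytes, overwritten: bytes) -> bool:
    """True when a segment went from low entropy to near-random entropy.

    Caveat: files that are already compressed or encrypted (archives, images)
    start near 8.0 bits/byte, so an overwrite shows no jump and is not flagged.
    """
    before = shannon_entropy(original)
    after = shannon_entropy(overwritten)
    return after >= HIGH_ENTROPY_FLOOR and (after - before) >= ENTROPY_JUMP_THRESHOLD


def flag_writes(events):
    """events: iterable of (path, original_segment, new_segment) write records.
    Returns the paths whose overwrite looks like in-place encryption."""
    return [path for path, old, new in events if is_suspicious_overwrite(old, new)]


def constructed_ciphertext(n: int) -> bytes:
    """Deterministic high-entropy bytes standing in for an encrypted segment
    (constructed sample: chained SHA-256 digests, not real encryption)."""
    out, block = bytearray(), b"seed"
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


# Constructed sample segments: a plaintext document and a pre-existing
# high-entropy file (e.g. an archive) that receives a high-entropy overwrite.
SAMPLE_PLAINTEXT = b"The quick brown fox jumps over the lazy dog. " * 90
SAMPLE_ARCHIVE = constructed_ciphertext(4096)
SAMPLE_EVENTS = [
    ("/home/user/report.txt", SAMPLE_PLAINTEXT, constructed_ciphertext(len(SAMPLE_PLAINTEXT))),
    ("/home/user/photos.zip", SAMPLE_ARCHIVE, SAMPLE_ARCHIVE[::-1]),
]
```

Running `flag_writes(SAMPLE_EVENTS)` flags only the text document, showing both the detection and the caveat that the analyzer only sees the jump after encrypted data has already been written.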