CPC H04L 63/1466 (2013.01) [H04L 63/1425 (2013.01)] | 20 Claims
1. A method for detecting a ransomware attack, comprising:
enabling changed block tracking of a data storage comprising of a plurality of data blocks;
taking snapshots of the plurality of data blocks at multiple times;
determining a rate of change between at least two snapshots of the plurality of data blocks;
determining a pattern of changes between the at least two snapshots of the plurality of data blocks; and
scanning the plurality of data blocks for ransomware when the determined rate of change between the at least two snapshots of the plurality of data blocks is greater than a threshold and/or the determined pattern of changes between the at least two snapshots of the plurality of data blocks deviates by more than a threshold from a normal pattern of changes of the plurality of data blocks.
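
The trigger logic of claim 1, sketched as an added example that is not taken from the patent. It assumes a snapshot is a list of per-block digests, that the "pattern of changes" is the share of changed blocks falling in each of four equal address regions, that deviation is the total variation distance from a baseline, and that the threshold values and sample volume are constructed for illustration.

```python
import hashlib

REGIONS = 4  # assumption: "pattern" = share of changed blocks per address region

def snapshot(blocks):
    """Per-block digests, standing in for a snapshot taken with change tracking."""
    return [hashlib.sha256(b).digest() for b in blocks]

def changed_blocks(snap_a, snap_b):
    """Indices of blocks whose digest differs between two snapshots."""
    return [i for i, (a, b) in enumerate(zip(snap_a, snap_b)) if a != b]

def change_pattern(changed, total):
    """Normalised histogram of changed blocks over REGIONS equal address ranges."""
    hist = [0] * REGIONS
    for i in changed:
        hist[i * REGIONS // total] += 1
    return [h / len(changed) for h in hist]

def should_scan(snap_a, snap_b, normal, rate_thr=0.30, dev_thr=0.40):
    """Return (scan?, rate, deviation); thresholds are illustrative assumptions."""
    total = len(snap_a)
    changed = changed_blocks(snap_a, snap_b)
    if not changed:                      # nothing changed: no pattern to compare
        return False, 0.0, 0.0
    rate = len(changed) / total
    pattern = change_pattern(changed, total)
    # Total variation distance from the normal pattern, in the range 0..1.
    dev = 0.5 * sum(abs(p - q) for p, q in zip(pattern, normal))
    return (rate > rate_thr or dev > dev_thr), rate, dev

def demo():
    """Constructed 100-block volume and three constructed change scenarios."""
    base = [bytes([i]) * 16 for i in range(100)]
    def mutate(indices):
        return [b"\xff" * 16 if i in indices else b for i, b in enumerate(base)]
    normal = [0.7, 0.1, 0.1, 0.1]        # constructed baseline: writes cluster low
    s0 = snapshot(base)
    return {
        "routine": should_scan(s0, snapshot(mutate({0, 1, 2, 3, 4, 5, 6, 30, 60, 80})), normal),
        "bulk": should_scan(s0, snapshot(mutate(set(range(60)))), normal),
        "shifted": should_scan(s0, snapshot(mutate(set(range(75, 85)))), normal),
        "idle": should_scan(s0, s0, normal),
    }

if __name__ == "__main__":
    for name, (scan, rate, dev) in demo().items():
        print(f"{name:8s} scan={scan} rate={rate:.2f} deviation={dev:.2f}")
```

The "shifted" scenario changes the same fraction of blocks as "routine" yet still triggers a scan, which is the case the "and/or" pattern condition covers.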