US 11,748,475 B1
Detection and recovery from ransomware infections
Vincent H. Berk, Lyme, NH (US); and Ian D. Gregorio-de Souza, Hanover, NH (US)
Assigned to Riverbed Technology, LLC, San Francisco, CA (US)
Filed by Riverbed Technology, Inc., San Francisco, CA (US)
Filed on Feb. 5, 2021, as Appl. No. 17/168,694.
Claims priority of provisional application 62/970,501, filed on Feb. 5, 2020.
Int. Cl. G06F 21/55 (2013.01); G06F 21/56 (2013.01); G06F 21/78 (2013.01)
CPC G06F 21/554 (2013.01) [G06F 21/564 (2013.01); G06F 21/565 (2013.01); G06F 21/568 (2013.01); G06F 21/78 (2013.01)]
15 Claims
 
1. A method, comprising:
determining, by a processor, whether a ransomware attack is in progress based on analyzing read and write requests to a file system, wherein said analyzing comprises (1) calculating a ratio of a count of read requests to a count of write requests received from a client, (2) ranking clients in decreasing order based on counts of write requests received from the clients over a time interval, and (3) detecting an increase in a rank of the client which is greater than a threshold; and
performing a mitigation action in response to determining that a ransomware attack is in progress.
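
The analysis recited in claim 1, sketched as an added example (not code from the patent or from Riverbed). It assumes that an "increase in rank" means moving toward the top of the write-count ranking between consecutive intervals, and that a low read/write ratio is required alongside the rank jump; the claim does not say how the three steps are combined. The client names, the `rank_jump` and `max_rw_ratio` parameters, and the sample requests are constructed for illustration.

```python
from collections import Counter

def reqs(interval, client, reads, writes):
    """Build constructed (interval, client, op) request records."""
    return [(interval, client, "read")] * reads + [(interval, client, "write")] * writes

# Constructed sample: ws-d goes from the quietest writer to the busiest one.
SAMPLE = (
    reqs(0, "ws-a", 90, 30) + reqs(0, "ws-b", 80, 20)
    + reqs(0, "ws-c", 60, 10) + reqs(0, "ws-d", 40, 2)
    + reqs(1, "ws-a", 85, 28) + reqs(1, "ws-b", 82, 19)
    + reqs(1, "ws-c", 55, 11) + reqs(1, "ws-d", 500, 480)
)

def tally(events):
    """Return {interval: Counter{(client, op): count}}."""
    out = {}
    for interval, client, op in events:
        out.setdefault(interval, Counter())[(client, op)] += 1
    return out

def rank_by_writes(counts):
    """Rank clients in decreasing order of write count (rank 1 = most writes)."""
    clients = sorted({client for client, _ in counts})
    ordered = sorted(clients, key=lambda c: (-counts[(c, "write")], c))
    return {client: pos + 1 for pos, client in enumerate(ordered)}

def detect(events, rank_jump=2, max_rw_ratio=2.0):
    """Return (interval, client, places_climbed, read/write ratio) alerts.

    Assumed decision rule: the client climbed more than `rank_jump` places
    since the previous interval AND its read/write ratio is at most
    `max_rw_ratio` (roughly one write per read, as in read-then-overwrite).
    """
    alerts, prev = [], None
    per_interval = tally(events)
    for interval in sorted(per_interval):
        counts = per_interval[interval]
        ranks = rank_by_writes(counts)
        for client, rank in ranks.items():
            reads, writes = counts[(client, "read")], counts[(client, "write")]
            ratio = reads / writes if writes else float("inf")
            # A client not seen before is treated as ranked below everyone.
            climbed = prev.get(client, len(prev) + 1) - rank if prev is not None else 0
            if climbed > rank_jump and ratio <= max_rw_ratio:
                alerts.append((interval, client, climbed, round(ratio, 2)))
        prev = ranks
    return alerts

if __name__ == "__main__":
    print(detect(SAMPLE))
```

The returned alerts are where a mitigation action would be triggered; the first interval only establishes the baseline ranking and never alerts.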