CPC G06F 21/554 (2013.01) [G06F 21/564 (2013.01); G06F 21/565 (2013.01); G06F 21/568 (2013.01); G06F 21/78 (2013.01)] | 15 Claims
1. A method, comprising:
determining, by a processor, whether a ransomware attack is in progress based on analyzing read and write requests to a file system, wherein said analyzing comprises (1) calculating a ratio of a count of read requests to a count of write requests received from a client, (2) ranking clients in decreasing order based on counts of write requests received from the clients over a time interval, and (3) detecting an increase in a rank of the client which is greater than a threshold; and
performing a mitigation action in response to determining that a ransomware attack is in progress.
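
The three analysis steps recited in claim 1, sketched as detection logic over per-interval request records (an added example, not code from the patent or its assignee). The claim does not say how the ratio and the rank change are combined or what the threshold values are; the combining rule, `rank_jump_threshold`, `max_rw_ratio`, the treatment of previously unseen clients, and the sample data are all assumptions made for illustration.

```python
from collections import Counter

def rank_by_writes(write_counts):
    """Step (2): rank clients in decreasing order of write count (1 = most writes)."""
    ordered = sorted(write_counts, key=lambda c: (-write_counts[c], c))
    return {client: pos + 1 for pos, client in enumerate(ordered)}

def detect(intervals, rank_jump_threshold=2, max_rw_ratio=1.5):
    """intervals: one list of (client, op) tuples per time interval, op is 'read' or 'write'.
    Returns (interval_index, client, rank_jump, read_write_ratio) for each flagged client."""
    alerts, prev_ranks = [], None
    for idx, requests in enumerate(intervals):
        reads, writes = Counter(), Counter()
        for client, op in requests:
            (reads if op == "read" else writes)[client] += 1
        clients = set(reads) | set(writes)
        ranks = rank_by_writes({c: writes[c] for c in clients})
        if prev_ranks is not None:           # the first interval only sets the baseline
            bottom = len(prev_ranks) + 1     # assumption: unseen clients start at the bottom
            for c in sorted(clients):
                if writes[c] == 0:
                    continue                 # ratio undefined; a non-writer is not a candidate
                ratio = reads[c] / writes[c]             # step (1)
                jump = prev_ranks.get(c, bottom) - ranks[c]  # step (3): positions gained
                # Assumed combining rule: large rank gain AND write-heavy traffic.
                if jump > rank_jump_threshold and ratio <= max_rw_ratio:
                    alerts.append((idx, c, jump, ratio))
        prev_ranks = ranks
    return alerts

def expand(counts):
    """Build a request list from {client: (read_count, write_count)}."""
    out = []
    for client, (r, w) in counts.items():
        out += [(client, "read")] * r + [(client, "write")] * w
    return out

# Constructed sample: client "e" goes from the fewest writes to the most,
# with one write per read; client "d" also writes more but stays read-heavy.
SAMPLE_INTERVALS = [
    expand({"a": (200, 50), "b": (150, 40), "c": (90, 30), "d": (80, 20), "e": (40, 2)}),
    expand({"a": (210, 55), "b": (140, 38), "c": (95, 33), "d": (300, 60), "e": (500, 500)}),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_INTERVALS):
        print(alert)
```
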