CPC G06F 21/566 (2013.01) [G06F 2221/034 (2013.01)]; 12 Claims

1. A non-transitory tangible computer readable storage medium having stored thereon a computer program for detecting existence of a ransomware attack on a storage volume, the computer program including a set of instructions which, when executed by a computer, cause the computer to perform a method comprising the steps of:
determining historic read and write Input/Output (IO) activity characteristics of extents of the storage volume by a ransomware activity detection system implemented in a data services layer of a storage system operating system, the data services layer being the part of the storage system operating system that manages physical storage and retrieval of data on the physical storage;
comparing, by the ransomware activity detection system, current read and write IO activity characteristics of the extents of the storage volume with the historic read and write IO activity characteristics of the extents of the storage volume;
determining occurrence of a large sequential read IO operation on a set of extents of the storage volume;
in response to determining occurrence of the large sequential read IO operation, protecting the set of extents of the storage volume before determining occurrence of a large sequential write IO operation on the set of extents of the storage volume that was the subject of the large sequential read IO operation;
after protecting the set of extents of the storage volume, monitoring for occurrence of the large sequential write IO operation on the set of extents of the storage volume that was the subject of the large sequential read IO operation;
determining, by the ransomware activity detection system, historic data reducibility characteristics of data contained in the extents of the storage volume;
comparing, by the ransomware activity detection system, current data reducibility characteristics of data contained in the extents of the storage volume with the historic data reducibility characteristics of the data contained in the extents of the storage volume; and
detecting occurrence of the ransomware attack on the storage volume by the ransomware activity detection system where:
the large sequential read IO operation on the set of extents of the storage volume is followed by occurrence of the large sequential write IO operation on the set of extents of the storage volume;
the current read and write IO activity characteristics of the extents of the storage volume are significantly different than the historic read and write IO activity characteristics of the extents of the storage volume; and
the current data reducibility characteristics of data contained in the set of extents of the storage volume that was the subject of the large sequential read IO operation are significantly different than the historic data reducibility characteristics of data contained in the set of extents of the storage volume that was the subject of the large sequential read IO operation.
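The claim combines three signals: a large sequential read followed by a large sequential write on the same extents, per-extent IO activity that departs from its historic level, and a shift in the reducibility (compressibility/dedupability) of the data written there, which is what freshly encrypted data looks like to a data-services layer. The Python model below is an illustration added here; it is not code from the patent or from any storage vendor. It assumes a toy volume of in-memory extents, uses zlib compression ratio as the reducibility statistic, stands in for the "protect" step with an in-memory copy where a real system would take a snapshot, and uses made-up thresholds (`BIG_IO`, `ACTIVITY_FACTOR`, `REDUC_DELTA`) for "large" and "significantly different". The baseline workload, the ransomware trace and the benign large rewrite are all constructed inputs.

```python
import random
import zlib
from dataclasses import dataclass
EXTENT_SIZE = 4096  # bytes per extent in this toy volume (assumed)

@dataclass
class IO:
    op: str            # "R" or "W"
    start: int         # first extent touched
    count: int         # consecutive extents touched
    data: bytes = b""  # write payload, count * EXTENT_SIZE bytes

def reducibility(data: bytes) -> float:
    # Fraction of bytes compression removes: stand-in for the data-services layer's
    # compress/dedupe ratio. Ciphertext comes out near 0, log text near 1.
    return 1.0 - len(zlib.compress(data)) / len(data)

def text_extent(seed: int) -> bytes:  # constructed normal extent: log-like text
    line = f"2024-05-01 host{seed % 7} status=ok seq={seed}\n".encode()
    return (line * (EXTENT_SIZE // len(line) + 1))[:EXTENT_SIZE]

def random_extent(rng: random.Random) -> bytes:  # constructed ciphertext stand-in
    return bytes(rng.getrandbits(8) for _ in range(EXTENT_SIZE))

class RansomwareDetector:
    BIG_IO = 8             # extents per request counted as "large sequential" (assumed)
    ACTIVITY_FACTOR = 4.0  # hit-rate ratio (now / historic) treated as "significantly different"
    REDUC_DELTA = 0.3      # reducibility shift treated as "significantly different"

    def __init__(self, volume):
        self.vol = volume                           # per-extent bytes, mutated by writes
        n = len(volume)
        self.hist_hits, self.hist_ios = [0] * n, 0  # baseline reads+writes per extent
        self.hist_reduc = [reducibility(e) for e in volume]
        self.cur_hits, self.cur_ios = [0] * n, 0
        self.protected = {}                         # extent -> pre-write copy (a snapshot for real)
        self.alerts = []

    def _apply(self, io):  # commit a write to the volume; return the extents touched
        extents = range(io.start, io.start + io.count)
        if io.op == "W":
            for i, e in enumerate(extents):
                self.vol[e] = io.data[i * EXTENT_SIZE:(i + 1) * EXTENT_SIZE]
        return extents

    def learn(self, trace):  # baseline period: historic per-extent activity and reducibility
        for io in trace:
            for e in self._apply(io):
                self.hist_hits[e] += 1
            self.hist_ios += 1
        self.hist_reduc = [reducibility(e) for e in self.vol]

    def observe(self, io):
        extents = self._apply(io)
        self.cur_ios += 1
        for e in extents:
            self.cur_hits[e] += 1
        if io.op == "R" and io.count >= self.BIG_IO:
            # Signal 1, first half: protect *before* a matching large write can land
            # (re-taken on every large read so the copy is never stale).
            for e in extents:
                self.protected[e] = self.vol[e]
        elif io.op == "W" and io.count >= self.BIG_IO and all(e in self.protected for e in extents):
            self._evaluate(extents)  # signal 1 complete: large write on read-and-protected extents

    def _evaluate(self, extents):
        # Signal 2: hit rate of these extents per IO, now vs in the baseline.
        hist_rate = max(sum(self.hist_hits[e] for e in extents), 1) / max(self.hist_ios, 1)
        cur_rate = sum(self.cur_hits[e] for e in extents) / self.cur_ios
        # Signal 3: reducibility of the data just written vs the historic data there.
        hist_r = sum(self.hist_reduc[e] for e in extents) / len(extents)
        cur_r = sum(reducibility(self.vol[e]) for e in extents) / len(extents)
        if cur_rate > self.ACTIVITY_FACTOR * hist_rate and abs(cur_r - hist_r) > self.REDUC_DELTA:
            self.alerts.append({"extents": (extents.start, extents.stop), "activity_ratio": round(cur_rate / hist_rate, 1),
                                "hist_reduc": round(hist_r, 2), "cur_reduc": round(cur_r, 2)})

def benign_trace(rng, n_extents, n_ios=400):  # constructed workload: small reads/writes of text
    trace = []
    for i in range(n_ios):
        count, op = rng.choice([1, 2]), rng.choice("RRRWW")
        start = rng.randrange(0, n_extents - count + 1)
        data = b"".join(text_extent(1000 + 2 * i + k) for k in range(count)) if op == "W" else b""
        trace.append(IO(op, start, count, data))
    return trace

def ransomware_trace(rng, n_extents, chunk=16):  # constructed attack: read a run, rewrite it encrypted
    return [io for start in range(0, n_extents, chunk) for io in (
        IO("R", start, chunk), IO("W", start, chunk, b"".join(random_extent(rng) for _ in range(chunk))))]

def run_scenario(attack, n_extents=64, seed=7):
    # Learn a baseline, then replay either the attack or a benign large rewrite that has the
    # same read-then-write shape but still writes text, so only two of the three signals fire.
    rng = random.Random(seed)
    det = RansomwareDetector([text_extent(i) for i in range(n_extents)])
    det.learn(benign_trace(rng, n_extents))
    before = list(det.vol)  # contents at the start of the monitored window
    trace = ransomware_trace(rng, n_extents) if attack else [
        IO("R", 0, 16), IO("W", 0, 16, b"".join(text_extent(5000 + k) for k in range(16)))]
    for io in trace:
        det.observe(io)
    return det, before
```

`run_scenario(True)` returns a detector with one alert per 16-extent chunk the attack rewrote, and every `protected` copy still equals the pre-attack contents, which is the point of protecting at read time rather than at write time. `run_scenario(False)` produces no alert even though the activity and read-then-write signals both fire, because the rewritten data is as reducible as what it replaced. A real implementation would take the reducibility and activity statistics from the data-services layer's existing compression and dedupe bookkeeping rather than recompressing extents, and would freeze the snapshot once an alert fires so a later large read cannot replace the good copy.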