US 12,259,977 B2
Entropy-based ransomware detection
Sri Karthik Bhagi, Morganville, NJ (US); PurnaChandra Sekhar Bedhapudi, Eatontown, NJ (US); Pratima Laxman Gadhave, Neptune, NJ (US); and Akhilesh Naga Wathada, Neptune, NJ (US)
Assigned to Commvault Systems, Inc., Tinton Falls, NJ (US)
Filed by Commvault Systems, Inc., Tinton Falls, NJ (US)
Filed on Nov. 15, 2021, as Appl. No. 17/526,936.
Prior Publication US 2023/0153438 A1, May 18, 2023
Int. Cl. G06F 21/56 (2013.01); G06F 11/14 (2006.01); G06F 21/55 (2013.01); G06F 21/78 (2013.01)
CPC G06F 21/568 (2013.01) [G06F 11/1451 (2013.01); G06F 11/1464 (2013.01); G06F 11/1469 (2013.01); G06F 21/564 (2013.01); G06F 21/565 (2013.01); G06F 21/78 (2013.01)] 20 Claims
OG exemplary drawing
 
1. A method for securing a client computing device against ransomware, the method comprising:
detecting that at least one file of a first plurality of files has been modified, wherein the detecting is caused during a monitoring operation that is performed according to an information management policy, wherein the information management policy comprises a set of parameters for performing information management operations on data assigned to the information management policy, wherein information management operations comprise the monitoring operation;
determining a first entropy value for the modified at least one file;
identifying a first file type of the modified at least one file;
comparing the first entropy value with a second entropy value associated with a second file type corresponding to the first file type;
determining that the at least one file has been impermissibly modified based on the comparison of the first entropy value with the second entropy value; and,
causing one or more files of the first plurality of files to be backed up to secondary storage based on the determination that the at least one file has been impermissibly modified.
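The claimed sequence (detect a modification, compute the file's entropy, identify its type, compare against that type's expected entropy, decide, and trigger a backup) as an added Python example; this is illustration code, not Commvault's implementation, and the per-type baselines, tolerance, suffix-based typing and sample files are constructed assumptions.

```python
import math
from collections import Counter
from pathlib import PurePath

# Constructed per-file-type entropy baselines (bits per byte) and tolerance.
# Illustrative assumptions, not values from the patent: in practice they would be
# learned from a clean corpus of each type (text is low; zip-based or already
# compressed formats such as .docx/.jpg sit close to the 8.0 ceiling).
EXPECTED_ENTROPY = {".txt": 4.6, ".log": 4.6, ".csv": 4.2, ".docx": 7.6, ".jpg": 7.8}
TOLERANCE = 0.8  # how far above its baseline a file may drift before it is suspect


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string, in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def file_type(name: str, previous_name: str = "") -> str:
    """Identify the file type from the suffix. If the file was renamed during the
    modification (notes.txt -> notes.txt.locked), the pre-modification name, when
    the monitor recorded it, still yields the original type."""
    return PurePath(previous_name or name).suffix.lower()


def is_impermissibly_modified(name: str, data: bytes, previous_name: str = "") -> bool:
    """Compare the modified file's entropy with the baseline for its type."""
    baseline = EXPECTED_ENTROPY.get(file_type(name, previous_name))
    if baseline is None:
        return False  # no baseline for this type: the comparison cannot be made
    return shannon_entropy(data) > baseline + TOLERANCE


def check_modified_files(modified: dict) -> tuple:
    """Apply the steps to a batch of files the monitor reported as modified.
    Returns the names judged impermissibly modified and whether a backup of the
    monitored file set should be triggered (any hit triggers it)."""
    flagged = [n for n, d in modified.items() if is_impermissibly_modified(n, d)]
    return flagged, bool(flagged)


# Constructed sample inputs: ordinary plaintext, a spreadsheet overwritten in
# place with ciphertext-like bytes (every value equally frequent, entropy 8.0),
# and a zip-based document that is legitimately high-entropy and must not trip.
SAMPLE = {
    "notes.txt": b"the quick brown fox jumps over the lazy dog " * 20,
    "budget.csv": bytes(range(256)) * 4,
    "report.docx": bytes(range(256)) * 4,
}
```

Running `check_modified_files(SAMPLE)` flags only `budget.csv` and requests a backup; the high-entropy `.docx` passes because its baseline is already near 8.0, which is why a single global threshold would not work and the claim compares per file type.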