US 12,267,355 B2
Systems and methods of detecting and responding to a ransomware attack impacting a cloud-based file storage service
Sean Hittel, Calgary (CA); Krishna Narayanaswamy, Saratoga, CA (US); Ravindra K. Balupari, San Jose, CA (US); and Ravi Ithal, Fremont, CA (US)
Assigned to Netskope, Inc., Santa Clara, CA (US)
Filed by Netskope, Inc., Santa Clara, CA (US)
Filed on Nov. 15, 2021, as Appl. No. 17/527,150.
Application 17/527,150 is a continuation of application No. 16/679,020, filed on Nov. 8, 2019, granted, now 11,178,172.
Application 16/679,020 is a continuation of application No. 15/628,547, filed on Jun. 20, 2017, granted, now 10,476,907, issued on Nov. 12, 2019.
Claims priority of provisional application 62/373,288, filed on Aug. 10, 2016.
Prior Publication US 2022/0150262 A1, May 12, 2022
This patent is subject to a terminal disclaimer.
Int. Cl. H04L 29/06 (2006.01); G06F 16/907 (2019.01); G06F 21/55 (2013.01); G06F 21/56 (2013.01); H04L 9/40 (2022.01)
CPC H04L 63/145 (2013.01) [G06F 16/907 (2019.01); G06F 21/552 (2013.01); G06F 21/565 (2013.01); H04L 63/1433 (2013.01); G06F 21/566 (2013.01); G06F 2221/2101 (2013.01)] 20 Claims
OG exemplary drawing
 
1. A method of detecting a ransomware attack impacting a cloud-based file storage service, the method comprising:
collecting metadata on files stored on the cloud-based file storage service, wherein:
the collecting the metadata comprises:
collecting a first portion of the metadata using an inspective agent of a proxy device through an application programming interface to the cloud-based file storage service; and
collecting a second portion of the metadata using a client agent installed locally on client devices that manipulate the files stored on the cloud-based file storage service,
the cloud-based file storage service supports manipulation by creating, editing, and sharing the files, and
the collected metadata includes at least one of an extension of a file name, a magic number, and a size;
storing the collected metadata as historical metadata in a historical metadata storage, wherein the historical metadata storage is separate from and not under control of the cloud-based file storage service;
detecting multiple artifacts of the ransomware attack resulting from ransomware manipulation of the files, the detecting including:
comparing at least one of the extension, the magic number and the size included in the historical metadata to respective at least one of the extension, the magic number and the size included in current metadata of the files to identify changes in the files,
detecting a pattern of the identified changes from the historical metadata to the current metadata, and
detecting that the identified changes in the detected pattern exceed a predetermined change velocity to determine that the ransomware attack is in progress;
identifying a user and/or client device of the client devices that manipulated the files exhibiting the multiple artifacts; and
responding to the determination that the ransomware attack is in progress, the responding comprising:
restricting further manipulation of other files on the cloud-based file storage service by the identified user and/or client device.
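The following is an added illustration of the detection loop recited in claim 1, not code from the patent or from Netskope: a historical metadata snapshot (kept outside the storage service) is compared with a current snapshot on extension, magic number and size; the changes are grouped into a pattern per user and device; the rate of change is tested against a predetermined velocity; and the identified user/device is then denied further manipulation. The stable file ids, the magic-number table, both thresholds and the two sample snapshots are constructed assumptions.

```python
# Added example (not the patent's or Netskope's code): a minimal implementation of
# the claim-1 detection loop.  File ids, the magic-number table, thresholds and
# the sample snapshots below are all constructed assumptions.
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Assumed: leading bytes a file with this extension normally carries.
MAGIC_BY_EXT = {"pdf": b"%PDF", "docx": b"PK\x03\x04", "xlsx": b"PK\x03\x04", "png": b"\x89PNG"}


@dataclass(frozen=True)
class FileMeta:
    file_id: str   # stable id from the storage service (survives renames; assumed)
    ext: str       # extension of the file name
    magic: bytes   # first bytes of content (the "magic number")
    size: int
    ts: float      # seconds at which this metadata was observed
    user: str      # principal that last manipulated the file
    device: str    # client device that last manipulated the file


def diff_metadata(historical: Dict[str, FileMeta], current: Dict[str, FileMeta]) -> List[Tuple[FileMeta, FileMeta]]:
    """Files whose extension, magic number or size differs between the snapshots."""
    out = []
    for fid, old in historical.items():
        new = current.get(fid)
        if new and (old.ext, old.magic, old.size) != (new.ext, new.magic, new.size):
            out.append((old, new))
    return out


def change_signature(old: FileMeta, new: FileMeta) -> Optional[str]:
    """Classify one change.  A pure size change (ordinary editing) returns None; a
    new extension, or content that no longer carries the magic number its old
    extension promises, returns a signature that similar changes are grouped on."""
    expected = MAGIC_BY_EXT.get(old.ext)
    magic_broken = expected is not None and not new.magic.startswith(expected)
    if old.ext == new.ext and not magic_broken:
        return None
    return f"new_ext={new.ext};magic_broken={magic_broken}"


def detect_attack(historical, current, min_pattern_files=3, max_files_per_min=5.0) -> Tuple[bool, Set[Tuple[str, str]]]:
    """Returns (attack_in_progress, suspects).  A suspect is a (user, device) that
    produced at least min_pattern_files changes of one signature at a rate above
    max_files_per_min (the predetermined change velocity; both values assumed)."""
    groups: Dict[Tuple[str, str, str], List[FileMeta]] = defaultdict(list)
    for old, new in diff_metadata(historical, current):
        sig = change_signature(old, new)
        if sig:
            groups[(new.user, new.device, sig)].append(new)
    suspects: Set[Tuple[str, str]] = set()
    for (user, device, _sig), metas in groups.items():
        if len(metas) < min_pattern_files:
            continue
        stamps = sorted(m.ts for m in metas)
        minutes = max(stamps[-1] - stamps[0], 1.0) / 60.0   # clamp avoids /0
        if len(metas) / minutes > max_files_per_min:
            suspects.add((user, device))
    return bool(suspects), suspects


class AccessPolicy:
    """Response step: deny further manipulation by the identified principals."""
    def __init__(self):
        self.restricted: Set[Tuple[str, str]] = set()

    def restrict(self, suspects):
        self.restricted |= set(suspects)

    def allowed(self, user: str, device: str) -> bool:
        return (user, device) not in self.restricted


# Constructed sample data.  HISTORICAL stands in for the separate historical
# metadata store; CURRENT is what the proxy and client agents report later.
def _m(fid, ext, magic, size, ts, user, device):
    return FileMeta(fid, ext, magic, size, ts, user, device)

HISTORICAL = {m.file_id: m for m in [
    _m("f1", "pdf", b"%PDF-1.7", 120_000, 0, "alice", "laptop-17"),
    _m("f2", "xlsx", b"PK\x03\x04", 48_000, 0, "bob", "desktop-3"),
    _m("f3", "docx", b"PK\x03\x04", 22_000, 0, "bob", "desktop-3"),
    _m("f4", "png", b"\x89PNG", 9_000, 0, "carol", "phone-9"),
    _m("f5", "docx", b"PK\x03\x04", 30_000, 0, "alice", "laptop-17"),
    _m("f6", "png", b"\x89PNG", 500_000, 0, "carol", "phone-9"),
]}
CURRENT = {m.file_id: m for m in [
    # alice's laptop rewrites four files in six seconds: new extension, random bytes
    _m("f1", "locked", b"\x8f\x1a\x9c\x02", 120_256, 100, "alice", "laptop-17"),
    _m("f2", "locked", b"\x41\x77\x03\xe1", 48_256, 102, "alice", "laptop-17"),
    _m("f4", "locked", b"\x13\xc0\x55\x9a", 9_256, 104, "alice", "laptop-17"),
    _m("f5", "locked", b"\xd4\x0b\x7e\x21", 30_256, 106, "alice", "laptop-17"),
    # bob edits a document normally: size changes, magic number intact
    _m("f3", "docx", b"PK\x03\x04", 23_500, 200, "bob", "desktop-3"),
    # carol converts one image: extension and magic change, but only one file
    _m("f6", "jpg", b"\xff\xd8\xff", 410_000, 300, "carol", "phone-9"),
]}


def run_example() -> Tuple[bool, Set[Tuple[str, str]], AccessPolicy]:
    attack, suspects = detect_attack(HISTORICAL, CURRENT)
    policy = AccessPolicy()
    if attack:
        policy.restrict(suspects)
    return attack, suspects, policy


if __name__ == "__main__":
    attack, suspects, policy = run_example()
    print("attack in progress:", attack, "suspects:", sorted(suspects))
    print("alice/laptop-17 allowed:", policy.allowed("alice", "laptop-17"))
    print("bob/desktop-3 allowed:", policy.allowed("bob", "desktop-3"))
```

Two design points a practitioner would want to keep from the claim: the comparison is keyed on an identifier that survives renames, because a ransomware rename otherwise makes the old and new records look unrelated; and a size-only change or a single extension change is deliberately not enough, since the claim requires both a pattern across files and a rate above the predetermined velocity before the user/device is restricted.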