US 11,055,411 B2
System and method for protection against ransomware attacks
Vladimir Strogov, Moscow (RU); Vyacheslav Levchenko, Moscow (RU); Alexey Dod, Moscow (RU); Serguei Beloussov, Costa del Sol (SG); Stanislav Protasov, Moscow (RU); Anatoly Stupak, Moscow (RU); and Valery Chernyakovsky, Moscow (RU)
Assigned to Acronis International GmbH, Schaffhausen (CH)
Filed by Acronis International GmbH, Schaffhausen (CH)
Filed on May 8, 2019, as Appl. No. 16/406,568.
Claims priority of provisional application 62/669,489, filed on May 10, 2018.
Prior Publication US 2019/0347418 A1, Nov. 14, 2019
Int. Cl. G06F 21/56 (2013.01); H04L 29/06 (2006.01); G06N 20/00 (2019.01); G06F 16/11 (2019.01)
CPC G06F 21/568 (2013.01) [G06F 16/128 (2019.01); G06F 21/566 (2013.01); G06N 20/00 (2019.01); H04L 63/101 (2013.01); H04L 63/145 (2013.01); G06F 2221/034 (2013.01)] 21 Claims
OG exemplary drawing
1. A method for protecting a file server from a ransomware attack, comprising:
assigning a session identifier to a remote session initiated with the file server;
monitoring operations on the file server associated with the session identifier;
determining whether the operations comprise any operations that are suspicious according to a policy;
creating a volume-level snapshot of files on the file server when the operations on the file server comprise any operations that are deemed suspicious;
determining that encryption of the data is occurring when entropy of the monitored data is growing faster than the predetermined threshold rate;
classifying the remote session as having a calculated degree of danger when the operations match operations contained in previously observed suspicious behavior patterns identified using machine learning applied to operations on the file server over a predetermined period of time;
interrupting the remote session when a combination of the degree of danger and the entropy is greater than a predetermined threshold value; and
restoring the data on the file server using the volume-level snapshot to a state prior to the encryption and dangerous activity.