US 12,074,905 B2
Systems and methods for detecting ransomware attacks on file sharing systems
Tomer Shachar, Omer (IL); Maxim Balin, Gan-Yavne (IL); and Yevgeni Gehtman, Modi'in (IL)
Assigned to Dell Products, L.P., Round Rock, TX (US)
Filed by Dell Products, L.P., Round Rock, TX (US)
Filed on Jan. 24, 2022, as Appl. No. 17/648,734.
Prior Publication US 2023/0262089 A1, Aug. 17, 2023
Int. Cl. H04L 9/40 (2022.01); G06F 21/55 (2013.01)
CPC H04L 63/1466 (2013.01) [G06F 21/554 (2013.01); G06F 21/55 (2013.01); H04L 63/0884 (2013.01); H04L 63/145 (2013.01)] 18 Claims
OG exemplary drawing
 
1. A method for detecting ransomware attacks on an SMB (Server Message Block) file sharing system (FSS), the method comprising:
authenticating a user's request for access to the SMB file sharing system;
when the user is successfully authenticated, initiating an SMB session for the user;
during the SMB session, detecting QUERY_INFO and OPLOCK_BREAK SMB commands issued by the user;
evaluating the detected QUERY_INFO and OPLOCK_BREAK SMB commands against an activity profile based on SMB commands in prior SMB sessions by the user to identify repeated sequences of a QUERY_INFO command followed directly by an OPLOCK_BREAK command; and
when repeated sequences of a QUERY_INFO command followed directly by an OPLOCK_BREAK command are identified, terminating the user's SMB session.
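As an added illustration (not code from the patent or from Dell), the following Python sketch implements the detection logic of claim 1: it counts QUERY_INFO commands followed directly by OPLOCK_BREAK in a session's command stream, builds a per-user activity profile from prior sessions, and decides whether the live session should be terminated. The sample command streams and the threshold rule (the user's baseline scaled by a factor, with a floor) are assumptions; the claim itself does not specify how the profile comparison is scored.

```python
"""Toy detector for the QUERY_INFO -> OPLOCK_BREAK sequence heuristic."""

# Constructed prior-session history per user: each inner list is the ordered
# SMB command stream of one earlier session, used to build the activity profile.
PRIOR_SESSIONS = {
    "alice": [
        ["CREATE", "QUERY_INFO", "READ", "CLOSE"],
        ["CREATE", "QUERY_INFO", "OPLOCK_BREAK", "WRITE", "CLOSE"],
        ["CREATE", "READ", "CLOSE", "QUERY_INFO", "OPLOCK_BREAK"],
    ],
}

# Constructed live session: a burst of QUERY_INFO/OPLOCK_BREAK pairs, the
# shape the claim associates with a process walking through shared files.
LIVE_SESSION = ["CREATE"] + ["QUERY_INFO", "OPLOCK_BREAK"] * 6 + ["CLOSE"]


def count_pairs(commands):
    """Count QUERY_INFO followed *directly* by OPLOCK_BREAK (no command between)."""
    return sum(
        1 for prev, cur in zip(commands, commands[1:])
        if prev == "QUERY_INFO" and cur == "OPLOCK_BREAK"
    )


def build_profile(prior_sessions):
    """Per-user baseline: the highest pair count seen in any prior session."""
    return {user: max(count_pairs(s) for s in sessions)
            for user, sessions in prior_sessions.items()}


def evaluate_session(user, commands, profile, factor=3, floor=3):
    """Return (pair_count, threshold, terminate) for one live session.

    Assumed scoring rule: the user's baseline scaled by `factor`, never below
    `floor`, so a quiet user with baseline 0 is not flagged on a single pair.
    Users with no history fall back to the floor.
    """
    baseline = profile.get(user, 0)
    threshold = max(floor, baseline * factor)
    pairs = count_pairs(commands)
    return pairs, threshold, pairs > threshold


if __name__ == "__main__":
    profile = build_profile(PRIOR_SESSIONS)
    pairs, threshold, terminate = evaluate_session("alice", LIVE_SESSION, profile)
    print(f"user=alice pairs={pairs} threshold={threshold} terminate={terminate}")
```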