CPC H04L 63/145 (2013.01) [G06F 11/1451 (2013.01); G06F 2201/84 (2013.01)] | 19 Claims |
1. A computer-implemented method for ransomware detection and mitigation, the method comprising:
performing, in predetermined time intervals, snapshot backups of data in a block-oriented storage device;
responsive to performing a first snapshot backup, storing an identification of changed data blocks in a commit table, the storing occurring prior to performing a next snapshot backup according to the predetermined time intervals;
determining an interval malware index value indicative of a changed block rate as identified in the commit table;
detecting ransomware based on the interval malware index value being larger than a predefined interval malware index threshold value;
responsive to the detected ransomware, performing an emergency snapshot prior to performing the next snapshot backup according to the predetermined time intervals, the emergency snapshot being performed independent of and out of sequence with the predetermined time intervals for snapshot backups;
in response to determining a file has been affected by the detected ransomware, repairing the file using unencrypted data blocks from the first snapshot backup, using the identification of changed data blocks stored in the commit table; and
deleting the identification of changed data blocks in the commit table in response to a second snapshot backup being performed.
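The following Python simulation is an added illustration of the claimed sequence and is not code from the patent or its assignee. It models a block-oriented device with scheduled snapshots, a commit table of block indices written since the last scheduled snapshot, an interval malware index computed as the fraction of device blocks recorded in the commit table (one reading of "changed block rate"; the exact metric is not fixed by the claim), threshold detection, an out-of-sequence emergency snapshot that deliberately leaves the commit table intact so the repair step can still identify the changed blocks, and file repair from the last scheduled snapshot. The class and function names, the 32-block device, the 4-byte blocks, the XOR "encryption", and the 0.5 threshold are all assumptions made for the example.

```python
"""Simulation of the claimed snapshot/commit-table ransomware detection flow.

Added example, not the patent's own implementation. All data is constructed.
"""
from dataclasses import dataclass, field

BLOCK_SIZE = 4  # assumption: tiny blocks so the sample stays readable


@dataclass
class BlockDevice:
    """Block-oriented storage with scheduled snapshots and a commit table."""
    blocks: list[bytes]
    commit_table: set[int] = field(default_factory=set)     # changed block ids
    snapshots: list[list[bytes]] = field(default_factory=list)
    emergency_snapshots: list[list[bytes]] = field(default_factory=list)

    def write_block(self, idx: int, data: bytes) -> None:
        # Every write between scheduled snapshots is recorded in the commit table.
        self.blocks[idx] = data
        self.commit_table.add(idx)

    def snapshot(self) -> None:
        # Scheduled snapshot: copy all blocks, then delete the commit-table entries
        # (claim step "deleting the identification ... in response to a second snapshot").
        self.snapshots.append(list(self.blocks))
        self.commit_table.clear()

    def emergency_snapshot(self) -> None:
        # Out-of-sequence snapshot taken on detection. Assumption: it does NOT clear
        # the commit table, so repair can still tell which blocks were touched.
        self.emergency_snapshots.append(list(self.blocks))

    def interval_malware_index(self) -> float:
        # Assumption: index = fraction of device blocks changed this interval.
        return len(self.commit_table) / len(self.blocks)


def detect_ransomware(dev: BlockDevice, threshold: float) -> bool:
    """Claim step: detect when the interval index exceeds the threshold."""
    return dev.interval_malware_index() > threshold


def repair_file(dev: BlockDevice, file_blocks: list[int]) -> list[int]:
    """Restore only the file's changed blocks from the last scheduled snapshot."""
    base = dev.snapshots[-1]
    restored = []
    for idx in file_blocks:
        if idx in dev.commit_table:          # commit table identifies what to repair
            dev.blocks[idx] = base[idx]      # unencrypted copy from the snapshot
            restored.append(idx)
    return restored


def run_simulation(threshold: float = 0.5) -> dict:
    """Drive one benign interval and one ransomware interval; return observations."""
    # Constructed device: 32 blocks, 8 files of 4 consecutive blocks each.
    dev = BlockDevice(blocks=[bytes([i]) * BLOCK_SIZE for i in range(32)])
    files = {f"file{n}": list(range(4 * n, 4 * n + 4)) for n in range(8)}

    dev.snapshot()                                # first scheduled snapshot

    # Interval 1: legitimate edits touch two blocks.
    dev.write_block(files["file0"][1], b"EDIT")
    dev.write_block(files["file3"][0], b"EDIT")
    index_normal = dev.interval_malware_index()
    flagged_normal = detect_ransomware(dev, threshold)

    dev.snapshot()                                # second scheduled snapshot, table cleared

    # Interval 2: simulated ransomware rewrites files 0..6 (28 of 32 blocks).
    key = 0x5A                                    # constructed "encryption" key
    for name in list(files)[:7]:
        for b in files[name]:
            dev.write_block(b, bytes(x ^ key for x in dev.blocks[b]))
    index_attack = dev.interval_malware_index()
    flagged_attack = detect_ransomware(dev, threshold)

    restored: dict[str, list[int]] = {}
    if flagged_attack:
        dev.emergency_snapshot()                  # preserve evidence out of sequence
        for name, blks in files.items():
            if any(b in dev.commit_table for b in blks):   # file affected?
                restored[name] = repair_file(dev, blks)

    intact = all(dev.blocks[b] == dev.snapshots[-1][b]
                 for blks in files.values() for b in blks)
    return {
        "index_normal": index_normal,
        "flagged_normal": flagged_normal,
        "index_attack": index_attack,
        "flagged_attack": flagged_attack,
        "files_repaired": len(restored),
        "blocks_repaired": sum(len(v) for v in restored.values()),
        "emergency_snapshots": len(dev.emergency_snapshots),
        "commit_table_size": len(dev.commit_table),
        "all_files_intact": intact,
    }


if __name__ == "__main__":
    for k, v in run_simulation().items():
        print(f"{k}: {v}")
```

The benign interval changes 2 of 32 blocks (index 0.0625) and stays below the threshold, while the simulated ransomware interval changes 28 of 32 (index 0.875) and triggers the emergency snapshot and repair; because only blocks listed in the commit table are rewritten, the untouched file7 and the unchanged blocks are never copied. A real threshold would be tuned against the device's normal per-interval churn, since a large legitimate job (a bulk import, a full reindex) can also produce a high changed-block rate.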