| CPC H04L 63/145 (2013.01) [H04L 63/1416 (2013.01); H04L 63/1433 (2013.01)] | 20 Claims |

1. A computer program product for early detection of ransomware attacks, the computer program product comprising computer executable code embodied in non-transitory computer readable media that, when executing on one or more computing devices of a threat management facility, causes the one or more computing devices to perform the steps of:
receiving malware detections from malware detection software executing on a plurality of endpoints, each one of the malware detections associated with one of a number of customers by a customer identifier contained in the one of the malware detections;
identifying a first set of indicators of breach in the malware detections, the first set of indicators of breach collectively providing a first signature associated with use of a first malware tool on the plurality of endpoints;
identifying a second set of indicators of breach in the malware detections, the second set of indicators of breach collectively providing a second signature associated with use of a second malware tool on the plurality of endpoints having a different malware function than the first malware tool;
grouping the first and second sets of indicators of breach by customer based on the customer identifier in each of the corresponding ones of the malware detections;
identifying a progressive deployment of malware on two or more endpoints of the plurality of endpoints in an enterprise network for a particular one of the number of customers based on a sequential use of the first malware tool and the second malware tool within the enterprise network for the particular one of the number of customers in a pattern indicating staging for a ransomware attack on the enterprise network; and
notifying the particular one of the customers of a possible breach of the enterprise network based on the progressive deployment of malware.
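The detection logic claim 1 describes, as an added worked example (this is illustrative code written for this page, not code from the patent or its assignee). It takes the claimed inputs, per-endpoint malware detections tagged with a customer identifier, matches them against two signatures made of indicators of breach, groups the results by customer, and raises a notification for a customer whose enterprise shows the first tool completing on one endpoint followed, within a time window, by the second tool completing on a different endpoint. The signature names, indicator strings, the 72-hour window, the "different endpoint" reading of "two or more endpoints", and the sample detections are all assumptions made for the example.

```python
"""Progressive-deployment detector illustrating claim 1 (example code, not the patent's)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Hypothetical signatures: a tool is considered "used" on an endpoint once all of
# its indicators of breach have been seen there. Names and indicators are assumed.
SIGNATURES = {
    "tool_a_credential_harvester": {"lsass_memory_read", "suspicious_dll_load"},
    "tool_b_remote_deployer": {"psexec_service_install", "admin_share_write"},
}
# The staging pattern: first tool, then a second tool with a different function.
STAGING_SEQUENCE = ("tool_a_credential_harvester", "tool_b_remote_deployer")
WINDOW = timedelta(hours=72)  # assumed maximum gap between the two stages


@dataclass(frozen=True)
class Detection:
    customer_id: str   # the customer identifier carried in each detection
    endpoint_id: str
    indicator: str     # one indicator of breach reported by the endpoint software
    seen_at: datetime


def tool_uses(detections):
    """Map (customer, endpoint) -> {tool: time at which its full signature was met}."""
    first_seen = defaultdict(dict)  # (cust, ep) -> indicator -> first time seen
    for d in sorted(detections, key=lambda d: d.seen_at):
        first_seen[(d.customer_id, d.endpoint_id)].setdefault(d.indicator, d.seen_at)
    uses = defaultdict(dict)
    for key, indicators in first_seen.items():
        for tool, signature in SIGNATURES.items():
            if signature.issubset(indicators):
                uses[key][tool] = max(indicators[i] for i in signature)
    return uses


def find_staging(detections):
    """Group tool uses by customer and return {customer_id: evidence} for every
    customer where the first tool on one endpoint is followed, within WINDOW,
    by the second tool on a different endpoint of the same enterprise."""
    first, second = STAGING_SEQUENCE
    by_customer = defaultdict(lambda: {first: [], second: []})
    for (cust, ep), tools in tool_uses(detections).items():
        for tool, t in tools.items():
            if tool in (first, second):
                by_customer[cust][tool].append((t, ep))
    alerts = {}
    for cust, stages in by_customer.items():
        for t_a, ep_a in sorted(stages[first]):
            for t_b, ep_b in sorted(stages[second]):
                if ep_a != ep_b and t_a <= t_b <= t_a + WINDOW:
                    alerts.setdefault(cust, {
                        "sequence": STAGING_SEQUENCE,
                        "endpoints": (ep_a, ep_b),
                        "started": t_a,
                        "escalated": t_b,
                    })
    return alerts


def notifications(detections):
    """One human-readable notification per affected customer."""
    return [f"{cust}: possible breach, {ev['sequence'][0]} on {ev['endpoints'][0]} "
            f"at {ev['started']:%Y-%m-%d %H:%M} then {ev['sequence'][1]} on "
            f"{ev['endpoints'][1]} at {ev['escalated']:%Y-%m-%d %H:%M}"
            for cust, ev in sorted(find_staging(detections).items())]


# Constructed sample detections (not real telemetry).
T0 = datetime(2024, 3, 1, 9, 0)


def _d(cust, ep, indicator, minutes):
    return Detection(cust, ep, indicator, T0 + timedelta(minutes=minutes))


SAMPLE_DETECTIONS = [
    # acme: credential harvester on ws-01, then remote deployer on srv-02 two hours later
    _d("acme", "ws-01", "lsass_memory_read", 0),
    _d("acme", "ws-01", "suspicious_dll_load", 5),
    _d("acme", "srv-02", "psexec_service_install", 120),
    _d("acme", "srv-02", "admin_share_write", 125),
    # globex: first tool only; the second host shows an incomplete signature
    _d("globex", "ws-07", "lsass_memory_read", 0),
    _d("globex", "ws-07", "suspicious_dll_load", 3),
    _d("globex", "ws-08", "psexec_service_install", 60),
    # initech: both tools, but on the same endpoint (no progression across hosts)
    _d("initech", "ws-03", "lsass_memory_read", 0),
    _d("initech", "ws-03", "suspicious_dll_load", 1),
    _d("initech", "ws-03", "psexec_service_install", 30),
    _d("initech", "ws-03", "admin_share_write", 31),
    # umbrella: the two tools appear in the reverse order
    _d("umbrella", "srv-09", "psexec_service_install", 0),
    _d("umbrella", "srv-09", "admin_share_write", 2),
    _d("umbrella", "ws-04", "lsass_memory_read", 200),
    _d("umbrella", "ws-04", "suspicious_dll_load", 201),
]

if __name__ == "__main__":
    for line in notifications(SAMPLE_DETECTIONS):
        print(line)
```

Run as a script, only the acme enterprise produces a notification: globex never completes the second signature, initech never moves beyond one host, and umbrella shows the tools out of order. Grouping by the customer identifier before correlating is what keeps one customer's tool A from pairing with another customer's tool B; the window and the distinct-endpoint test are the knobs a practitioner would tune against their own false-positive rate.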