Patent · US Active

Systems and methods for preventive ransomware detection using file honeypots

US10938854B2 · kind B2 · utility

Cited by: 39
References: 0
Claims: 21
Family size: 0

Assignee

Inventors

Key dates

Filing date: Sep 17, 2018
Grant date: Mar 2, 2021
Priority date
Expiry date: Jun 27, 2039

Classification

  • Technology area (CPC H): Electricity
  • CPC primary: H04L67/1097
  • WIPO field: Digital communication
  • WIPO sector: Electrical engineering

Abstract

A system and method is provided for detecting ransomware and malicious programs. An exemplary method comprises generating, by a hardware processor, a file honeypot in a directory in a filesystem, wherein the file honeypot is included on a file list of contents of the directory; receiving a directory enumeration request from a process executing in an operating system environment; determining whether the process is identified in a list of trusted processes based on one or more of a certificate, fingerprint, name, and process identifier; when the process is not found in the list of trusted processes, providing, by the filesystem, the file list including the file honeypot to the process responsive to receiving the directory enumeration request, and otherwise providing the file list excluding the file honeypot to the process; intercepting, by a filesystem filter driver, a file modification request for the file honeypot from the process when the file honeypot is included in the file list; and identifying the process as a suspicious object responsive to intercepting the file modification request from the process.
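The decision flow in the abstract, modelled in user space as an added example (not code from the patent or its assignee). The class and method names, the decoy file name, and the use of a fingerprint string as the only trust check are assumptions; a real implementation would sit in a filesystem filter driver.

```python
import os
import tempfile
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Process:
    pid: int
    name: str
    fingerprint: str  # constructed stand-in for an image hash or certificate

@dataclass
class HoneypotFilter:
    directory: str
    trusted: set  # fingerprints of trusted processes
    honeypot: str = "000_honeypot.docx"  # hypothetical decoy name
    shown_to: set = field(default_factory=set)
    suspicious: set = field(default_factory=set)

    def __post_init__(self):
        # Generate the honeypot so it appears in the directory's file list.
        with open(os.path.join(self.directory, self.honeypot), "wb") as f:
            f.write(b"decoy")

    def list_dir(self, proc):
        names = sorted(os.listdir(self.directory))
        if proc.fingerprint in self.trusted:
            return [n for n in names if n != self.honeypot]  # decoy hidden
        self.shown_to.add(proc.pid)  # remember who was given the decoy
        return names

    def on_modify(self, proc, filename):
        # Flag only a process that was handed the decoy and then writes to it.
        if filename == self.honeypot and proc.pid in self.shown_to:
            self.suspicious.add(proc.pid)
            return True
        return False

def demo():
    with tempfile.TemporaryDirectory() as d:
        for n in ("report.txt", "notes.txt"):  # constructed sample files
            open(os.path.join(d, n), "w").close()
        flt = HoneypotFilter(d, trusted={"fp-backup"})
        backup = Process(100, "backup.exe", "fp-backup")
        unknown = Process(200, "unknown.exe", "fp-unknown")
        trusted_view = flt.list_dir(backup)
        untrusted_view = flt.list_dir(unknown)
        # A process that rewrites every listed file also touches the decoy.
        hits = [n for n in untrusted_view if flt.on_modify(unknown, n)]
        return trusted_view, untrusted_view, hits, flt.suspicious
```

Because trusted processes never receive the decoy in their listing, indexers and backup tools that walk the directory do not trip the detector.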

Source: USPTO / EPO open patent data. Objective bibliographic and citation counts.