Ransomware prevention method and system

Abstract

The invention relates to a ransomware prevention method and system. The method comprises the steps of creating at least one bait file with the type conforming to a ransomware encryption type and inserting the bait file into an original file sequence of a to-be-protected disk; judging whether the bait file is changed or not; and prohibiting the to-be-protected disk to be subjected to a preset operation when the bait file is changed. According to the method and the system, the bait file with the type conforming to the ransomware encryption type is created by utilizing a characteristic that ransomware traverses disk files necessarily to search for a file type suitable for encryption, and the bait file is put in the original file sequence of the to-be-protected disk; the effects of prewarning the ransomware and protecting other disk files are achieved by monitoring the bait file; the prewarning accuracy is high; a targeted scheme is designed based on an inevitable common behavior of the ransomware, so that known and unknown ransomware can be detected; and the disk space occupied by the created bait file nearly can be ignored.

Description

technical field [0001] The invention relates to the field of information security, in particular to a ransomware prevention method and system. Background technique [0002] Ransomware is a type of malicious software used by hackers to hijack user assets or resources and extort money from users on the condition of this. Ransomware usually encrypts documents, emails, databases, source codes, pictures, compressed files and other files on the user's system in some form to make them unusable, or interferes with the normal use of users by modifying system configuration files. The systematic method reduces the availability of the system, and then sends a blackmail notice to the user through pop-up windows, dialog boxes, or text files, requiring the user to transfer money to the designated account to obtain the password for decrypting the file or obtain the method to restore the normal operation of the system. [0003] In the prior art, there are mainly two kinds of prevention sche...

AI Technical Summary

Problems solved by technology

[0003] In the prior art, there are mainly two kinds of prevention schemes for ransomware: the first scheme is to find known ransomware by means of antivirus engine scanning features; antivirus engine is the main part of antivirus software, to detect and find programs, and the virus database is a sample of the virus that has been found. Use the samples in the virus database to compare all the programs or files in the machine to see if they match these samples. If it is, it is a virus, otherwise it is not necessarily a virus (because There are still many viruses that have not been discovered or just produced), but because the virus database of the antivirus engine is known and the collected samples are generated by extracting features, it is impossible to prevent unknown samples that have not been collected, based on The scheme of this principle also cannot detect unknown ransomware; and because the virus database is obtained based on the binary data extraction characteristics of samples, and the antivirus engine judges whether an unknown file is a virus (ransomware) based on the matching degree of this characteristic. software), therefore, even for known samples, as long as the binary data judged by the antivirus engine is changed, the antivirus engine will not be able to detect it, so the first solution cannot be detected even for known viruses and ransomware Disadvantages (as long as the signature is changed)

The second solution is to use file backup to prevent ransomware. The main principle is to back up files that have been modified and deleted on readable and writable disks within a certain period of time, so that when the files on the disk are blackmailed within this period of time, If the software is encrypted, the encrypted file can be retrieved by backing up the file, but the disadvantage of the second solution is that it takes up a lot of disk space

[0004] Therefore, there is currently no effective solution to prevent ransomware

Images