Ransomware detection method and system

Abstract

The invention discloses a ransomware detection method and system. The method comprises the steps of suspending a process and backing up files to a readable region if the file modification process exists, and releasing the process after the backup is finished; comparing entropy values of modified files and the backed-up files, and judging whether the current process performs encryption operation on the files or not; if the encryption operation exists, collecting all the encrypted files, and judging whether a proportion of the files with the same expanded names exceeds a preset value or not; if yes, continuing to judge whether the file names of the files with the same expanded names are consistent in length and part of same character strings exist or not; and if yes, judging that the files are suspected ransomware. According to the technical scheme, the ransomware can be effectively identified, the false alarm rate is reduced, and the operation of normal software on the files is not influenced.

Description

technical field [0001] The invention relates to the technical field of information security, in particular to a detection method and system for a blackmailer virus. Background technique [0002] Ransomware is a relatively popular virus in the past two years, especially in 2016, ransomware in my country has exploded. Once the ransomware infects the system, it will encrypt document files, picture files, text files, etc. on the computer disk. After the encryption is successful, it will notify the user through webpage files, TXT files, screen saver pictures, etc. within a certain period of time before paying the ransom. Give the way of decryption. Ransomware authors use very complex random asymmetric encryption to encrypt user data, and only malicious code authors can decrypt it. To some extent, even if the user pays the ransom to the malicious code author, the data may not be decrypted. This is a catastrophic event for enterprises and departments with important resources, suc...

AI Technical Summary

Problems solved by technology

To some extent, even if the user pays the ransom to the malicious code author, the data may not be decrypted. This is a catastrophic event for enterprises and departments with important resources, such as: once the medical department, bank, and government department are attacked by ransomware , it will paralyze all business systems, and the loss is immeasurable

[0003] At present, mainstream antivirus software has a file protection function, which can ensure that files are not maliciously tampered with, but this approach may also affect the operation of normal software on files. Even though the whitelist mechanism can guarantee the normal access of some software, it cannot guarantee all Actions on files by security programs

At the same time, whitelist technology cannot guarantee that files will not be tampered with by malicious programs, so it is not suitable for blackmailers, because many blackmailer viruses release attacks by injecting whitelist processes, such as explorer or svchost processes

Images