Method, apparatus, computer device, storage medium and program product for protecting against malware encryption
By analyzing malware samples in a sandbox to generate filename extension lists, the method prevents malware encryption, ensuring data and information security by applying these lists to normal files, addressing the challenge of malware-caused file encryption.
Patent Information
- Authority / Receiving Office
- WO
- Patent Type
- Applications
- Current Assignee / Owner
- SIEMENS AG
- Filing Date
- 2024-12-27
- Publication Date
- 2026-07-02
AI Technical Summary
Malware encryption causes irreparable losses to enterprises by encrypting files, with only the malware developer having access to decryption, compromising data security and information security.
A method involving a sandbox to analyze malware samples to generate blacklists and whitelists of filename extensions, performing operations on these lists to obtain unencrypted filename extensions, and applying these extensions to normal files to prevent encryption, using a computer device and storage medium to execute the method.
Ensures data and information security by preventing normal files from being encrypted by malware, maintaining file integrity and accessibility.
Description
METHOD, APPARATUS, COMPUTER DEVICE, STORAGE MEDIUM AND PROGRAM PRODUCT FOR PROTECTING AGAINST MALWARE ENCRYPTION
TECHNICAL FIELD
[0001] Embodiments of the application relate to computer science, and in particular to a method, an apparatus, an electronic device, a storage medium and a program product for protecting against malware encryption.
BACKGROUND
[0002] Currently, malware emerges endlessly, and various malware attacks occur from time to time; each attack causes irreparable losses to the affected enterprise or company. More specifically, the files of a company are encrypted, and only the encryptor who develops and distributes the malware can access these encrypted files, causing significant losses for the business or company and adversely affecting society.
SUMMARY
[0003] The contents section of the present invention is provided to introduce in simplified form selected concepts which will be further described in the specific embodiments section below. The contents section of the invention is not intended to identify any key features or essential features of the claimed subject matter, nor is it intended to be used to assist in determining the scope of the claimed subject matter.
[0004] At least one embodiment of the application provides a method for protecting against malware encryption, comprising:
[0005] receiving normal files and malware samples into a sandbox to obtain multiple blacklists and multiple whitelists of said malware samples;
[0006] performing an operation on said blacklists and whitelists to obtain a list of unencrypted filename extensions of said malware samples; and
[0007] performing a filename extension operation on said normal files in accordance with said list of unencrypted filename extensions; and
[0008] receiving said normal files and said malware samples into said sandbox after the filename extension operation, and outputting said list of unencrypted filename extensions if said normal files are not encrypted by said malware samples.
[0009] By the above means, a list of filename extensions that avoid malware encryption can be obtained, and normal files can be kept from being encrypted by malware by adding said extensions after the normal filenames, ensuring data security and information security.
[0010] In some embodiments, receiving normal files and malware samples into a sandbox to obtain multiple blacklists and multiple whitelists of said malware samples comprises:
[0011] receiving said normal files and said multiple malware samples into said sandbox;
[0012] obtaining encrypted and unencrypted normal files;
[0013] obtaining multiple blacklists and multiple whitelists of said malware samples by analyzing said encrypted and unencrypted normal files.
[0014] By the above means, the respective blacklists and whitelists of multiple malware samples can be obtained, and said blacklists and whitelists can finally be used to obtain said list of unencrypted filename extensions to avoid malware encryption.
[0015] In some embodiments, receiving said normal files and said multiple malware samples into said sandbox comprises:
[0016] receiving office documents, photos, and source files and said malware samples into the sandbox.
[0017] By the above means, different formats or types of files can be tested against malware encryption to obtain accurate and comprehensive blacklists and whitelists.
[0018] In some embodiments, performing an operation on said blacklists and whitelists to obtain a list of unencrypted filename extensions of said malware samples comprises:
[0019] performing a union operation on said blacklists to obtain a first union set;
[0020] performing a union operation on said whitelists to obtain a second union set; and
[0021] performing an inverse operation on said first union set and then intersecting with said second union set to obtain said list of unencrypted filename extensions.
[0022] By the above means, a comprehensive and accurate filename extension list can be obtained, and files with extensions in said list of unencrypted filename extensions will not be encrypted by malware.
[0023] In some embodiments, performing an inverse operation on said first union set and then intersecting with said second union set to obtain said list of unencrypted filename extensions comprises:
[0024] performing an inverse operation on the first union set and then taking the minimum intersection with the second union set to obtain said list of unencrypted filename extensions.
[0025] By the above means, the leanest list of filename extensions can be obtained, with no redundant filename extension in the list.
[0026] In some embodiments, performing a filename extension operation on said normal files in accordance with said list of unencrypted filename extensions comprises:
[0027] adding a file extension to the end of the filename of said normal files.
[0028] By the above means, file information can be secured and is not encrypted by those malware samples.
[0029] The application also discloses an apparatus for protecting against malware encryption, comprising:
[0030] a sandbox module for receiving normal files and malware samples into a sandbox to obtain multiple blacklists and multiple whitelists of said malware samples;
[0031] an operation module for performing an operation on said blacklists and whitelists to obtain a list of unencrypted filename extensions of said malware samples; and
[0032] an extension module for performing a filename extension operation on said normal files in accordance with said list of unencrypted filename extensions; and
[0033] an output module for receiving said normal files and said malware samples into said sandbox after the filename extension operation, and outputting said list of unencrypted filename extensions if said normal files are not encrypted by said malware samples.
[0034] The application also provides a computer device comprising a memory and a processor, said memory storing a computer program, wherein said processor implements the above method when said computer program is executed by said processor.
[0035] The application also provides a computer readable storage medium having a computer program stored thereon, wherein said computer program implements the above method when executed by a processor.
[0036] The application also provides a computer program product, said computer program product being tangibly stored on a computer-readable medium and comprising computer-executable instructions, said computer-executable instructions when executed causing at least one processor to perform the above method.
DESCRIPTION OF DRAWINGS
[0037] To more clearly describe the technical solutions in the embodiments of the present disclosure or the prior art, the drawings to be used in the description of the embodiments or the prior art are briefly introduced below. Apparently, the drawings in the description below are merely some embodiments of the present disclosure. For those of ordinary skill in the art, other drawings may also be obtained based on these drawings.
[0038] FIG. 1 is a schematic flowchart of a method for protecting against malware encryption provided in an embodiment of the present disclosure.
[0039] FIG. 2 is a schematic diagram of an apparatus for protecting against malware encryption provided in an embodiment of the present disclosure.
[0040] FIG. 3 is a schematic diagram of a computer device for protecting against malware encryption provided in an embodiment of the present disclosure.
[0041] FIG. 4 is a schematic diagram for protecting against malware encryption in an embodiment of the present disclosure.
[0042] List of reference numerals:
[0043] S101-S103: method steps
[0044] 200: apparatuses
[0045] 201: sandbox module
[0046] 202: operation module
[0047] 203: extension module
[0048] 204: output module
[0049] 300: computer device
[0050] 302: processor
[0051] 304: memory
[0052] 401: normal file
[0053] 402: sandbox
[0054] 403: multiple blacklists and whitelists
[0055] 404: sandbox
[0056] 405: normal file
[0057] 406: malware sample set
[0058] 407: malware immunity file extension list
DETAILED DESCRIPTION
[0059] In the following specification, many specific details are set forth for explanatory purposes. However, it will be appreciated that the realization of the present invention can be carried out without these specific details. In other examples, well-known circuits, structures, and techniques are not shown in detail so as not to affect the understanding of the specification.
[0060] Throughout the specification, references to “an embodiment”, “realization”, “exemplary embodiment”, “some embodiments”, “various embodiments”, and the like, and references to “an implementation”, “implementation”, “exemplary implementation”, “some implementations”, “various implementations”, etc., indicate that the described implementations of the present invention may include particular features, structures, or characteristics; however, it is not necessary for each implementation to include these particular features, structures, or characteristics. In addition, some implementations may have some, all, or none of the features described with respect to other implementations.
[0061] The scenario of this application is to prevent malware from encrypting data. This application proposes a solution that clarifies the running logic of the malware samples and finds the filename extension whitelist and blacklist that the malware bypasses or excludes during data encryption. The corresponding whitelist or blacklist is then extracted from every malware family, a union is obtained for the whitelists and for the blacklists respectively, and the two unions are compared to obtain the minimum intersection subset. Eventually, even if devices are infected by these malware samples, files that carry the immunity filename extensions can avoid the risk of infection and encryption.
[0062] As shown in FIG. 1, the method may include the following steps:
[0063] S101, receiving normal files and malware samples into a sandbox to obtain multiple blacklists and multiple whitelists of said malware samples;
[0064] In some embodiments, receiving normal files and malware samples into a sandbox is aimed at obtaining the blacklist and whitelist of the malware samples. The sandbox is a virtual machine or physical device in which normal files and malware samples are mixed to obtain the blacklists and whitelists of said malware samples. Since there are different malware samples, multiple blacklists and whitelists are obtained correspondingly. In some embodiments, the blacklists and whitelists are associated with filename extensions; in other words, a blacklist or whitelist includes multiple filename extensions. For example, the whitelists comprise filename extensions such as “.theme”, “.icns”, “.lock”, “.rdp”, “.lnk”, and the blacklists comprise filename extensions such as “.der”, “.pfx”, “.key”, “.crt”, “.csr”. From the above filename extensions, it can be decided which files would be encrypted by the malware samples and which files would not.
[0065] In some embodiments, receiving normal files and malware samples into a sandbox to obtain multiple blacklists and multiple whitelists of said malware samples comprises:
[0066] receiving said normal files and said multiple malware samples into said sandbox;
[0067] obtaining encrypted and unencrypted normal files;
[0068] obtaining multiple blacklists and multiple whitelists of said malware samples by analyzing said encrypted and unencrypted normal files.
[0069] Based on the encrypted and unencrypted normal files, it is possible to analyze which filename extensions belong to encrypted files and which to unencrypted files. If a file is encrypted, the corresponding filename extension is recorded in the blacklist; if a file is not encrypted, the corresponding filename extension is recorded in the whitelist.
[0070] By the above means, the respective blacklists and whitelists of said multiple malware samples can be obtained, and said blacklists and whitelists can be used to obtain a list of unencrypted filename extensions to avoid malware encryption.
[0071] In some embodiments, receiving said normal files and said multiple malware samples into said sandbox comprises:
[0072] receiving office documents, photos, and source files and said malware samples into the sandbox.
[0073] In some embodiments, since different types of normal file have different filename extensions, receiving different files into the sandbox and mixing them with different malware samples can test which filename extensions of normal files would be encrypted by the malware samples and which would not. Such filename extension information is then collected and summarized to form the blacklist and whitelist accordingly.
[0074] By the above means, different formats or types of normal files can be tested with malware to obtain accurate and comprehensive blacklists and whitelists of the malware samples.
[0075] S102, performing an operation on said blacklists and whitelists to obtain a list of unencrypted filename extensions of said malware samples;
[0076] In some embodiments, performing an operation on said blacklists and whitelists serves to obtain a list of unencrypted filename extensions by which the normal files will not be encrypted by any of these malware samples. In some embodiments, the list of unencrypted filename extensions is obtained from the unions of those multiple blacklists and whitelists.
[0077] In some embodiments, performing an operation on said blacklists and whitelists to obtain a list of unencrypted filename extensions of said malware samples comprises:
[0078] performing a union operation on said blacklists to obtain a first union set;
[0079] performing a union operation on said whitelists to obtain a second union set; and
[0080] performing an inverse operation on said first union set and then intersecting with said second union set to obtain said list of unencrypted filename extensions.
[0081] By the above means, a comprehensive and accurate filename extension list can be obtained, and files carrying such filename extensions will not be encrypted by the malware samples.
[0082] In some embodiments, performing an inverse operation on said first union set and then intersecting with said second union set to obtain said list of unencrypted filename extensions comprises:
[0083] performing an inverse operation on the first union set and then taking the minimum intersection with the second union set to obtain said list of unencrypted filename extensions.
[0084] By the above means, the leanest list of filename extensions can be obtained, with no redundant or repeated filename extensions in the list.
[0085] S103, performing a filename extension operation on said normal files in accordance with said list of unencrypted filename extensions;
[0086] In some embodiments, after the list of unencrypted filename extensions has been obtained, the next procedure is to perform a filename extension operation on the normal files based on that list.
[0087] In some embodiments, performing a filename extension operation on said normal files in accordance with said list of unencrypted filename extensions comprises:
[0088] adding a file extension to the end of the filename of said normal files.
[0089] For example, if the list of unencrypted filename extensions comprises the extension “.hlp” and the normal file is “file1.docx”, then performing the filename extension operation on the normal file means adding “.hlp” to the end of “file1.docx” so that it finally becomes “file1.docx.hlp”.
[0090] By the above means, normal files can avoid encryption by malware and file information is secured.
[0091] S104, receiving said normal files and said malware samples into said sandbox after said filename extension operation, and outputting said list of unencrypted filename extensions if said normal files are not encrypted by said malware samples.
[0092] In some embodiments, this step verifies that the normal files are not encrypted by the malware samples after the above filename extension operation. In other words, the file “file1.docx.hlp” and the malware samples are input into the sandbox, mixed, and tested as to whether “file1.docx.hlp” is encrypted or not. If it is not encrypted, the filename extension “.hlp” is treated as a qualified or certificated filename extension. Since there are multiple filename extensions in the list of unencrypted filename extensions, each filename extension should be verified by the above procedure to be finally qualified and certificated. In the end, said list of unencrypted filename extensions, comprising all qualified and certificated filename extensions, is output. In some embodiments, the list of unencrypted filename extensions may be called the “malware immunity file extension list”.
[0093] By the above means, a list of filename extensions that avoid malware encryption can be obtained, and normal files can be kept from being encrypted by malware by adding said extensions after the normal filenames, ensuring data security and information security.
[0094] As shown in FIG. 4, normal files 401 such as office files, photos and source files are submitted or input into sandbox 402, and malware sample set 406 submits or inputs malware samples into sandbox 402 as well; sandbox 402 then runs and outputs multiple blacklists and whitelists 403. After an operation is performed on said blacklists and whitelists to obtain a list of unencrypted filename extensions of said malware samples, the list is sent into sandbox 404. The copies of normal files 405 are input into sandbox 404, and malware sample set 406 submits or inputs malware samples into sandbox 404 as well, to verify whether those normal files are encrypted or unencrypted after the unencrypted filename extensions have been added. If verified as unencrypted, the malware immunity file extension list 407, which comprises those qualified or certificated filename extensions, is output.
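The S101 to S104 pipeline described above and drawn in FIG. 4, as an added Python example; it is not code from the patent or from Siemens. The real method runs live samples inside a sandbox; here the sandbox is replaced by a constructed oracle in which each hypothetical sample family is described only by the trailing extensions it was observed to leave alone. The family names, their skip sets, the file corpus and every function name are assumptions made for the example.

```python
"""Model of the S101-S104 pipeline (added example; not the patent's code).

The 'sandbox' is a constructed oracle: each hypothetical sample family is
described only by the trailing extensions it was observed to leave untouched,
so the list derivation, set operations and re-verification run offline.
"""
import os
from typing import Dict, List, Set, Tuple

# Constructed behaviour profiles for three hypothetical sample families.
# A family "encrypts" every file whose trailing extension is not in its skip set.
SAMPLE_SKIPS: Dict[str, Set[str]] = {
    "family_a": {".theme", ".icns", ".lock", ".hlp"},
    "family_b": {".rdp", ".lnk", ".hlp", ".icns"},
    "family_c": {".hlp", ".icns", ".lock"},
}

# Constructed corpus of normal files (office documents, photos, source files,
# plus files carrying the extensions the families are known to skip).
NORMAL_FILES: List[str] = [
    "report.docx", "photo.jpg", "main.c", "cert.crt",
    "db.lock", "icon.icns", "app.theme", "help.hlp", "remote.rdp",
]


def trailing_ext(filename: str) -> str:
    """Extension the oracle keys on: the last '.suffix' of the name, lower-cased."""
    return os.path.splitext(filename)[1].lower()


def sandbox_run(filenames: List[str], sample: str) -> Set[str]:
    """Stand-in for the sandbox: the set of filenames the sample would encrypt."""
    skips = SAMPLE_SKIPS[sample]
    return {f for f in filenames if trailing_ext(f) not in skips}


def derive_lists(filenames: List[str], sample: str) -> Tuple[Set[str], Set[str]]:
    """S101: blacklist = extensions of encrypted files, whitelist = extensions of untouched files."""
    encrypted = sandbox_run(filenames, sample)
    blacklist = {trailing_ext(f) for f in encrypted}
    whitelist = {trailing_ext(f) for f in filenames if f not in encrypted}
    return blacklist, whitelist


def immunity_candidates(blacklists: List[Set[str]], whitelists: List[Set[str]]) -> Set[str]:
    """S102: union of blacklists (first union), union of whitelists (second union),
    then the complement of the first union intersected with the second union.
    Over the finite universe of observed extensions that is simply second - first."""
    first_union: Set[str] = set().union(*blacklists)
    second_union: Set[str] = set().union(*whitelists)
    return second_union - first_union


def apply_extension(filename: str, ext: str) -> str:
    """S103: append the immunity extension after the existing filename."""
    return filename + ext


def verify(filenames: List[str], candidates: Set[str], samples: List[str]) -> Set[str]:
    """S104: re-run every sample against renamed copies; keep only the extensions
    under which no sample encrypts any file."""
    qualified: Set[str] = set()
    for ext in sorted(candidates):
        renamed = [apply_extension(f, ext) for f in filenames]
        if all(not sandbox_run(renamed, s) for s in samples):
            qualified.add(ext)
    return qualified


def build_immunity_list(filenames: List[str], samples: List[str]) -> Set[str]:
    """Whole pipeline: S101 per sample, S102 across samples, S103 + S104 as the gate."""
    blacklists: List[Set[str]] = []
    whitelists: List[Set[str]] = []
    for sample in samples:
        black, white = derive_lists(filenames, sample)
        blacklists.append(black)
        whitelists.append(white)
    return verify(filenames, immunity_candidates(blacklists, whitelists), samples)


if __name__ == "__main__":
    families = list(SAMPLE_SKIPS)
    for fam in families:
        print(fam, derive_lists(NORMAL_FILES, fam))
    print("malware immunity file extension list:",
          sorted(build_immunity_list(NORMAL_FILES, families)))
```

With this corpus the three blacklists union to {.docx, .jpg, .c, .crt, .rdp, .lock, .theme} and the whitelists to {.lock, .icns, .theme, .hlp, .rdp}, so the S102 candidates are {.icns, .hlp}; .rdp, .lock and .theme drop out because at least one family encrypted them, which is exactly the "minimum" list the patent asks for. Two things the model makes visible: .lnk is in a skip set but never enters a whitelist because no .lnk file was in the corpus, so the corpus fed into S101 must cover every extension one hopes to certify; and because this oracle keys solely on the trailing extension, every candidate passes S104 by construction, whereas in a real sandbox the re-run is the step that can reject a candidate, with encryption detected by comparing content hashes of the file copies before and after the run.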
[0095] Although the individual steps in the flowchart of FIG. 1 are shown sequentially as indicated by the arrows, these steps are not necessarily executed sequentially in the order indicated by the arrows. Unless expressly stated herein, there is no strict order limitation on the execution of these steps, and the steps may be executed in other orders. Moreover, at least a portion of the steps of FIG. 1 may include multiple steps or multiple stages, which are not necessarily executed to completion at the same moment, but may be executed at different moments, and the order in which these steps or stages are executed is not necessarily sequential, but may be executed in turn or alternately with other steps or at least a portion of steps or stages in other steps.
[0096] As shown in FIG. 2, the application provides an apparatus 200 for protecting against malware encryption, comprising:
[0097] a sandbox module 201 for receiving normal files and malware samples into a sandbox to obtain multiple blacklists and multiple whitelists of said malware samples;
[0098] an operation module 202 for performing an operation on said blacklists and whitelists to obtain a list of unencrypted filename extensions of said malware samples; and
[0099] an extension module 203 for performing a filename extension operation on said normal files in accordance with said list of unencrypted filename extensions; and
[0100] an output module 204 for receiving said normal files and said malware samples into said sandbox after the filename extension operation, and outputting said list of unencrypted filename extensions if said normal files are not encrypted by said malware samples.
[0101] It is noted that the device may comprise more or fewer modules to perform the described functions. For example, at least one of the modules of FIG. 2 may be further divided into plural distinct sub-modules, each of which is used to perform at least a portion of the operations described herein in conjunction with the corresponding module. In addition, in some examples, the device 200 may include additional modules for performing other operations already described in the specification. In addition, it will be understood by those skilled in the art that the exemplary device 200 may be implemented with software, hardware, firmware, or any combination thereof.
[0102] FIG. 3 provides a computer device. According to one embodiment, the computer device 300 may include a processor 302, the processor 302 executing a computer program stored in a memory 304. The computer program is executed by the processor to implement the method described above.
[0103] It will be understood by one of ordinary skill in the art that the structure illustrated in FIG. 3, which is only a block diagram of a portion of the structure related to the embodiments of the present application, does not constitute a limitation on the computer device to which the present application is applied, and that a specific computer device may include more or fewer components than those shown in the drawings, or a combination of some of the components, or have a different arrangement of components.
[0104] A person of ordinary skill in the art may understand that all or part of the processes in the methods for realizing the above embodiments are possible to be accomplished by a computer program for instructing the relevant hardware, and that said computer program may be stored in a non-volatile computer-readable storage medium, which computer program, when executed, may comprise processes such as the processes of the embodiments of each of the above-described methods. Among other things, any reference to a memory, storage, database, or other medium used in the various embodiments provided in this application may include at least one of non-volatile and volatile memory. Non-volatile memory may include Read-Only Memory (ROM) , magnetic tape, floppy disk, flash memory, or optical memory. Volatile memory may include Random Access Memory (RAM) or external cache memory. By way of illustration and not limitation, the RAM may be in various forms, such as Static Random Access Memory (SRAM) or Dynamic Random Access Memory (DRAM) , and the like.
[0105] The present application also provides a computer readable storage medium having a computer program stored thereon, said computer program realizing the above steps when executed by a processor.
[0106] The present application also provides a computer program product, said computer program product being tangibly stored on a computer-readable medium and comprising computer-executable instructions, said computer-executable instructions when executed causing at least one processor to perform said method.
[0107] Further, said computer program may be stored and run in the cloud for execution of said method. Further, components of said program may be laid out on multiple devices or in the cloud, e.g. the corresponding steps may be laid out and run on a local computer, or run on different cloud devices that transmit signals via a communication connection. The present application does not limit the described ways or methods, and the corresponding techniques can be flexibly laid out and deployed to fully utilize the cloud, big data, supercomputing power, and other devices and techniques for the execution and completion of the methods.
[0108] Some implementations of the present disclosure may include artifacts. The artifacts may include a storage medium, which is used to store logic. Examples of storage media may include one or more types of computer-readable storage media capable of storing electronic data, including volatile memory or non-volatile memory, removable or non-removable memory, erasable or non-erasable memory, writable or rewritable memory, and the like. Examples of logic may include various software units, such as software components, programs, applications, computer programs, application programs, system programs, machine programs, operating system software, middleware, firmware, software modules, routines, subroutines, functions, methods, procedures, software interfaces, application program interfaces (APIs), instruction sets, computational code, computer code, code segments, computer code segments, words, values, symbols, or any combination thereof. In some implementations, for example, the artifact may store executable computer program instructions that, when executed by the processor, cause the processor to perform the methods and/or operations described herein. The executable computer program instructions may include any suitable type of code, e.g., source code, compiled code, interpreted code, executable code, static code, dynamic code, and the like. The executable computer program instructions may be implemented according to a predefined computer language, manner, or syntax for commanding a computer to perform a particular function. Said instructions may be implemented using any suitable high-level, low-level, object-oriented, visual, compiled, and/or interpreted programming language.
[0109] What has been described above includes examples of the disclosed architecture. It is certainly not possible to describe every conceivable combination of components and / or methods, but those skilled in the art can appreciate that many other combinations and arrangements are possible. Accordingly, the novel architecture is intended to cover all such substitutions, modifications, and variations that fall within the spirit and scope of the appended claims.
[0110] Independent of the grammatical term usage, individuals with male, female or other gender identities are included within the term.
Claims
1. A method for protecting against malware encryption, comprising:
receiving (S101) normal files and malware samples into a sandbox to obtain multiple blacklists and multiple whitelists of said malware samples;
performing (S102) an operation on said blacklists and whitelists to obtain a list of unencrypted filename extensions of said malware samples;
performing (S103) a filename extension operation on said normal files in accordance with said list of unencrypted filename extensions; and
receiving (S104) said normal files and said malware samples into said sandbox after the filename extension operation, and outputting said list of unencrypted filename extensions if said normal files are not encrypted by said malware samples.
2. The method according to claim 1, wherein receiving (S101) normal files and malware samples into a sandbox to obtain multiple blacklists and multiple whitelists of said malware samples comprises:
receiving said normal files and said multiple malware samples into said sandbox;
obtaining encrypted and unencrypted normal files; and
obtaining multiple blacklists and multiple whitelists of said malware samples by analyzing said encrypted and unencrypted normal files.
3. The method of claim 2, wherein receiving said normal files and said multiple malware samples into said sandbox comprises:
receiving office documents, photos, and source files and said malware samples into the sandbox.
4. The method of claim 1, wherein performing (S102) an operation on said blacklists and whitelists to obtain a list of unencrypted filename extensions of said malware samples comprises:
performing a union operation on said blacklists to obtain a first union set;
performing a union operation on said whitelists to obtain a second union set; and
performing an inverse operation on said first union set and then intersecting with said second union set to obtain said list of unencrypted filename extensions.
5. The method according to claim 4, wherein performing an inverse operation on said first union set and then intersecting with said second union set to obtain said list of unencrypted filename extensions comprises:
performing an inverse operation on said first union set and then taking the minimum intersection with the second union set to obtain said list of unencrypted filename extensions.
6. The method of claim 1, wherein performing (S103) a filename extension operation on said normal files in accordance with said list of unencrypted filename extensions comprises:
adding a file extension to the end of the filename of said normal files.
7. An apparatus (200) for protecting against malware encryption, comprising:
a sandbox module (201) for receiving normal files and malware samples into a sandbox to obtain multiple blacklists and multiple whitelists of said malware samples;
an operation module (202) for performing an operation on said blacklists and whitelists to obtain a list of unencrypted filename extensions of said malware samples;
an extension module (203) for performing a filename extension operation on said normal files in accordance with said list of unencrypted filename extensions; and
an output module (204) for receiving said normal files and said malware samples into said sandbox after the filename extension operation, and outputting said list of unencrypted filename extensions if said normal files are not encrypted by said malware samples.
8. A computer device comprising a memory and a processor, said memory storing a computer program, wherein said processor realizes the steps of the method described in any one of claims 1 to 6 when said computer program is executed by said processor.
9. A computer readable storage medium having a computer program stored thereon, wherein said computer program, when executed by a processor, implements the steps of the method of any one of claims 1 to 6.
10. A computer program product, said computer program product being tangibly stored on a computer-readable medium and comprising computer-executable instructions, said computer-executable instructions, when executed, causing at least one processor to perform the method according to any one of claims 1 to 6.