Patent classifications
G06F21/565
Ransomware attack onset detection
A method of detecting the onset of a ransomware attack is presented. In an example embodiment, file backup metadata for each of a plurality of computing devices is accessed and analyzed to detect anomalous file backup activity of individual ones of the computing devices. A determination is made as to whether the detected anomalous file backup activity of at least some of the computing devices is correlated in time. File description metadata for each of the computing devices is also accessed and analyzed to identify files in the computing devices that are anomalous to other files in the computing devices. A determination whether a ransomware attack has begun is based on a determination that the detected anomalous file backup activity of at least some of the computing devices is correlated in time, as well as on the identified anomalous files.
Automation and optimization of data recovery after a ransomware attack
In the face of ransomware attacks, which can be increasingly difficult to effectively prevent, a solution can be considered to be the minimization of the cost and time taken to recover data and, hence, business activities. Embodiments perform a restore operation that includes automatically identifying the most recent healthy backup, from which data should be restored, and prioritizing the order in which data should be restored.
Information processing system, information processing device, storage medium, and information processing method of detecting destruction of data due to file transfer
An information processing device includes a memory and a processor coupled to the memory and configured to: generate second data by adding, to first data including a machine language, first machine language data that may be destroyed at a time of transfer of the first data and second machine language data that is not destroyed at the time of the transfer; and transmit the second data.
Ransomware detection and mitigation
There is disclosed in one example a computing apparatus, including: a hardware platform including a processor and a memory; a system profile store; and a ransomware detection engine including instructions encoded within the memory to instruct the processor to: detect an operation, by a process, that results in an operation on a file, wherein the operation includes newly creating the file including a file type identifier or, where the file is an existing file, changing a file type identifier for the file; query the system profile store with a combination of the file type identifier and metadata about the file; based at least in part on the querying, determine that the process is a suspected ransomware attack; and take a remedial action.
Ransomware protection for cloud storage systems
Exemplary security applications and systems are described herein. Such embodiments may be configured to provide backup functionality and ransomware protection for cloud storage systems. The described embodiments may monitor cloud storage systems to detect and classify various events, and may perform any number of actions based on classified events, such as transmitting notifications to users, preventing a user or application from accessing the cloud storage system, and/or restoring infected files.
System and method for recent file malware scanning
Systems and methods for recent file malware scanning are provided herein. In some embodiments, a security system may include a processor programmed to: download one or more files; filter, by a first driver, the one or more downloaded files using a security zone identifier; scan, by the first driver, the filtered subset of the one or more files for malware; store, by a second driver, a first set of information associated with each of the scanned files to indicate that each file of the filtered subset has been scanned, wherein the first set of information is stored as metadata using an alternate data stream (ADS) associated with each scanned file; monitor, by the second driver, changes to existing files based on the stored metadata; send instructions to rescan any existing file that has changed for malware; and update the information associated with any rescanned file's metadata using the ADS.
SYSTEM AND METHOD FOR DETECTING POTENTIALLY MALICIOUS CHANGES IN APPLICATIONS
Disclosed herein are systems and methods for detecting potentially malicious changes in an application. In one aspect, an exemplary method comprises: selecting a first file to be analyzed and at least one second file similar to the first file; for each of the at least one second file, calculating at least one set of features; identifying a set of distinguishing features of the first file by finding, for each of the at least one second file, a difference between a set of features of the first file and the calculated at least one set of features of the second file; and detecting a presence of potentially malicious changes in the identified set of distinguishing features of the first file.
System and method for differential malware scanner
Systems and methods for malware filtering are provided herein. In some embodiments, a system having one or more processors is configured to: retrieve a file downloaded to a user device; break the downloaded file into a plurality of chunks; scan the plurality of chunks to identify potentially malicious chunks; predict whether the downloaded file is malicious based on the scan of the plurality of chunks; and determine whether the downloaded file is malicious based on the prediction.
INFORMATION PROCESSING APPARATUS, INFORMATION PROCESSING METHOD, AND NON-TRANSITORY COMPUTER READABLE MEDIUM STORING PROGRAM
According to an example embodiment, an information processing apparatus includes: a memory that stores a program; whitelist storage means for storing a whitelist in which first verification data corresponding to each part of the program is listed; arithmetic processing means for executing the program; verification means for verifying whether there is a tampering with each part of the program by comparing the first verification data listed in the whitelist with second verification data that is newly calculated when each part of the program is executed; and information acquisition means for acquiring, when it is determined by the verification means that some part of the program has been tampered with, a snapshot related to the program determined to have been tampered with.
LOCAL FILE SECURITY
Disclosed is a system and method for increased security of files stored on local machines. The system and method include a number of checks to ensure that the file is being opened on the local machine where it was created. The checks may include a comparison of a CPUID of the machine on which the file is being opened to a CPUID stored in a script when the file was created. The checks may also include a review of a plurality of memory locations in search of artifacts indicating that the file is being opened on a virtual machine. A server may also check that any messages sent from the local machine do not pass through an intermediate server.