PayPal receives patent for ransomware detection technology

silversurfer

The United States Patent and Trademark Office has granted this week a patent to online payments company PayPal for a technique for detecting and stopping ransomware attacks.

According to US patent number 10262138, issued on April 16, PayPal believes it can detect the early stages of a ransomware infection, and take one of two actions: to stop the encryption process, or to save a copy of the untainted original file to a remote server, before it gets encrypted, as a backup, so it can be restored later on.

HOW PAYPAL CAN DETECT RANSOMWARE

At the patent's heart is the technique through which PayPal claims it can detect the onset of a ransomware infection.

PayPal says that its system will watch for when local files are loaded inside a computer's memory cache system, the place all files are loaded when an application needs to execute an operation.

PayPal's system will look for a certain action pattern: when the file is duplicated, and high-entropy (encryption) operations are performed on the duplicate.

This is a common technique used by many ransomware strains, which encrypt a copy of the original file, and then permanently delete the original, sending the encrypted copy for storage on disk, to replace the legitimate file.

PayPal's solution is to detect this pattern and introduce a whitelist of applications that are allowed to perform such actions.

If the app process executing these operations is not on the whitelist, PayPal's system will stop the process, and/or send a copy of the original file to a remote cloud service for backup storage.
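The pattern described in the post above (a file is duplicated, high-entropy data is written to the duplicate, and the process is checked against a whitelist), sketched as an added example that is not part of the original post and is not PayPal's implementation. The event format, the 7.5 bits-per-byte threshold, the process names and the paths are all assumptions constructed for illustration.

```python
import hashlib
import math
from collections import Counter

ENTROPY_THRESHOLD = 7.5               # bits per byte; assumed cutoff, not from the patent
ALLOWLIST = {"backup-agent.exe"}      # hypothetical allowlisted process

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input, 8.0 maximum)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def evaluate(events, allowlist=ALLOWLIST, threshold=ENTROPY_THRESHOLD):
    """Flag processes that duplicate a file and then write high-entropy data
    to the duplicate. Returns (process, original_path, action) tuples."""
    duplicates = {}                   # (process, duplicate path) -> original path
    verdicts = []
    for ev in events:
        proc = ev["process"]
        if ev["op"] == "copy":
            duplicates[(proc, ev["dst"])] = ev["src"]
        elif ev["op"] == "write":
            original = duplicates.get((proc, ev["path"]))
            if original is None:
                continue              # write is not to a tracked duplicate
            if shannon_entropy(ev["data"]) < threshold:
                continue              # ordinary edit, not encryption-like
            if proc in allowlist:
                continue              # legitimate tools can produce high entropy too
            verdicts.append((proc, original, "stop_process_and_backup_original"))
    return verdicts

# Constructed sample data: pseudo-random bytes stand in for ciphertext.
CIPHERLIKE = b"".join(hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(128))
PLAINTEXT = b"Quarterly report draft, revision 3. " * 100

SAMPLE_EVENTS = [
    {"process": "editor.exe", "op": "copy", "src": "docs/notes.txt", "dst": "docs/notes.txt.bak"},
    {"process": "editor.exe", "op": "write", "path": "docs/notes.txt.bak", "data": PLAINTEXT},
    {"process": "backup-agent.exe", "op": "copy", "src": "docs/tax.pdf", "dst": "stage/tax.pdf"},
    {"process": "backup-agent.exe", "op": "write", "path": "stage/tax.pdf", "data": CIPHERLIKE},
    {"process": "unknown.exe", "op": "copy", "src": "docs/report.docx", "dst": "docs/report.tmp"},
    {"process": "unknown.exe", "op": "write", "path": "docs/report.tmp", "data": CIPHERLIKE},
]

if __name__ == "__main__":
    for verdict in evaluate(SAMPLE_EVENTS):
        print(verdict)
```

Only `unknown.exe` is flagged: the editor's write is low-entropy, and the backup agent's high-entropy write is exempted by the allowlist, which is why the whitelist step matters for keeping false positives down.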
 
