Encryption is not inherently suspicious. Backup software encrypts, secure messaging encrypts, full-disk tools encrypt — the act of scrambling data is a normal part of a healthy system. That is exactly what makes ransomware hard to catch by encryption alone: the attack uses the same primitive that legitimate software uses every day. The question is never 'is encryption happening' but 'is this the right process doing it, in the right way, with keys it should have.'
The grant US10637879B2, "Systems and methods for detection and mitigation of malicious encryption" (issued April 28, 2020, assigned to Carbonite, Inc.), is built around that distinction. Its CPC classifications mix the intrusion-detection classes (H04L 63/1425, H04L 63/1416, G06F 21/554) with the cryptographic class H04L 9/14, which tells you the invention is reasoning about the encryption itself, not just file-system churn.
“The present disclosure describes systems and methods for detection and mitigation of malicious encryption. A security agent on an infected computing device may monitor data writes to disk, memory, or network transmission buffers for strings that may represent encryption keys or moduli.” — U.S. Patent No. 10,637,879
The mechanism that matters is the focus on the keys and the cryptographic behavior. Ransomware typically brings its own keys or generates them locally, encrypts data the user can no longer access, and offers the decryption key for payment. A defense that understands the cryptographic side can flag encryption that originates from an unexpected source — and, crucially, can move to mitigate it rather than just log it.
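The abstract quoted above talks about scanning writes for strings that may represent keys or moduli. The sketch below is an added illustration of that idea, not code from the patent or from Carbonite. The PEM markers, the DER integer pattern, the modulus sizes, the entropy threshold and all function names are assumptions chosen for the example.

```python
import hashlib
import math
import re

# Textual key markers and the DER header of a long ASN.1 INTEGER (02 82 hi lo).
PEM_MARKER = re.compile(rb"-----BEGIN (?:RSA )?PUBLIC KEY-----")
DER_LONG_INT = re.compile(rb"\x02\x82(..)", re.DOTALL)
RSA_BITS = (2048, 3072, 4096)   # assumed modulus sizes of interest
MIN_ENTROPY = 6.5               # assumed threshold, bits per byte


def entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte."""
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / len(data) * math.log2(c / len(data)) for c in counts if c)


def find_key_material(buf: bytes) -> list:
    """Return sorted (offset, label) pairs for key-like strings in one write buffer."""
    hits = [(m.start(), "pem-public-key") for m in PEM_MARKER.finditer(buf)]
    for m in DER_LONG_INT.finditer(buf):
        length = int.from_bytes(m.group(1), "big")
        body = buf[m.end():m.end() + length]
        if length < 128 or len(body) != length:
            continue  # too short for a modulus, or truncated by the buffer edge
        mod = body[1:] if body[0] == 0 else body  # drop the DER sign byte
        bits = len(mod) * 8
        # An RSA modulus is odd, has its top bit set, and looks random.
        if bits in RSA_BITS and mod[0] & 0x80 and mod[-1] & 1 and entropy(mod) >= MIN_ENTROPY:
            hits.append((m.start(), f"der-rsa-modulus-{bits}"))
    return sorted(hits)


def constructed_write() -> bytes:
    """Constructed sample: a DER RSAPublicKey around a fake 2048-bit 'modulus'."""
    raw = bytearray(b"".join(hashlib.sha256(bytes([i])).digest() for i in range(8)))
    raw[0] |= 0x80   # force the top bit, as in a real modulus
    raw[-1] |= 1     # force an odd value
    der = b"\x30\x82\x01\x0a\x02\x82\x01\x01\x00" + bytes(raw) + b"\x02\x03\x01\x00\x01"
    return b"config-v1\n" + der + b"\nend"


if __name__ == "__main__":
    for offset, label in find_key_material(constructed_write()):
        print(f"offset {offset}: {label}")
```

A hit on its own is only a signal: legitimate software writes public keys too, so the result still has to be weighed against which process made the write.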
For defenders, the lesson is that the most durable detections target the part of an attack that cannot be changed. An attacker can rewrite the loader, repack the binary, and rotate command-and-control servers, but if the business model requires encrypting the victim's files with keys only the attacker holds, that step has to happen. Watching the cryptographic behavior catches the attack at the one point it cannot avoid.
The mitigation half is again where the real engineering lives. Detecting malicious encryption a second too late is the difference between a contained incident and a restored-from-backup weekend. The patent's emphasis on detection-and-mitigation as a pair reflects how the industry has come to think about ransomware: speed of response is the whole game.