Every signature-based defense shares the same blind spot: it can only recognize what it has already seen. The moment an attacker recompiles a payload or tweaks a few bytes, the signature no longer matches and the file sails through. Ransomware crews exploit this gap constantly, which is why the most damaging campaigns are usually built on variants that no scanner has a fingerprint for yet.

The grant US10628587B2, "Identifying and halting unknown ransomware" (issued April 21, 2020, assigned to Cisco Technology, Inc.), attacks the problem from the other end. Its CPC classifications sit squarely in the malware and intrusion-detection classes — G06F 21/566, G06F 21/552, G06F 21/554, G06F 21/56, and H04L 63/145 — which is the signature of a behavioral approach rather than a static-signature one.

“In one embodiment, a computing device collects ransomware behavioral data of known ransomware, the ransomware behavioral data based on one or more file writing features, and trains a ransomware classifier with the ransomware behavioral data to detect ransomware.” — U.S. Patent No. 10,628,587

The mechanism worth understanding is that ransomware, whatever its code looks like, has to do a recognizable set of things to succeed: it has to open a large number of files in quick succession, read them, write encrypted versions, and frequently delete or overwrite the originals. That activity pattern is hard to disguise because it is the attack itself. A defense that watches for the pattern can act before the encryption finishes, even on a sample it has never catalogued.

The practical takeaway for defenders is that behavior-based detection is not a replacement for signatures so much as a backstop for the gap signatures leave. The patent's value is in the halting half — recognizing the behavior is only useful if you can interrupt the process mid-encryption and limit the blast radius to a handful of files rather than a whole volume.

None of this makes ransomware a solved problem. Behavioral detection raises the false-positive question — legitimate backup and bulk-encryption tools look a lot like an attack — and the patent's real work is in drawing that line. But the conceptual shift it represents, away from 'have I seen this exact file' toward 'is this process behaving like ransomware,' is the foundation under most modern endpoint defenses.