Abstract: A system and method for detecting and preventing ransomware includes creating a number of watch files in a filesystem, and adding a location and a timestamp of each to an ingest log. A number of native files are found in the filesystem and cataloged, adding the location and the timestamp of each to the ingest log. Periodically, each timestamp of each entry in the ingest log is compared to a current timestamp of a corresponding file in the filesystem and a count of watch files that have change and a count of native files that have changed is made. If the count of watch and native files that have changed indicate that a ransomware program is running on the computer, the ransomware program is suspended and reported. If a command indicates that the ransomware program is not ransomware, execution of the ransomware program is resumed.

Abstract: A system and method for detecting and preventing ransomware includes creating a number of watch files in a filesystem and adding a location and a timestamp of each to an ingest log. A number of native files are found in the filesystem and cataloged, adding the location and the timestamp of each to the ingest log. Periodically, each timestamp of each entry in the ingest log is compared to a current timestamp of a corresponding file in the filesystem and a count of watch files that have change and a count of native files that have changed is made. If the count of watch and native files that have changed indicate that a ransomware program is running on the computer, the ransomware program is suspended and reported. If a command indicates that the ransomware program is not ransomware, execution of the program is resumed.

Abstract: A system and method for detecting and preventing ransomware includes creating a number of watch files in a filesystem and adding a location and a timestamp of each to an ingest log. A number of native files are found in the filesystem and cataloged, adding the location and the timestamp of each to the ingest log. Periodically, each timestamp of each entry in the ingest log is compared to a current timestamp of a corresponding file in the filesystem and a count of watch files that have change and a count of native files that have changed is made. If the count of watch and native files that have changed indicate that a ransomware program is running on the computer, the ransomware program is suspended and reported. If a command indicates that the ransomware program is not ransomware, execution of the program is resumed.