US Patent 10503897 Detecting and stopping ransomware

Techniques of operating a computer involve providing controls to an OS that monitor a rate at which commands in an operating system are performed. Along these lines, ransomware performs the OS commands it needs to control access to data files on a computer by performing those commands rapidly. In many cases, such rapid sequences of commands, e.g., read-copy-encrypt-delete, are performed much more rapidly than would be done by a typical user. Accordingly, the OS is then provided the capacity to monitor, e.g., a number of specified command sequences (e.g., read-copy-encrypt-delete) within some specified period of time (e.g., a minute, 5 minutes, an hour, or greater or less). If the number is greater than some threshold number, then the computer may take a remedial action such as issuing an alert to the user and/or limiting the rate at which the commands may be performed.