US Patent 10554688 Ransomware locked data decryption through ransomware key transposition

Traffic into and out of an organization-level network is monitored. A request for an encryption key from ransomware infecting a computer in the organization-level network to a remote command and control server is detected. A simulated reply to the ransomware is generated. A known encryption key for which the corresponding decryption key is also known is substituted for the encryption key supplied by the C&C server. The simulated reply containing the substituted known key is then supplied to the ransomware, such that the ransomware uses the known encryption key to encrypt files accessible from the computing device, and requests payment in order to provide a decryption key. Instead of paying the ransom, the encrypted files are decrypted using the known decryption key corresponding to the known encryption key which was provided to the ransomware.