Elevated security execution mode for network-accessible devices
US-2024411878-A1 · Dec 12, 2024 · US
US10122752B1 · US · B1
| Field | Value |
|---|---|
| Publication number | US-10122752-B1 |
| Application number | US-201615179508-A |
| Country | US |
| Kind code | B1 |
| Filing date | Jun 10, 2016 |
| Priority date | Jun 10, 2016 |
| Publication date | Nov 6, 2018 |
| Grant date | Nov 6, 2018 |
Official abstract text for this publication.
Embodiments perform detection and prevention of unauthorized access to files in a target folder. A filter driver, interfacing with a target folder, intercepts a first request from a process to access a file in the target folder. The filter driver returns a virtual file, along with the existing files, to the process. Upon receiving a second request from the process to write to the virtual file, the filter driver designates the process as a hostile process and prevents further access attempts.
Opening claim text (preview).
We claim:
1. A method for preventing unauthorized file access, the method comprising: heuristically analyzing an attack to identify an access pattern, the access pattern comprising a sort method and a first attacked position; intercepting a first request from a process to access a target folder; in response to intercepting the first request, creating a virtual file; compiling a set of files from the target folder based on the intercepted first request; sorting the compiled set of files in accordance with the sort method; placing the virtual file in the first attacked position in the set; returning the sorted, compiled set of files to the process; and upon receiving a second request from the process to alter the virtual file, designating the process as a hostile process.
2. The method of claim 1, wherein designating the process as a hostile process comprises locking one or more files for read-only access by the process.
3. The method of claim 1, further comprising accessing a policy comprising instructions to be executed upon designating the process as the hostile process.
4. The method of claim 3, wherein the policy instructs a filter driver to perform actions selected from a group consisting of suspending input/output (I/O) operations to the target folder, suspending I/O operations to a plurality of target folders accessible by the filter driver, suspending I/O operations to the set of files, notifying administrator of the detection of the hostile process, powering-down a host computing device associated with the filter driver, terminating a network connection associated with the system, and suspending a virtual machine associated with the filter driver.
5. The method of claim 1, wherein placing the virtual file in the first attacked position comprises placing the virtual file first in the set.
6. The method of claim 5, wherein the created virtual file is hidden from a user.
7. The method of claim 1 further comprises presenting a name and a size for the virtual file, and wherein the size is generated by applying an algorithm to the name.
8. The method of claim 5, wherein the method further comprises storing the name for the duration of a session with the process.
9. A system, comprising: a processor; and a non-transitory computer readable medium having stored thereon program code for transferring data to another computer system, the program code causing the processor to: heuristically analyze an attack to identify an access pattern, the access pattern comprising a sort method and a first attacked position; intercept a first request from a process to access a target folder containing at least one file; in response to intercepting the first request, create a virtual file; compile a set of files from the target folder based on the intercepted first request; sort the compiled set of files in accordance with the sort method place the virtual file in the first attacked position in the set; return the sorted, compiled set of files to the process; and upon receiving a second request from the process to access the virtual file, designate the process as a hostile process.
10. The system of claim 9, wherein the memory area further stores an authorized process list comprising at least one process identified as not hostile.
11. The system of claim 10, wherein the program code further causes the processor to: compare the process to the authorized process list; and if the process is located on the authorized process list, allow the process to access the target folder without designating the process as the hostile process.
12. The system of claim 9, further comprising a plurality of host computing devices associated with the system, and wherein the program code further causes the processor to issue an alert to the plurality of host computing devices associated with the system.
13. The system of claim 12, wherein the program code further causes the processor to: receive an alert from at least one of the plurality of host computing devices, the alert identifying the hostile process; and based on the received alert, lock the target folder from access by the hostile process.
14. The system of claim 9, wherein placing the created virtual file in the first attacked position comprises placing the created virtual file first in the set.
15. The system of claim 9, wherein the created virtual file is hidden from a user.
16. The system of claim 9, wherein the program code further causes the processor to access a policy comprising instructions to be executed upon designating the process as the hostile process.
17. A non-transitory computer readable storage medium having stored thereon program code executable by a first computer system at a first site, the program code embodying a method comprising: heuristically analyzing an attack to identify an access pattern, the access pattern comprising a sort method and a first attacked position; intercepting a first request from a process to access a target folder; in response to intercepting the first request, creating a virtual file; compiling a set of files from the target folder based on the intercepted first request; sorting the compiled set of files in accordance with the sort method placing the virtual file in the first attacked position in the set; returning the sorted, compiled set of files to the process; and upon receiving a second request from the process to access the virtual file, designating the process as a hostile process.
18. The non-transitory computer-readable storage media of claim 17, wherein creating the virtual file comprises creating the virtual file once per target folder per a targeted file type.
19. The non-transitory computer-readable storage media of claim 17, wherein the created virtual file is hidden from a user.
20. The non-transitory computer-readable storage media of claim 17, wherein issuing the alert comprises notifying a computing device across a network.
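The decoy-file flow of claim 1 (with the read-only lock of claim 2, the name-derived size of claim 7 and the authorized process list of claims 10-11) can be modelled in user space as below. This is an added illustration, not code from the patent or its assignee; `DecoyFilter`, `DECOY_NAME`, the SHA-256 size rule and the string process ids are assumptions made for the sketch, and a real implementation would sit in a file-system filter driver.

```python
import hashlib

DECOY_NAME = "~0000_index.docx"  # constructed decoy name (hypothetical)

class DecoyFilter:
    """User-space model of the claimed filter-driver logic; not kernel code."""

    def __init__(self, files, sort_key=str.lower, attacked_position=0, authorized=()):
        self.files = dict(files)            # real files: name -> size
        self.sort_key = sort_key            # sort method from the analysed access pattern
        self.position = attacked_position   # first attacked position (0 = first in set)
        self.authorized = set(authorized)   # authorized process list (claims 10-11)
        self.session_decoy = {}             # pid -> decoy name kept for the session
        self.hostile = set()

    @staticmethod
    def decoy_size(name):
        # Claim 7: the presented size is derived from the name, so it stays stable
        digest = hashlib.sha256(name.encode()).digest()
        return 4096 + int.from_bytes(digest[:2], "big")

    def list_folder(self, pid):
        """First request: return the sorted set with the virtual file inserted."""
        listing = sorted(self.files.items(), key=lambda kv: self.sort_key(kv[0]))
        if pid in self.authorized:
            return listing                  # trusted processes see only real files
        name = self.session_decoy.setdefault(pid, DECOY_NAME)
        listing.insert(self.position, (name, self.decoy_size(name)))
        return listing

    def write(self, pid, name, size):
        """Second request: a write to the virtual file marks the process hostile."""
        if pid in self.hostile:
            return "denied"                 # claim 2: files are read-only for it
        if name == self.session_decoy.get(pid):
            self.hostile.add(pid)
            return "hostile"
        self.files[name] = size
        return "ok"

def demo():
    # Constructed sample folder and process ids
    f = DecoyFilter({"b.docx": 10, "a.docx": 20}, authorized={"backup"})
    first = f.list_folder("p1")[0][0]
    return [first, f.write("p1", "a.docx", 5), f.write("p1", first, 1),
            f.write("p1", "b.docx", 0), f.files["b.docx"]]
```
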
Countermeasures against malicious traffic (countermeasures against attacks on cryptographic mechanisms H04L9/002) · CPC title
Event detection, e.g. attack signature detection · CPC title
Physics · mapped topic