Ransomware detection in a continuous data protection environment

US10409986B1 · US · B1

Patent metadata
  Field               Value
  Publication number  US-10409986-B1
  Application number  US-201615275768-A
  Country             US
  Kind code           B1
  Filing date         Sep 26, 2016
  Priority date       Sep 26, 2016
  Publication date    Sep 10, 2019
  Grant date          Sep 10, 2019

Abstract

Official abstract text for this publication.

A computer program product, system, and method for generating coded fragments comprises intercepting, at a splitter, a write request from a host to storage, the write request comprising write data; sending the write request to a data protection appliance (DPA); calculating a probability of ransomware within the host; if the probability of ransomware is less than or equal to a first threshold, sending an acknowledgement (ACK) to the splitter; if the probability of ransomware is greater than a first threshold value and less than or equal to a second threshold value, creating a bookmark and sending an ACK to the splitter; and if the probability of ransomware is greater than the second threshold value, sending a delayed ACK to the splitter.

First claim

Opening claim text (preview).

What is claimed is:

1. A method for use in a storage system comprising: intercepting a write request from a host to the storage system, the write request comprising write data; adding the write data to a list of recent write data and determining a probability that the write data is actually encrypted by calculating an entropy over the list of recent write data; calculating a probability of ransomware within the host based upon the probability that the write data is actually encrypted; if the probability of ransomware is less than or equal to a first threshold, sending an acknowledgement (ACK) without delay from the storage system to the host; if the probability of ransomware is greater than a first threshold value and less than or equal to a second threshold value, creating a bookmark that is associated with a point in time corresponding to the data, storing the bookmark in the storage system, and sending an ACK without delay from the storage system to the host; and if the probability of ransomware is greater than the second threshold value, sending a delayed ACK from the storage system to the host.

2. The method of claim 1 wherein intercepting the write request from a host to storage comprises intercepting the write request at a splitter, the method further comprising: sending the write request from the splitter to a data protection appliance (DPA), wherein sending an acknowledgement (ACK) comprises sending an acknowledgement (ACK) from the DPA to the splitter.

3. The method of claim 2 further comprising: sending the write request to the storage after the splitter receives an ACK from the DPA.

4. The method of claim 1 further comprising: if the probability of ransomware is greater than the second threshold value, notifying a user of suspected ransomware.

5. The method of claim 1 wherein determining a probability that the write data is actually encrypted comprises calculating an entropy of the write data.

6. The method of claim 1 wherein determining the probability that the write data is expected to be encrypted comprises determining a percentage of the storage that is encrypted.

7. The method of claim 1 wherein the write request further comprises an offset within the storage, wherein determining the probability that the write data is expected to be encrypted comprises determining whether encrypted data was previously written to the offset within the storage.

8. The method of claim 1 wherein determining the probability that the write data is expected to be encrypted comprises determining one or more applications running on the host.

9. A system comprising: one or more processors; a volatile memory; and a non-volatile memory storing computer program code that when executed on the processor causes execution across the one or more processors of a process operable to perform the operations of: intercepting a write request from a host to a storage system, the write request comprising write data; adding the write data to a list of recent write data and determining a probability that the write data is actually encrypted by calculating an entropy over the list of recent write data; calculating a probability of ransomware within the host based upon the probability that the write data is actually encrypted; if the probability of ransomware is less than or equal to a first threshold, sending an acknowledgement (ACK) to the host; if the probability of ransomware is greater than a first threshold value and less than or equal to a second threshold value, creating a bookmark that is associated with a point in time corresponding to the data, storing the bookmark in the storage system, and sending an ACK to the host; and if the probability of ransomware is greater than the second threshold value, sending a delayed ACK to the host.

10. The system of claim 9 wherein the computer program code causes execution of a process further operable to perform the operations of: if the probability of ransomware is greater than the second threshold value, notifying a user of suspected ransomware.

11. The system of claim 9 wherein determining a probability that the write data is actually encrypted comprises calculating an entropy of the write data.

12. The system of claim 9 wherein determining the probability that the write data is expected to be encrypted comprises determining a percentage of the storage that is encrypted.

13. The system of claim 9 wherein the write request further comprises an offset within the storage, wherein determining the probability that the write data is expected to be encrypted comprises determining whether encrypted data was previously written to the offset within the storage.

14. The system of claim 9 wherein determining the probability that the write data is expected to be encrypted comprises determining one or more applications running on the host.

15. A computer program product tangibly embodied in a non-transitory computer-readable medium, the computer-readable medium storing program instructions that are executable to: intercept a write request from a host to a storage system, the write request comprising write data; add the write data to a list of recent write data and determine a probability that the write data is actually encrypted by calculating an entropy over the list of recent write data; calculate a probability of ransomware within the host based upon the probability that the write data is actually encrypted; if the probability of ransomware is less than or equal to a first threshold, send an acknowledgement (ACK) to the host; if the probability of ransomware is greater than a first threshold value and less than or equal to a second threshold value, create a bookmark that is associated with a point in time corresponding to the data, store the bookmark in the storage system, and send an ACK to the host; and if the probability of ransomware is greater than the second threshold value, send a delayed ACK to the host.
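The three-tier decision of claims 1 to 4 (ACK at once, ACK plus bookmark, delayed ACK plus user notification) together with the "previously encrypted offset" discount of claim 7, worked through as an added Python example. This is illustrative code written for this page, not the patent's or EMC's implementation. Everything numeric is an assumption the patent does not fix: the thresholds 0.3 and 0.85, the mapping from window entropy to a probability, the two-write window, the 0.5 discount for an offset that already held ciphertext, the 7.5-bit per-write cutoff, and the constructed sample writes (a repeated sentence for plaintext, seeded pseudo-random bytes standing in for ciphertext).

```python
"""Three-tier ransomware scoring on a write-intercept path.

Added example, not the patent's code.  All constants below are assumptions.
"""
import math
import random
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Decision:
    action: str            # "ack", "bookmark" or "delay"
    p_encrypted: float     # probability the recent write data is ciphertext
    p_ransomware: float    # probability of ransomware within the host
    window_entropy: float  # Shannon entropy (bits/byte) over recent write data
    notify_user: bool      # claim 4: alert only on the top tier
    ack_delay_seconds: float


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty/constant data, 8.0 at most."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


class RansomwareScorer:
    """Scores each intercepted write and picks the ACK behaviour (claims 1-4, 7)."""

    # Assumed values; the patent names the thresholds but gives no figures.
    def __init__(self, first_threshold=0.3, second_threshold=0.85,
                 recent_writes=2, delayed_ack_seconds=5.0):
        self.first = first_threshold
        self.second = second_threshold
        self.recent = deque(maxlen=recent_writes)  # the "list of recent write data"
        self.encrypted_offsets = set()             # offsets that already received ciphertext
        self.bookmarks = []                        # (write sequence number, offset)
        self.delay = delayed_ack_seconds
        self.seq = 0

    def intercept_write(self, offset: int, data: bytes) -> Decision:
        self.seq += 1
        self.recent.append(data)
        h = shannon_entropy(b"".join(self.recent))
        # Assumed mapping: windows under 4 bits/byte look like plaintext (0.0),
        # windows at 8 bits/byte look like ciphertext (1.0).
        p_encrypted = min(1.0, max(0.0, (h - 4.0) / 4.0))
        # Claim 7: ciphertext landing where ciphertext already lived is less
        # surprising.  Assumed discount of 0.5 on the probability.
        expected = 0.5 if offset in self.encrypted_offsets else 0.0
        p_ransomware = p_encrypted * (1.0 - expected)
        # Remember offsets whose individual write looks encrypted (assumed 7.5-bit cutoff),
        # after scoring, so the first ciphertext write to a plaintext region is not discounted.
        if shannon_entropy(data) > 7.5:
            self.encrypted_offsets.add(offset)
        if p_ransomware <= self.first:
            return Decision("ack", p_encrypted, p_ransomware, h, False, 0.0)
        if p_ransomware <= self.second:
            self.bookmarks.append((self.seq, offset))   # point in time to roll back to
            return Decision("bookmark", p_encrypted, p_ransomware, h, False, 0.0)
        return Decision("delay", p_encrypted, p_ransomware, h, True, self.delay)


def run_demo() -> list:
    """Constructed scenario: plaintext writes, then ciphertext overwriting them."""
    sentence = b"the quick brown fox jumps over the lazy dog. "
    plaintext = (sentence * 200)[:8192]            # about 4.4 bits/byte
    rng = random.Random(2016)                      # seeded so the run is reproducible

    def ciphertext() -> bytes:                     # stand-in for encrypted output
        return bytes(rng.getrandbits(8) for _ in range(8192))

    scorer = RansomwareScorer()
    writes = [
        (0,    plaintext),     # ordinary activity
        (8192, plaintext),
        (0,    ciphertext()),  # a plaintext region is overwritten with ciphertext
        (8192, ciphertext()),  # the whole recent window is now ciphertext
        (0,    ciphertext()),  # offset 0 already held ciphertext: discounted
    ]
    actions = []
    for offset, data in writes:
        d = scorer.intercept_write(offset, data)
        print(f"offset={offset:5d} H={d.window_entropy:.2f} "
              f"p_rw={d.p_ransomware:.2f} -> {d.action} (delay {d.ack_delay_seconds}s)")
        actions.append(d.action)
    return actions


if __name__ == "__main__":
    run_demo()
```

The run prints ack, ack, bookmark, delay, bookmark: the first ciphertext write onto a plaintext region only earns a bookmark, a window made entirely of ciphertext triggers the delayed ACK and the alert, and a rewrite of an offset that already held ciphertext drops back to the middle tier. The delayed ACK is represented as a value the caller can act on rather than a sleep inside the scorer, so the same logic can sit on a DPA that answers a splitter.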

Assignees

  • EMC IP Holding Co LLC

Inventors

Classifications

  • Computer malware detection or handling, e.g. anti-virus arrangements · CPC title

  • G06F21/554 (primary): involving event detection and direct action · CPC title

  • Encrypted data · CPC title

  • Security improvement · CPC title

  • by using cryptography (for digital transmission H04L9/00) · CPC title

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

Who is the assignee on this patent?
EMC IP Holding Co LLC
What technology area does this patent fall under?
Primary CPC classification G06F21/554. Mapped technology areas include Physics.
When was this patent published?
Publication date Sep 10, 2019 (kind code B1). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 12 related publications on this page (citations in our corpus or others sharing the same primary CPC).