Reversing symmetric encryptions using keys found in snapshots—per-file keys, hashes of hashes

US12526152B2 · US · B2

Patent metadata
Publication number: US-12526152-B2
Application number: US-202318299373-A
Country: US
Kind code: B2
Filing date: Apr 12, 2023
Priority date: Apr 12, 2023
Publication date: Jan 13, 2026
Grant date: Jan 13, 2026

Abstract

One example method includes taking snapshots of a ransomware process, obtaining, from the snapshots, a key sequence that comprises a subset of keys used by the ransomware process to encrypt data, hashing one of the keys of the subset of keys to generate a hash, and when the hash matches one of the keys in the subset of keys, using the hash to deduce other keys used by the ransomware process and not already included in the subset of keys.

First claim

What is claimed is:

1. A method, comprising: taking snapshots of a ransomware process which employs a deterministic key generation process in which, as between a first key and a subsequent key, the subsequent key is generated by hashing the first key either together with a salt, or without a salt; obtaining, from the snapshots, a key sequence that comprises a subset of keys used by the ransomware process to encrypt data, and the subset includes some, but not all, of the keys used by the ransomware process to encrypt data; hashing one of the keys of the subset of keys to generate a hash; and when the hash matches one of the keys in the subset of keys, using the hash to deduce other keys used by the ransomware process but not present in the subset of keys.

2. The method as recited in claim 1, wherein the hashing comprises hashing a salt together with the one key to generate the hash, and the salt is obtained from one of the snapshots.

3. The method as recited in claim 1, wherein each of the snapshots corresponds to a respective period of time during which the ransomware process is running.

4. The method as recited in claim 1, wherein encryption of the data by the ransomware process comprises a symmetric encryption process.

5. The method as recited in claim 1, wherein encryption of the data by the ransomware process comprises application of the keys to the data on a per-file basis.

6. The method as recited in claim 1, wherein each of the keys in the key sequence comprises a hash of another key.

7. The method as recited in claim 1, wherein the hashing comprises using a hashing method known, or suspected, to be used by the ransomware process for generating the keys.

8. The method as recited in claim 1, wherein the keys in the key sequence are arranged, in the key sequence, in an order in which the keys were generated by the ransomware process.

9. The method as recited in claim 1, wherein the key that matches the hash is an original, or intermediate, key used by the ransomware process.

10. A non-transitory storage medium having stored therein instructions that are executable by one or more hardware processors to perform operations comprising: taking snapshots of a ransomware process which employs a deterministic key generation process in which, as between a first key and a subsequent key, the subsequent key is generated by hashing the first key either together with a salt, or without a salt; obtaining, from the snapshots, a key sequence that comprises a subset of keys used by the ransomware process to encrypt data, and the subset includes some, but not all, of the keys used by the ransomware process to encrypt data; hashing one of the keys of the subset of keys to generate a hash; and when the hash matches one of the keys in the subset of keys, using the hash to deduce other keys used by the ransomware process but not present in the subset of keys.

11. The non-transitory storage medium as recited in claim 10, wherein the hashing comprises hashing a salt together with the one key to generate the hash, and the salt is obtained from one of the snapshots.

12. The non-transitory storage medium as recited in claim 10, wherein each of the snapshots corresponds to a respective period of time during which the ransomware process is running.

13. The non-transitory storage medium as recited in claim 10, wherein encryption of the data by the ransomware process comprises a symmetric encryption process.

14. The non-transitory storage medium as recited in claim 10, wherein encryption of the data by the ransomware process comprises application of the keys to the data on a per-file basis.

15. The non-transitory storage medium as recited in claim 10, wherein each of the keys in the key sequence comprises a hash of another key.

16. The non-transitory storage medium as recited in claim 10, wherein the hashing comprises using a hashing process known, or suspected, to be used by the ransomware process for generating the keys.

17. The non-transitory storage medium as recited in claim 10, wherein the keys in the key sequence are arranged, in the key sequence, in an order in which the keys were generated by the ransomware process.

18. The non-transitory storage medium as recited in claim 10, wherein the key that matches the hash is an original, or intermediate, key used by the ransomware process.
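
The recovery step in claims 1, 2, 7 and 8, sketched as an added example (not code from the patent or its assignee): candidate hash functions and salts are tried until hashing one snapshot key reproduces another, then the confirmed function is walked forward to fill in keys the snapshots missed. It generalizes the single-hash match to keys several steps apart; the function names, the `salt || key` concatenation order, the candidate algorithm list and all sample values are assumptions.

```python
import hashlib
from itertools import product

def derive(key, salt, algo):
    """One chain step: next_key = H(salt || key). Empty salt = unsalted case."""
    return hashlib.new(algo, salt + key).digest()

def find_link(keys, salts=(b"",), algos=("sha256", "sha512", "sha3_256"), max_gap=64):
    """Return (algo, salt, i, j, gap) such that hashing keys[i] `gap` times
    yields keys[j], or None if no candidate hash/salt links two recovered keys."""
    index = {k: n for n, k in enumerate(keys)}
    for algo, salt in product(algos, salts):
        for i, k in enumerate(keys):
            for gap in range(1, max_gap + 1):
                k = derive(k, salt, algo)
                if index.get(k, i) != i:
                    return algo, salt, i, index[k], gap
    return None

def fill_chain(keys, algo, salt, extra=0, max_steps=10_000):
    """Walk forward from the earliest recovered key (keys are in generation
    order) until every recovered key is seen, then `extra` more steps.
    Returns (chain, deduced); deduced = keys never present in a snapshot."""
    known, k = set(keys), keys[0]
    chain, remaining = [k], set(keys[1:])
    for _ in range(max_steps):
        if not remaining and extra <= 0:
            return chain, [c for c in chain if c not in known]
        k = derive(k, salt, algo)
        chain.append(k)
        if remaining:
            remaining.discard(k)
        else:
            extra -= 1
    raise ValueError("recovered keys are not on one chain for this hash/salt")

# Constructed sample: an 8-key chain; snapshots caught only keys 1, 2 and 5.
SALT = b"constructed-salt"
FULL = [hashlib.sha256(b"constructed seed").digest()]
for _ in range(7):
    FULL.append(derive(FULL[-1], SALT, "sha256"))
SNAPSHOT_KEYS = [FULL[1], FULL[2], FULL[5]]

if __name__ == "__main__":
    algo, salt, i, j, gap = find_link(SNAPSHOT_KEYS, salts=(b"", SALT))
    chain, deduced = fill_chain(SNAPSHOT_KEYS, algo, salt, extra=2)
    print(algo, f"keys[{i}] -> keys[{j}] in {gap} step(s);", len(deduced), "keys deduced")
```

The walk only runs forward: keys generated before the earliest snapshot key cannot be derived this way, because the hash is one-way.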

Classifications

  • Generation of secret information including derivation or calculation of cryptographic keys or passwords

  • Computer malware detection or handling, e.g. anti-virus arrangements

  • H04L9/3242 (Primary): involving keyed hash functions, e.g. message authentication codes [MACs], CBC-MAC or HMAC

  • Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities

  • G06F21/568 (Primary): eliminating virus, restoring damaged files

Frequently asked questions

Answers are generated from the same data shown on this page.

Who is the assignee on this patent?
Dell Products Lp
What technology area does this patent fall under?
Primary CPC classification H04L9/3242. Mapped technology areas include Electricity.
When was this patent published?
Publication date Jan 13, 2026 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 5 related publications on this page (citations in our corpus or others sharing the same primary CPC).