Methods and systems for detecting a ransomware attack using entropy analysis and file update patterns

US2020387609A1 · US · A1

Patent metadata

Publication number: US-2020387609-A1
Application number: US-201916431188-A
Country: US
Kind code: A1
Filing date: Jun 4, 2019
Priority date: Jun 4, 2019
Publication date: Dec 10, 2020
Grant date: (none listed)

Abstract

Official abstract text for this publication.

This disclosure and the exemplary embodiments described herein provide methods and systems for detecting a ransomware infection in one or more files. According to an exemplary embodiment, a low frequency encryption analysis and a high frequency encryption analysis of a plurality of received files are performed to determine if one or more of the files are encrypted. If a file is encrypted, a watcher is utilized to monitor file events associated with the files for determining if one or more of the files are infected with ransomware.

First claim

Opening claim text (preview).

What is claimed is:

1. A processor implemented method for detecting a ransomware infection in a plurality of files received by a device operatively associated with a file synchronization and sharing network, each file including a plurality of sequential bytes of digital information, the method comprising: a) determining a value-count of byte values included in a file section associated with a received file, the value-count including a count of byte value occurrences of the byte values included in the file section; b) performing a low frequency analysis of the file section to determine if the file section is low frequency encrypted, the low frequency analysis including b1) calculating one or both of a low frequency entropy value associated with the file section and a low frequency average value of substantially all byte values associated with the file section, the low frequency entropy value associated with the count of byte value occurrences of the byte values included in the file section, and b2) comparing one or both of the calculated low frequency entropy value to a low frequency entropy threshold value and the calculated low frequency average value of substantially all byte values to a low frequency average value range threshold to determine if the received file is low frequency encrypted; c) performing a high frequency analysis of the file section to determine if the file section is high frequency encrypted, the high frequency analysis including c1) calculating one or both of a high frequency entropy value associated with the file section and a high frequency high-low probability ratio value associated with the file section, the high frequency entropy value associated with a plurality of subsection entropy values where each subsection entropy value is calculated for one of a plurality of consecutive subsections of bytes included in the file section, and the high frequency high-low probability ratio is calculated by dividing a high probability measure of a byte value by a low probability measure of a byte value included in the file section, and c2) comparing one or both of the calculated high frequency entropy value to a high frequency entropy threshold value and the calculated high frequency high-low probability ratio to a high frequency high-low probability threshold to determine if the received file is high frequency encrypted; d) if the file section is low frequency encrypted and high frequency encrypted, setting an encryption status condition associated with the received file to indicate the received file is encrypted; and e) if the received file encryption status condition indicates the received file is encrypted, utilizing a watcher to monitor file events associated with the plurality of files received by the device associated with the file synchronization and sharing network to determine if one or more of the plurality of files are ransomware infected.

2. The processor implemented method for detecting a ransomware infection in a plurality of files according to claim 1, wherein the value-count includes a total number of byte value occurrences in the file section for each possible byte value, and a)-d) are repeated for each of the plurality of files received by the device associated with the file synchronization and sharing network.

3. The processor implemented method for detecting a ransomware infection in a plurality of files according to claim 1, further comprising: setting the encryption status condition as true if one or both of a) the calculated low frequency entropy value is greater than or equal to the low frequency entropy threshold value indicating low frequency encryption of the received file, and b) the calculated low frequency average value of substantially all byte values is outside the low frequency average value range threshold indicating low frequency encryption of the received file, and one or both of c) the calculated high frequency entropy value is greater than or equal to the high frequency entropy threshold value indicating high frequency encryption of the received file and d) the calculated high frequency high-low probability ratio value is less than or equal to the high frequency high-low probability threshold value indicating high frequency encryption of the received file.

4. The processor implemented method for detecting a ransomware infection in a plurality of files according to claim 1, wherein the low frequency analysis of the file section b1) calculates the low frequency entropy value associated with the file section and calculates the low frequency average value of substantially all byte values associated with the file section, and b2) compares the calculated low frequency entropy value to the low frequency entropy threshold value and compares the calculated low frequency average value of substantially all byte values to the low frequency average value range threshold to determine if the received file is low frequency encrypted.

5. The processor implemented method for detecting a ransomware infection in a plurality of files according to claim 1, wherein the high frequency analysis of the file section c1a) calculates a high frequency entropy value for each of one or more of the plurality of subsections of bytes, c1b) calculates a high frequency average entropy value of the one or more plurality of subsection bytes, and c1c) determines a low calculated high frequency entropy value of the one or more plurality of subsection bytes, and c2a) compares the calculated high frequency average entropy value of the one or more plurality of subsection bytes to a high frequency entropy average threshold, c2b) compares the low calculated high frequency entropy value of the one or more plurality of subsection bytes to a high frequency entropy minimum threshold and c2c) compares the calculated high frequency high-low probability ratio value to a high frequency high-low probability threshold value to determine if the received file is high frequency encrypted.

6. The processor implemented method for detecting a ransomware infection in a plurality of files according to claim 1, wherein the low frequency analysis of the file section b1) calculates the low frequency entropy value associated with the file section and calculates the low frequency average value of substantially all byte values associated with the file section, and b2) compares the calculated low frequency entropy value to the low frequency entropy threshold value and compares the calculated low frequency average value of substantially all byte values to the low frequency average value range threshold to determine if the received file is low frequency encrypted, and wherein the high frequency analysis of the file section c1a) calculates a high frequency entropy value for each of one or more of the plurality of subsections of bytes, c1b) calculates a high frequency average entropy value of the one or more plurality of subsection bytes, and c1c) determines a low calculated high frequency entropy value of the one or more plurality of subsection bytes, and c2a) compares the calculated high frequency average entropy value of the one or more plurality of subsection bytes to a high frequency entropy average threshold, c2b) compares the low calculated high frequency entropy value of the one or more plurality of subsection bytes to a high frequency entropy minimum threshold and c2c) compares the calculated high frequency high-low probability ratio value to a high frequency high-low probability threshold value to determine if the received file is high frequency encrypted.

7. The processor implemented method for detecting a ransomware infection in a plurality of files according to claim 6, wherein the low frequency entropy threshold value is 7.92, the low frequency average value range threshold
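As an added worked example, not code from the patent or from the assignee, the following Python carries the steps a) to d) of claim 1 through on a constructed pseudo-random section (standing in for ciphertext) and a constructed text section, using the "one or both" logic of claim 3 and the average/minimum subsection entropies of claim 5. Only the 7.92 low frequency entropy threshold comes from the page (claim 7); the plaintext average range, the high frequency thresholds and the 8192-byte subsection size are assumed placeholders, and the watcher of step e) is not shown.

```python
import math
import random
from collections import Counter

# Thresholds. 7.92 is the low-frequency entropy threshold recited in claim 7; every other
# value below is an assumed placeholder for illustration, not a figure from the patent.
LOW_ENTROPY_THRESHOLD = 7.92
LOW_AVG_PLAINTEXT_RANGE = (60.0, 115.0)  # assumed range of mean byte values for ordinary text
HIGH_AVG_ENTROPY_THRESHOLD = 7.95        # assumed
HIGH_MIN_ENTROPY_THRESHOLD = 7.90        # assumed
HIGH_LOW_RATIO_THRESHOLD = 2.0           # assumed; near-uniform data gives a ratio close to 1
SUBSECTION_SIZE = 8192                   # assumed subsection length for the high-frequency pass

def byte_value_count(section: bytes) -> Counter:
    """Step a): count how often each byte value occurs in the file section."""
    return Counter(section)

def shannon_entropy(counts: Counter, total: int) -> float:
    """Entropy in bits of the byte-value histogram; 8.0 is the maximum for bytes."""
    return -sum((c / total) * math.log2(c / total) for c in counts.values() if c)

def low_frequency_encrypted(section: bytes) -> bool:
    """Step b): whole-section entropy and mean byte value; either test suffices (claim 3)."""
    entropy = shannon_entropy(byte_value_count(section), len(section))
    average = sum(section) / len(section)
    outside_range = not (LOW_AVG_PLAINTEXT_RANGE[0] <= average <= LOW_AVG_PLAINTEXT_RANGE[1])
    return entropy >= LOW_ENTROPY_THRESHOLD or outside_range

def high_frequency_encrypted(section: bytes) -> bool:
    """Step c): per-subsection entropy (average and minimum, claim 5) and the high-low ratio."""
    chunks = [section[i:i + SUBSECTION_SIZE] for i in range(0, len(section), SUBSECTION_SIZE)]
    entropies = [shannon_entropy(byte_value_count(c), len(c)) for c in chunks]
    entropy_ok = (sum(entropies) / len(entropies) >= HIGH_AVG_ENTROPY_THRESHOLD
                  and min(entropies) >= HIGH_MIN_ENTROPY_THRESHOLD)
    counts = byte_value_count(section)
    low = min(counts.get(v, 0) for v in range(256))  # a byte value never seen gives a count of 0
    ratio = counts.most_common(1)[0][1] / low if low else math.inf
    return entropy_ok or ratio <= HIGH_LOW_RATIO_THRESHOLD

def encryption_status(section: bytes) -> bool:
    """Step d): flag the file as encrypted only when both analyses agree."""
    return low_frequency_encrypted(section) and high_frequency_encrypted(section)

def sample_sections() -> dict:
    """Constructed inputs: seeded pseudo-random bytes standing in for ciphertext, and repeated text."""
    rng = random.Random(2024)
    ciphertext_like = bytes(rng.getrandbits(8) for _ in range(16 * SUBSECTION_SIZE))
    plaintext = b"Quarterly report: revenue grew while costs were held flat. " * 2200
    return {"ciphertext_like": ciphertext_like, "plaintext": plaintext}
```

Compressed or legitimately encrypted files score much like the pseudo-random section here, which is why the claim only uses the encryption status to arm the watcher of step e) rather than as an infection verdict by itself.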

Assignees

Datto Inc

Inventors

Classifications

  • G06F21/552 (Primary): involving long-term monitoring or reporting · CPC title
  • involving event detection and direct action · CPC title
  • G06F21/565 (Primary): by checking file integrity · CPC title
  • Test or assess a computer or a system · CPC title

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

Who is the assignee on this patent?
Datto Inc
What technology area does this patent fall under?
Primary CPC classification G06F21/552. Mapped technology areas include Physics.
When was this patent published?
Publication date Dec 10, 2020 (A1). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 8 related publications on this page (citations in our corpus or others sharing the same primary CPC).