US2025021648A1 · US · A1
| Field | Value |
|---|---|
| Publication number | US-2025021648-A1 |
| Application number | US-202418898976-A |
| Country | US |
| Kind code | A1 |
| Filing date | Sep 27, 2024 |
| Priority date | Mar 29, 2022 |
| Publication date | Jan 16, 2025 |
| Grant date | — |
Abstract
Embodiments of this application provide a method for detecting ransomware, a related system, and a storage medium. The method includes: obtaining a partial feature of a target file based on preset data in the target file, where the partial feature includes a partial incremental entropy and/or partial histogram statistical data; determining, based on the partial feature of the target file, whether the target file is an encrypted file; and determining, if the target file is the encrypted file, that the target file is attacked by the ransomware. The method can increase file detection efficiency and accuracy.
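The abstract and claims 1 and 2 describe the check in words only: sample "preset data" from the file, compute a partial incremental entropy and/or byte-histogram statistic, and call the file encrypted if the numbers look like ciphertext. The following Python is an added example written for this page, not code from the patent or its assignee. It samples three fixed windows (head, middle, tail), measures Shannon entropy per window, the largest entropy jump between windows, and a chi-square distance of the byte histogram from uniform, and gates the check on the claim 2 magic-number/extension correspondence. The window size, the thresholds, the magic-number table, the treatment of extensions with no table entry and the sample files are all assumptions for illustration; the patent gives no concrete values for any of them.

```python
import hashlib
import math
from collections import Counter

# Assumed sampling plan and thresholds (illustrative, not the patent's values).
WINDOW = 4096         # bytes sampled at each preset offset
ENTROPY_MIN = 7.9     # bits/byte; uniform random bytes approach 8.0
INCREMENT_MAX = 0.05  # ciphertext entropy is near-constant between windows
CHI2_MAX = 400.0      # 255 d.o.f.; uniform bytes score about 255, compressed data higher

# Assumed preset magic-number table for the claim 2 pre-check.
MAGIC = {
    "pdf": b"%PDF",
    "png": b"\x89PNG\r\n\x1a\n",
    "zip": b"PK\x03\x04",
    "gz": b"\x1f\x8b",
}


def shannon_entropy(data: bytes) -> float:
    """Entropy of `data` in bits per byte (0.0 for empty input)."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def chi_square_uniform(data: bytes) -> float:
    """Chi-square distance of the byte histogram from a uniform distribution."""
    expected = len(data) / 256
    counts = Counter(data)
    return sum((counts.get(b, 0) - expected) ** 2 / expected for b in range(256))


def sample_windows(data: bytes, window: int = WINDOW) -> list:
    """Preset data: one window each at the head, middle and tail of the file."""
    n = len(data)
    if n <= window:
        return [data]
    offsets = (0, n // 2 - window // 2, n - window)
    return [data[o:o + window] for o in offsets]


def partial_features(data: bytes) -> dict:
    """Partial incremental entropy and histogram statistic over the windows."""
    windows = sample_windows(data)
    entropies = [shannon_entropy(w) for w in windows]
    increments = [abs(b - a) for a, b in zip(entropies, entropies[1:])]
    return {"entropy": entropies,
            "increment": max(increments, default=0.0),
            "chi2": chi_square_uniform(b"".join(windows))}


def looks_encrypted(data: bytes) -> bool:
    """Claim 1 decision: high, flat entropy and a near-uniform histogram."""
    f = partial_features(data)
    return (min(f["entropy"]) >= ENTROPY_MIN
            and f["increment"] <= INCREMENT_MAX
            and f["chi2"] <= CHI2_MAX)


def magic_matches_extension(name: str, data: bytes):
    """Claim 2 pre-check: True/False for extensions in MAGIC, None if unknown."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    magic = MAGIC.get(ext)
    return None if magic is None else data.startswith(magic)


def detect(name: str, data: bytes):
    """Run the partial-feature check when the magic number corresponds to the
    extension (claim 2).  Files with no table entry are also checked; that is
    an assumption, since the claim does not address them.  Returns True
    (attacked), False (clean) or None (not evaluated)."""
    if magic_matches_extension(name, data) is False:
        return None
    return looks_encrypted(data)


def keystream(seed: bytes, n: int) -> bytes:
    """Constructed stand-in for ciphertext: SHA-256 run in counter mode."""
    out = bytearray()
    for ctr in range((n + 31) // 32):
        out += hashlib.sha256(seed + ctr.to_bytes(4, "big")).digest()
    return bytes(out[:n])


# Constructed sample files, not taken from the patent.
PLAIN_PDF = b"%PDF-1.4\n" + b"The quick brown fox jumps over the lazy dog. " * 400
ENCRYPTED_BODY = keystream(b"example-key", len(PLAIN_PDF))

if __name__ == "__main__":
    for name, data in [("report.pdf", PLAIN_PDF), ("report.pdf", ENCRYPTED_BODY),
                       ("report.pdf.locked", ENCRYPTED_BODY)]:
        print(name, detect(name, data), partial_features(data))
```

Two caveats a practitioner should keep in mind. Entropy alone cannot separate ciphertext from compressed data (ZIP, JPEG, video), which is why the histogram statistic is in the decision; the chi-square threshold here is a coarse assumption and would need calibration on the file mix of the environment being protected. And the claim 2 branch as written only triggers the feature check when the magic number corresponds to the extension, so a file whose header was overwritten but whose name was kept is returned as "not evaluated" rather than flagged; the claims say nothing about that case, and the example does not invent a rule for it.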
Claims (preview)

What is claimed is:

1. A method for detecting ransomware, comprising: obtaining a partial feature of a target file based on preset data in the target file, wherein the partial feature comprises a partial incremental entropy and/or partial histogram statistical data; determining, based on the partial feature of the target file, whether the target file is an encrypted file; and determining, if the target file is the encrypted file, that the target file is attacked by the ransomware.

2. The method according to claim 1, wherein the method further comprises: obtaining a magic number and a file name extension of the target file; determining, based on a preset correspondence between the magic number and the file name extension, whether the magic number corresponds to the file name extension in the target file; and triggering, if the magic number corresponds to the file name extension in the target file, the operation of obtaining a partial feature of a target file based on preset data in the target file.

3. The method according to claim 1, wherein the method further comprises: obtaining a plurality of operation records of a plurality of operated files, wherein the plurality of operation records correspond to the plurality of operated files, and each of the plurality of operation records is for recording an operation on an operated file corresponding to the operation record; generating a plurality of operation mode sequences within first preset duration based on the plurality of operation records, wherein the plurality of operation mode sequences correspond to the plurality of operation records; obtaining, one by one from the plurality of operation mode sequences, an operation mode sequence that matches a preset operation mode sequence; and determining, when a quantity of operation mode sequences that match the preset operation mode sequence is greater than a first preset quantity, an operated file corresponding to the operation mode sequence that matches the preset operation mode sequence as the target file.

4. The method according to claim 1, wherein the method further comprises: obtaining a plurality of operation records of a plurality of operated files, and obtaining, based on the plurality of operation records, a same operated file on which a write operation is performed by a same device, wherein the plurality of operation records correspond to the plurality of operated files, and each of the plurality of operation records is for recording an operation on an operated file corresponding to the operation record; successively obtaining a write offset and a write length of the same operated file on which the write operation is performed by the same device; accumulating, if a current write offset is greater than a previous write offset for the same operated file on which the write operation is performed by the same device, a current write length and a previous write length for the same operated file to obtain an accumulated write length value of the same operated file; obtaining a write ratio of the same operated file based on a size of the same operated file and the accumulated write length value; and determining, if the write ratio of the same operated file within second preset duration is not less than a preset write ratio, the same operated file on which the write operation is performed by the same device as the target file.

5. The method according to claim 1, wherein the method further comprises: obtaining a plurality of operation records of a plurality of operated files, and obtaining operated files corresponding to a first operation based on the plurality of operation records, wherein the plurality of operation records correspond to the plurality of operated files, and each of the plurality of operation records is for recording an operation on an operated file corresponding to the operation record; obtaining, one by one from the operated files corresponding to the first operation, an operated file that matches a preset abnormal file name extension; and determining, when a quantity of operated files that match the preset abnormal file name extension is greater than a second preset quantity, the operated file that matches the preset abnormal file name extension as the target file.

6. The method according to claim 1, wherein the method further comprises: obtaining a plurality of operation records of a plurality of operated files, and obtaining an operated file corresponding to a second operation and a third operation based on the plurality of operation records, wherein the plurality of operation records correspond to the plurality of operated files, each of the plurality of operation records is for recording an operation on an operated file corresponding to the operation record, and the second operation and the third operation are operations corresponding to a same operated file; and determining, if a quantity of types of name extensions of operated files corresponding to the second operation is not less than a third preset quantity, a quantity of types of name extensions of operated files corresponding to the third operation is not less than a fourth preset quantity, and the quantity of types of the name extensions of the operated files corresponding to the second operation is greater than the quantity of types of the name extensions of the operated files corresponding to the third operation, the operated file corresponding to the second operation and the third operation as the target file.

7. The method according to claim 1, wherein the method further comprises: sending the target file to a user to determine whether the target file undergoes an encryption operation performed by the user; and sending an alarm prompt if the user does not perform the encryption operation on the target file.

8. An apparatus for detecting ransomware, comprising at least one processor; and a computer-readable storage medium coupled to the at least one processor and storing programming instructions, the programming instructions, when executed by the at least one processor, instruct the at least one processor to perform the following operations: obtaining a partial feature of a target file based on preset data in the target file, wherein the partial feature comprises a partial incremental entropy and/or partial histogram statistical data; determining, based on the partial feature of the target file, whether the target file is an encrypted file; and determining, if the target file is the encrypted file, that the target file is attacked by the ransomware.

9. The apparatus according to claim 8, wherein the at least one processor is further configured to perform the following operations: obtaining a magic number and a file name extension of the target file; determining, based on a preset correspondence between the magic number and the file name extension, whether the magic number corresponds to the file name extension in the target file; and triggering, if the magic number corresponds to the file name extension in the target file, the operation of obtaining a partial feature of a target file based on preset data in the target file.

10. The apparatus according to claim 8, wherein the at least one processor is further configured to perform the following operations: obtaining a plurality of operation records of a plurality of operated files, wherein the plurality of operation records correspond to the plurality of operated files, and each of the plurality of operation records is for recording an operation on an operated file corresponding to the operation record; generating a plurality of operation mode sequences within first preset duration based on the plurality of operation
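Claims 4 and 5 select candidate "target files" from operation records before the entropy check runs: claim 4 accumulates the lengths of writes by one device to one file while the write offset keeps increasing and compares the total with the file size, and claim 5 counts files whose name carries a preset abnormal extension. The Python below is an added example for this page, not the patent's code. The record layout, the preset ratio, the window length, the abnormal-extension list, the count threshold, the choice of "rename" as claim 5's first operation and the trace itself are all assumptions; the claims leave every one of them open. Claim 3's operation mode sequences are not shown because the claim does not say what the preset sequence is.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class OpRecord:
    """One operation record as assumed here (the field set is not the patent's)."""
    ts: float        # seconds since the start of the trace
    device: str      # client that issued the operation
    op: str          # "write", "rename", ...
    path: str        # file the operation was performed on
    size: int = 0    # file size at the time of the record
    offset: int = 0  # write offset (writes only)
    length: int = 0  # write length (writes only)


# Assumed preset values; the patent leaves them unspecified.
WRITE_RATIO_MIN = 0.9                                    # preset write ratio
WINDOW_SECONDS = 60.0                                    # second preset duration
ABNORMAL_EXTS = {"locked", "encrypted", "crypt", "enc"}  # preset abnormal extensions
ABNORMAL_COUNT_MIN = 3                                   # second preset quantity


def write_ratios(records, window=WINDOW_SECONDS) -> dict:
    """Claim 4: for each (device, file) pair, accumulate the lengths of writes
    whose offset keeps increasing within `window` seconds of the first write
    and divide by the file size.  A write that rewinds (offset not greater
    than the previous one) is not added, so random-access edits score low."""
    groups = defaultdict(list)
    for r in records:
        if r.op == "write":
            groups[(r.device, r.path)].append(r)
    ratios = {}
    for key, recs in groups.items():
        recs.sort(key=lambda r: r.ts)
        first, prev, acc = recs[0], recs[0], recs[0].length
        for r in recs[1:]:
            if r.ts - first.ts > window:
                break
            if r.offset > prev.offset:
                acc += r.length
            prev = r
        ratios[key] = acc / recs[-1].size if recs[-1].size else 0.0
    return ratios


def write_ratio_targets(records, ratio_min=WRITE_RATIO_MIN) -> set:
    """Files whose sequential-write ratio reaches the preset ratio."""
    return {path for (_, path), ratio in write_ratios(records).items()
            if ratio >= ratio_min}


def abnormal_extension_targets(records, op="rename",
                               count_min=ABNORMAL_COUNT_MIN) -> set:
    """Claim 5: files produced by the first operation (assumed here to be a
    rename) whose extension is on the preset abnormal list; they become
    targets only once more than `count_min` such files have been seen."""
    hits = {r.path for r in records
            if r.op == op and r.path.rsplit(".", 1)[-1].lower() in ABNORMAL_EXTS}
    return hits if len(hits) > count_min else set()


# Constructed trace (not from the patent): ws-17 rewrites a spreadsheet front to
# back and renames four files to .locked; ws-04 makes two small edits to a note.
RECORDS = [
    OpRecord(0.0, "ws-17", "write", "/share/q3/budget.xlsx", 262144, 0, 65536),
    OpRecord(0.4, "ws-17", "write", "/share/q3/budget.xlsx", 262144, 65536, 65536),
    OpRecord(0.9, "ws-17", "write", "/share/q3/budget.xlsx", 262144, 131072, 65536),
    OpRecord(1.3, "ws-17", "write", "/share/q3/budget.xlsx", 262144, 196608, 65536),
    OpRecord(1.5, "ws-17", "rename", "/share/q3/budget.xlsx.locked"),
    OpRecord(2.0, "ws-17", "rename", "/share/q3/forecast.docx.locked"),
    OpRecord(2.2, "ws-17", "rename", "/share/q3/slides.pptx.locked"),
    OpRecord(2.5, "ws-17", "rename", "/share/q3/notes.txt.locked"),
    OpRecord(3.0, "ws-04", "write", "/share/hr/notes.txt", 40000, 0, 512),
    OpRecord(9.0, "ws-04", "write", "/share/hr/notes.txt", 40000, 0, 128),
]

if __name__ == "__main__":
    print(write_ratios(RECORDS))
    print(write_ratio_targets(RECORDS) | abnormal_extension_targets(RECORDS))
```

Note what these selectors do and do not decide. A legitimate application that saves a document by truncating it and writing it back from offset 0 also produces a write ratio near 1.0, so claim 4 on its own would flag ordinary saves; that is consistent with the claims' structure, in which these heuristics only nominate target files that claim 1's partial-feature check and, per claim 7, a confirmation prompt to the user then decide on. The rename-based count in claim 5 depends entirely on the preset extension list, which has to be maintained as ransomware families change their suffixes.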
CPC classification titles:

- involving event detection and direct action
- Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
- with visual or acoustical indication of the functioning of the machine
- by checking file integrity
- Computer malware detection or handling, e.g. anti-virus arrangements