Ransomware is unusual among threats in that it cannot hide its core action. To extort, it must encrypt files — a lot of them, fast. That behavior is loud, and it is the basis for detection that does not depend on recognizing the specific malware family.

McAfee, LLC's US11531757B2, “Ransomware detection and mitigation” (issued December 20, 2022; CPC G06F 21/566, runtime malware detection, and G06F 21/568, detecting malicious modification of data), describes a method for detecting ransomware activity and mitigating its effects. Read it at US11531757B2.

Mechanically, the system watches for the behavioral fingerprint of ransomware — the burst of file modification and encryption that legitimate software almost never produces — and triggers mitigation: halting the process, isolating the host, preserving what has not yet been encrypted. The CPC tag G06F 21/568, detecting malicious modification of data, is the precise classification of the mechanism.
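As an added illustration of the behavioral approach described above (example code written for this page, not code from the patent or from McAfee/Trellix): a sliding-window detector that flags a process once it has written high-entropy content to many distinct files within a few seconds, which is the "burst of file modification and encryption" signature. The window, file-count and entropy thresholds and the sample event stream are assumed values for the constructed scenario, not figures from the grant.

```python
import math
from collections import Counter, defaultdict, deque
from dataclasses import dataclass


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for ciphertext or compressed data, far lower for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


@dataclass
class FileEvent:
    ts: float        # seconds since some epoch (constructed values below)
    pid: int         # process that performed the write
    path: str        # file written
    entropy: float   # shannon_entropy() of the bytes written


def burst_detector(events, window=5.0, min_files=20, min_entropy=7.0):
    """Return {pid: peak_distinct_files} for every process that wrote
    high-entropy data to at least `min_files` distinct paths within any
    `window`-second span. Thresholds are assumed, tune per environment."""
    recent = defaultdict(deque)   # pid -> deque of (ts, path) for high-entropy writes only
    flagged = {}
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.entropy < min_entropy:
            continue  # ordinary document saves and log appends do not look encrypted
        q = recent[ev.pid]
        q.append((ev.ts, ev.path))
        while q and ev.ts - q[0][0] > window:
            q.popleft()          # slide the window forward
        distinct = len({p for _, p in q})
        if distinct >= min_files and distinct > flagged.get(ev.pid, 0):
            flagged[ev.pid] = distinct
    return flagged


def sample_events():
    """Constructed event stream: an editor, a backup tool, and one encrypting process."""
    evs = [FileEvent(0.0 + i, 100, f"/home/u/notes{i}.txt", 4.2) for i in range(3)]
    # High entropy but only two files: a compressed backup, should not be flagged.
    evs += [FileEvent(1.0 + i, 200, f"/home/u/backup{i}.zip", 7.9) for i in range(2)]
    # Forty distinct files rewritten with high-entropy content in two seconds.
    evs += [FileEvent(10.0 + i * 0.05, 300, f"/home/u/docs/f{i}.docx", 7.95) for i in range(40)]
    return evs
```

A real deployment would feed this from a file-system minifilter or audit stream and hand a flagged pid to the mitigation step (suspend the process, snapshot untouched files) rather than just returning a dict.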

Why this is a business story: ransomware is the single threat that moved cyber insurance premiums, board agendas, and security budgets the most across this period, and behavioral anti-ransomware became a checkbox every endpoint vendor had to fill. McAfee's consumer business went public again as McAfee Corp. in 2021 before being taken private, and its enterprise arm became Trellix — anti-ransomware IP like this was a load-bearing feature in both stories. The market for endpoint protection is, in large part, a market for stopping this one behavior.

The grounded read: ransomware detection works because the threat cannot avoid its own loud behavior — mass encryption — and mitigation races to limit it. McAfee's 2022 grant names that detect-and-mitigate mechanism for the threat that reshaped the entire security budget.