Edinburgh Napier University

  The present invention relates to a computer program product, a computing device and a method of detecting a file encrypted by ransomware by identifying a file write operation for a file on the computing device and determining if a predetermined number of bytes of the file is stored in a memory buffer on the computing device. An entropy value of the predetermined number of bytes in the memory buffer is determined and compared to a first predetermined threshold, wherein if the determined entropy value exceeds the first predetermined threshold the file associated with the file write operation is flagged as being potentially encrypted by ransomware.