Techniques for detecting encryption
Abstract:
Encryption operations may be performed by a computer system for various reasons. It is often unclear, however, whether one of the many processes executing on a system is performing encryption. Encryption can be computationally expensive, and a process that engages in a large amount of encryption may represent a performance bottleneck for the system, limiting the ability of the system to do additional work (or leaving it more exposed to a denial-of-service attack). Further, while encryption is used in many legitimate contexts, it is also used by malware in certain scenarios to communicate with a remote attacker (e.g., command-and-control software) or as part of ransomware. Thus, detecting whether a process is performing encryption can be important for identifying a performance bottleneck or uncovering malware. By monitoring a process and examining certain aspects of its activity, however, encryption operations can be detected and further remedial actions can be taken if needed.