Described herein is a system that detects ransomware infection in filesystems. The system detects ransomware infection by using backup data of machines. The system detects ransomware infection in two stages. In the first stage, the system analyzes a filesystem's behavior. The filesystem's behavior can be obtained by loading the backup data and crawling the filesystem to create a filesystem metadata including information about file operations during a time interval. The filesystem determines a pattern of the file operations and compares the pattern to a normal patter to analyze the filesystem's behavior. If the filesystem's behavior is abnormal, the system proceeds to the second stage to analyze the content of the files to look for signs of encryption in the filesystem. The system combines the analysis of both stages to determine whether the filesystem is infected by ransomware.