Feb 24, 2017
How to Use the Datto Ransomware Protection and Recovery Solution
Ransomware has become a major threat to individuals and businesses alike over the past few years. Organizations of all sizes have been impacted, but small businesses are particularly vulnerable to attacks. Cyber criminals use phishing emails to distribute ransomware on a massive scale. When the malware is run, it locks victim’s files using encryption and the criminals demand payment to release them. Encryption is enacted shortly after the malware is installed. However, early detection of ransomware can lessen the impact of attacks.
That’s why Datto offers a Ransomware Protection And Recovery Solution on SIRIS. To take advantage of this feature, partners can enable Ransomware Detection in the Reporting & Alerting section of the SIRIS Control Panel.
Datto's Ransomware Protection And Recovery Solution on SIRIS works by detecting patterns of change in specific file types. It is designed to alert MSPs of an infection quickly, based on known ransomware characteristics like randomized data or unusual changes to files. For example, it's highly unlikely that a user or legitimate program would rapidly and simultaneously:
Perform an in-place file content overwrite with random data
Overwrite the content of ONLY the file types commonly targeted ransomware
Exclude file types commonly ignored by ransomware
Preserve all the original file modified time stamps even though the file contents were overwritten
In any of those circumstances, SIRIS creates an alert for a suspected ransomware infection. Some ransomware alerts may be false positives because a legitimate program on a local machine may be updating files in an uncharacteristic or unexpected way. To verify whether ransomware is present, Datto Partners should take the following measures:
Since ransomware detection runs with every backup, you can open Backup Insights to look for file names or extensions that have changed or if files have disappeared. Pay particular attention to .doc, .docx, .jpg, .xlsx, and .pptx file types.
Boot the device or access it remotely. Often infected machines will boot with a window telling you who to contact and how long you have to pay the ransom.
Determine whether any local software behaves similarly to ransomware, which creates false positives. For example, Dropbox encrypts local files in a way that resembles the random file encryption of ransomware.
Log into the web interface of a file sync and share solution and inspect files. If ransomware is present, unusual filenames or extensions will often appear, such as .fun.
If ransomware is determined to be present on systems, you will need to restore data to a point in time before the infection. The type of restore you need to do depends on whether the virus has infected data, the OS, or both. For example, if a data volume is infected, you can perform a file restore. However, if the virus is more widespread and has infected the OS, you will need to perform a bare metal restore. For additional information on SIRIS restores, check out the Datto Disaster Recovery Guide.