February 17, 2021

How MSPs Can Detect Crypto-Ransomware with Datto RMM

By Sara Zorica

Managed service providers (MSPs) are well aware of the risk that ransomware poses, not only to their clients’ businesses but also to their own. We surveyed more than 1,000 MSPs on the state of ransomware in the channel and found some staggering figures on ransomware, MSPs, and their small and medium business clients.

  • MSPs reported the average ransom demand is $5,600
  • The average cost of downtime is $274,200 – nearly 50X the average ransom demand
  • MSPs also report that only 30% of their clients feel ‘very concerned’ about ransomware

The massive shift to remote working that businesses across all industries saw in the spring of 2020 also increased the cybersecurity risk companies face, as many employees were working on vulnerable home networks. Long gone are the days when phishing and other cyberattacks looked like an obviously malicious email from your “long lost uncle” who wants to send you millions of dollars. Nowadays, cybercriminals use various forms of socially engineered attacks that are much more realistic than they were in the past.

Datto RMM is an MSP-centric remote monitoring and management (RMM) tool that more than 5,000 MSPs rely on to remotely manage their clients’ IT environments. Beyond the management of endpoints, Datto RMM also helps MSPs detect ransomware attacks on their clients’ environments with native Ransomware Detection.

How does Ransomware Detection find ransomware?

Datto RMM Ransomware Detection monitors for the existence of crypto-ransomware on the endpoint, using proprietary behavioral analysis of files. This means it looks at what activity happens at the disk level, and regardless of where the encryption activity comes from, it can analyze it and determine if it is ransomware.

Once ransomware is detected, Datto RMM will automatically notify technicians the moment files start being encrypted. This allows the MSP to be proactive instead of relying on a user to report the issue. Datto RMM’s native Ransomware Detection can attempt to kill the ransomware process and automatically isolate the affected device from the network to prevent its spread and reduce the overall impact of ransomware on the client.

Isolated devices will still maintain their connection with Datto RMM, enabling technicians to respond quickly and take action, most likely starting the recovery process using an integrated Datto BCDR solution to roll back to a previous state prior to the infection.


Datto RMM partners can set up Ransomware Detection like any other monitor, applied either at the device level or as part of a monitoring policy. It offers the standard monitor settings, such as alert and response options, along with the option to isolate affected devices from the network.

If you want to learn more about the solution, take a look at the video below and sign up for a free demo today.
