What to do if a protected machine is infected with Ransomware



This article describes the steps you can take if a server becomes infected with CryptoLocker, CryptoWall, or any other ransomware.


Datto's 2016 report illustrates the state of ransomware among small and medium-sized businesses as well as predictions for the future.

You should also review the Datto Disaster Recovery Guide.


The type of restore you need to do depends on whether the virus has infected data, the OS, or both. If a data volume is infected, you can perform a file restore. If the virus is more widespread and has infected the OS, you will need to perform a Bare Metal Restore.

Start with the most recent recovery point and work your way back:

  • Use the Direct Restore Utility to check your recovery points for evidence of the infection.
  • Find the most recent "clean" recovery point to restore your files.
  • If the infection has reached the OS of a system, you will need to perform a Bare Metal Restore of the most recent clean recovery point.
  • If ransomware has infected a snapshot-enabled NAS share on your Datto device, Technical Support has the ability to perform a rollback of the dataset to an earlier healthy point, if one is present.

Once you've identified a healthy data set, you can proceed with restoring files or performing a Bare Metal Restore.
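The newest-to-oldest search described above can be scripted once recovery points are mounted read-only as directories. The following is an added example, not Datto tooling or code from this article; the mount layout, the ransom-note name patterns, and the sample files are assumptions constructed for illustration.

```python
import os
import re
import tempfile
from pathlib import Path

# Assumed note-name patterns; replace with those of the strain you are facing.
NOTE_RE = re.compile(r"help_decrypt|decrypt_instruction|how_to_decrypt", re.I)
# Fixed leading bytes of common file types; encrypted files lose them.
MAGIC = {".pdf": b"%PDF", ".png": b"\x89PNG", ".jpg": b"\xff\xd8\xff",
         ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04", ".zip": b"PK\x03\x04"}

def infection_evidence(root):
    """Return (path, reason) findings under one mounted recovery point."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            if NOTE_RE.search(name):
                findings.append((path, "ransom-note-like file name"))
            elif ext in MAGIC:
                with open(path, "rb") as fh:
                    head = fh.read(len(MAGIC[ext]))
                if head and head != MAGIC[ext]:  # skip empty files
                    findings.append((path, "header does not match extension"))
    return findings

def latest_clean_point(points):
    """points: (ISO timestamp, mount dir) pairs. Checks newest first."""
    for stamp, root in sorted(points, reverse=True):
        if not infection_evidence(root):
            return stamp
    return None  # every recovery point shows evidence of infection

def demo():
    """Build three constructed recovery points; return the newest clean one."""
    scrambled = bytes(range(200, 232))  # stands in for encrypted content
    samples = {
        "2024-01-01T00:00": {"report.pdf": b"%PDF-1.7 ok"},
        "2024-01-02T00:00": {"report.pdf": b"%PDF-1.7 ok", "logo.png": b"\x89PNG\r\n"},
        "2024-01-03T00:00": {"report.pdf": scrambled, "HELP_DECRYPT.TXT": b"note"},
    }
    with tempfile.TemporaryDirectory() as base:
        points = []
        for stamp, files in samples.items():
            root = os.path.join(base, stamp.replace(":", ""))
            os.makedirs(root)
            for name, data in files.items():
                Path(root, name).write_bytes(data)
            points.append((stamp, root))
        return latest_clean_point(points)
```

A recovery point with no findings is a candidate, not proof of a clean state: strains that leave file headers intact will pass the header check, so spot-check the files before restoring.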

As always, feel free to reach out to Technical Support if you need more help.
