What to do if a protected machine is infected with Ransomware



This article describes what steps you can take in case a server becomes infected with Cryptolocker, CryptoWall, or any other 'ransomware.'


Datto's 2016 report illustrates the state of ransomware among small and medium-sized businesses as well as predictions for the future:

You should also review the Datto Disaster Recovery Guide.


The type of restore you need to do depends on whether the virus has infected data, the OS, or both. If a data volume is infected, you can perform a file restore. If the virus is more widespread and has infected the OS, you will need to perform a Bare Metal Restore.

Start with the most recent recovery point and work your way back:

  • Use the Direct Restore Utility to check your recovery points for evidence of the infection.
  • Find the most recent "clean" recovery point to restore your files.
  • If the infection has infected the OS of a system, you will need to perform a Bare Metal Restore of the most recent clean recovery point.
  • If ransomware has infected a snapshot-enabled NAS share on your Datto device, Technical Support has the ability to perform a rollback of the dataset to an earlier healthy point, if one is present.

Once you've identified a healthy data set, you can proceed with restoring files or performing a Bare Metal Restore.

As always, feel free to reach out to Technical Support if you need more help.

Was this article helpful?

0 out of 1 found this helpful

You must sign in before voting on this article.

Calling all Partners! We want to hear your feedback! Please participate in this quick survey and help us build a better, more-relevant Knowledge Base!

Want to talk about it? Head on over to our Community Forum!