What to do if a protected machine is infected with Ransomware



This article describes what steps you can take in case a server becomes infected with Cryptolocker, CryptoWall, or any other ransomware.


  • Datto SIRIS


The type of restore you need to do depends on whether the virus has infected data, the OS, or both. Ransomware detection analyzes the OS volume of the protected system; if you receive an infection alert, you should check all of the data volumes attached to the system.

Start with the most recent recovery point and work your way back:

  • Use the Direct Restore Utility to check your recovery points for evidence of the infection.
  • Find the most recent "clean" recovery point to restore your files.
  • If a data volume is infected, you can perform a file restore or volume restore.
  • If the infection has infected the OS of a system, you will need to perform a Rapid Rollback or Bare Metal Restore of the most recent clean recovery point.
  • If ransomware has infected a snapshot-enabled NAS share on your Datto device, you can perform an iSCSI rollback.

Once you've identified a healthy data set, you can proceed with restoration.

Was this article helpful?

0 out of 1 found this helpful

You must sign in before voting on this article.

Want to talk about it? Have a feature request?

Head on over to our Datto Community Forum or the Datto Community Online.

For more Business Management resources, see the Datto RMM Online Help and the Autotask PSA Online Help .

Still have questions? Get live help.

Datto Homepage