This article explains Datto's process for detecting ransomware and what you should do if you suspect a machine is infected with ransomware.
- Datto SIRIS
- Datto ALTO
- Explaining Ransomware Detection and false-positives
- Six Steps for Finding Ransomware
- What Next?
The good and the bad news of ransomware is that it is not subtle. It doesn’t hide or act as a trojan horse lurking in the background. Instead, it acts as soon as a device is compromised. This can be especially challenging for an MSP to verify and control remotely and, as a result, to return their clients to working order as soon as possible.
This is why Datto developed ransomware detection for the SIRIS line of products. It is designed to check the OS drive of a protected system for suspicious file patterns which resemble ransomware activity. With the alert, you can immediately take action and determine if there is indeed a problem. The results can then be used to improve ransomware detection.
Explaining Ransomware Detection and false-positives
Datto's Ransomware Detection works by detecting patterns of change in specific file types, rather than analyzing specific files. For example, it's highly unlikely that a user or legitimate program would rapidly and simultaneously:
- Perform an in-place file content overwrite with random data.
- Overwrite the content of ONLY the file types commonly targeted ransomware.
- Exclude file types commonly ignored by ransomware.
- Preserve all the original file modified time stamps even though the file contents were overwritten.
In a case like this, the Datto device would create an alert for suspected ransomware infection.
As with any prediction, some ransomware alerts may be false-positives because a legitimate program on a local machine may be updating files in an uncharacteristic or unexpected way. Datto expects a small number of false-positives while we refine our algorithm. You can report false-positives
Future releases are planned to address the need to confirm an infection instantly. The goal is for willing partners to help us improve the engine over time, lower the percentage of false-positives, and to help us to stay ahead of ransomware developers.
Ransomware detection is enabled by default. You can enable or disable this feature in the Datto web UI under Configure → Device Settings → Verification
Seven Steps for Finding Ransomware
If you suspect ransomware infection, there's a number of steps you can take:
- On compatible devices, run Backup Insights. Since ransomware detection runs with every backup, you can open Backup Insights to see if files with unusual extensions have been recently added to the device or if Microsoft Office files are suddenly missing.
- Boot the device or access it remotely. Often infected machines will boot with a window telling you who to contact and how long you have. If you don't have remote access to the server or don't want to connect to it or interrupt end users, you have two other options:
- Start a virtualization of the impacted server on your Datto appliance and browse the root folders of the OS volume
- Create a file restore from the Datto appliance GUI and review the file extensions within it. Files with extensions such as .ecc, .ezz, .exx, .zzz, .xyz, .aaa, .abc, .ccc, .vvv, .xxx, .ttt, .micro, .encrypted, .locked, .crypto, .cryptowall, _crypt, .cryp1, .zepto, .crinf, .r5a, .XRNT, .XTBL, .crypt, .R16M01D05, .pzdc, .good, .LOL!, .OMG!, .RDM, .RRK, .encryptedRSA, .crjoker, .EnCiPhErEd, .LeChiffre, .keybtc@inbox_com, .0x0, .bleep, .1999, .vault, .HA3, .toxcrypt, .magic, .SUPERCRYPT, .CTBL, .CTB2, .locky, .fun, or 6 - 7 character long extensions consisting of random numbers, letters, and symbols.may have been infected with ransomware.
You can report false-positive alerts, once per agent, directly from the ransomware alerting banner in the Datto appliance GUI. Note that reporting a false-positive will suppress further ransomware alerts for that agent, and the Restore page will no longer display historical infection reporting.
If a particular agent persistently false-alerts for ransomware (with no apparent infection upon inspection) you can disable detection for that particular agent from the Configure Agent Settings page of the Datto appliance. You should only do this as a last resort.
NOTE: Disabling ransomware detection for a protected system will also disable all historical infection reporting for that system. You will not be able to see which of the system's backups were suspected to contain ransomware until you re-enable the feature.
If you do find actual ransomware on the machine, don’t panic. Datto’s Data Continuity solutions are built to restore the machine back to a time before the attack took place. See What to do if a protected machine is infected with ransomware for steps you can use to recover.