Ransomware Detection 101



This article explains Datto's process for detecting ransomware and what you should do if you suspect a machine is infected with ransomware. 



The good and the bad news about ransomware is that it is not subtle. It doesn't hide or act as a Trojan horse lurking in the background. Instead, it acts as soon as a device is compromised. For an MSP working remotely, this makes an infection especially challenging to verify and control, and therefore to return clients to working order as soon as possible.

This is why Datto developed ransomware detection for the SIRIS line of products. It is designed to alert on a possible infection based on known ransomware characteristics. Because it alerts early in an attempt to head off system and customer downtime, false positives are likely. With the alert, you can immediately take action and determine whether there is indeed a problem. The results can then be used to improve ransomware detection.

Explaining Ransomware Detection and False Positives

Datto's Ransomware Detection works by detecting patterns of change in specific file types, rather than analyzing specific files. For example, it's highly unlikely that a user or legitimate program would rapidly and simultaneously:

  • perform an in-place file content overwrite with random data
  • overwrite the content of ONLY the file types commonly targeted by ransomware
  • exclude file types commonly ignored by ransomware
  • preserve all the original file modified time stamps even though the file contents were overwritten

In a case like this, the Datto device would create an alert for suspected ransomware infection.
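The four characteristics listed above can be checked together by comparing two consecutive snapshots. The following is an added illustration, not Datto's algorithm or code: the extension lists, the entropy threshold, the 50% fraction and the snapshot layout (`{path: (mtime, content)}`) are all assumptions, and the sample data is constructed.

```python
import math
import os
from collections import Counter

# Assumed extension lists for illustration; the page does not publish Datto's.
TARGETED = {".doc", ".docx", ".xlsx", ".pptx", ".jpg"}
IGNORED = {".exe", ".dll", ".sys"}

def ext(path):
    return os.path.splitext(path)[1].lower()

def entropy(data):
    """Shannon entropy in bits per byte; values near 8.0 look like random data."""
    if not data:
        return 0.0
    return -sum(c / len(data) * math.log2(c / len(data)) for c in Counter(data).values())

def suspicious_changes(before, after, min_entropy=7.5):
    """Snapshots are {path: (mtime, content)}. Return targeted files overwritten in
    place with high-entropy data while keeping their original modified time."""
    hits = []
    for path, (mtime_old, data_old) in before.items():
        if ext(path) not in TARGETED or path not in after:
            continue
        mtime_new, data_new = after[path]
        if data_new != data_old and mtime_new == mtime_old and entropy(data_new) >= min_entropy:
            hits.append(path)
    return sorted(hits)

def should_alert(before, after, min_fraction=0.5):
    """Alert when at least min_fraction of targeted files changed that way and no
    ignored-type file changed (the selectivity the article describes)."""
    targeted = [p for p in before if ext(p) in TARGETED]
    ignored_changed = any(ext(p) in IGNORED and after.get(p) != v for p, v in before.items())
    hits = suspicious_changes(before, after)
    return bool(targeted) and not ignored_changed and len(hits) / len(targeted) >= min_fraction

# Constructed sample snapshots (not real backup data).
ENCRYPTED = bytes(range(256)) * 8  # stand-in for ciphertext: entropy is exactly 8.0
BEFORE = {
    "docs/report.docx": (1000, b"Quarterly report draft. " * 100),
    "docs/budget.xlsx": (1001, b"q1,q2,q3,q4\n" * 100),
    "pics/site.jpg": (1002, b"\xff\xd8\xff" + b"pixel" * 100),
    "bin/tool.exe": (1003, b"MZ" + b"\x00" * 500),
}
# Two documents overwritten in place, modified times untouched.
INFECTED = dict(BEFORE, **{"docs/report.docx": (1000, ENCRYPTED), "docs/budget.xlsx": (1001, ENCRYPTED)})
# An ordinary edit: new content, new modified time, still plain text.
EDITED = dict(BEFORE, **{"docs/report.docx": (2000, b"Quarterly report final. " * 100)})
```

A legitimate program that rewrites many documents with compressed or encrypted content and restores their timestamps would trip the same checks, which is the kind of false positive the article goes on to describe.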

However, as with any prediction, some ransomware alerts may be false positives because a legitimate program on a local machine may be updating files in an uncharacteristic or unexpected way. Datto expects a small number of false positives while we refine our algorithm.

Future releases are planned to address the need to confirm an infection instantly as well as to report a false positive. The goal is for willing partners to help us improve the engine over time, lower the percentage of false positives, and help us stay ahead of ransomware developers.

Figure 1 - Ransomware detection alert enabled


Figure 2 - Backup Warning example

Six Steps for Finding Ransomware

If you suspect ransomware infection:

  1. Run backup insights. Since ransomware detection runs with every backup, you can open Backup Insights to see if files with unusual extensions have been recently added to the device or if Microsoft Office files are suddenly missing.
  2. Boot the device or access it remotely. Often infected machines will boot with a window telling you who to contact and how long you have. 

    If you don't have remote access to the server or don't want to connect to it or interrupt end users, you have two other options:
    • Spin up a VM of the server on the Datto and browse the root folders of the OS volume.
    • Create a file restore from Remote Web and attempt to download and open any suspect files. If your machine is unable to open the file, it may have been encrypted by ransomware.
  3. Open either Microsoft Word or Excel, and see if those applications display any sort of error or warning. Office and Word files are common targets of infections.
  4. Inspect common document folders, such as My Documents. See if file names or extensions are changing or if recent files have disappeared. Pay particular attention to .doc, .docx, .jpg, .xlsx, .pptx and similar common personal file types.
  5. Determine if any other local software behaves similarly to ransomware. For example, Dropbox encrypts local files in a way that resembles the random file encryption of ransomware. If you find similar software, please make sure to mark your snapshot as a false positive so we can improve our tests.
  6. Log into file sync and share platforms. Often file sync and share applications propagate all file changes, which can include ransomware. Log into the web interface of the file sync and share solution connected to the suspect system and inspect files. Altered file names or extensions will often appear, such as .fun.
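The manual checks in steps 2 to 4 and 6 (files that no longer open, extensions that have changed) can be run in bulk over a file restore. This is an added example, not a Datto tool: it assumes the restore has been downloaded to a local folder, compares each file's leading bytes with the standard signature for its extension, and flags document names with an extra extension appended, such as the .fun case mentioned above. The sample folder is constructed.

```python
import os
import tempfile

# First bytes of an intact file of each type (ZIP container, OLE2 container, JPEG).
MAGIC = {
    ".docx": b"PK\x03\x04", ".xlsx": b"PK\x03\x04", ".pptx": b"PK\x03\x04",
    ".doc": b"\xd0\xcf\x11\xe0", ".xls": b"\xd0\xcf\x11\xe0",
    ".jpg": b"\xff\xd8\xff",
}

def triage(root):
    """Walk a restored folder and return {relative_path: finding} for suspect files."""
    findings = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            stem, ext = os.path.splitext(name)
            ext, inner = ext.lower(), os.path.splitext(stem)[1].lower()
            with open(full, "rb") as fh:
                head = fh.read(8)
            if ext in MAGIC and not head.startswith(MAGIC[ext]):
                findings[rel] = "header does not match " + ext
            elif ext not in MAGIC and inner in MAGIC:
                # A known document type with another extension appended after it.
                findings[rel] = "extra extension " + ext + " appended to " + inner
    return findings

def build_sample(root):
    """Write a constructed sample folder (not real user data) for the demonstration."""
    files = {
        "report.docx": b"PK\x03\x04" + b"\x00" * 32,      # intact ZIP-based document
        "photo.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32,  # intact JPEG
        "budget.xlsx": bytes(range(40, 80)),               # overwritten: wrong header
        "notes.docx.fun": bytes(range(40, 80)),            # renamed with appended extension
        "readme.txt": b"plain text",                       # type not checked
    }
    for name, data in files.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        build_sample(d)
        print(triage(d))
```

A header mismatch only shows that a file is not what its extension claims; confirm by opening a few flagged files before treating the snapshot as infected.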

As a last resort, if a particular agent persistently false-alerts for ransomware (with no apparent infection upon inspection) you can disable detection for that particular agent in Agent Settings. 

What Next?

If you are unable to find signs of ransomware, please mark the alert as a false positive by clicking Report False Positive underneath the ransomware flag in the Manage Recovery Points section of the web UI (see Figure 3). We are continually improving our algorithm for ransomware detection, and getting feedback on false positives is critical to that effort.

Figure 3: Report false alert in Manage Recovery Points


If you do find actual ransomware on the machine, don’t panic.  Datto’s Data Continuity solutions are built to restore the machine back to a time before the attack took place. See What to do if a protected machine is infected with ransomware for steps you can use to recover.
