What to do if a protected machine is infected with ransomware

Topic

This article describes the steps to take if a protected server becomes infected with CryptoLocker, CryptoWall, or any other ransomware.

Environment

  • Datto SIRIS

Description

The type of restore you need depends on whether the ransomware has encrypted data volumes, the OS volume, or both. Ransomware detection on the Datto device analyzes the OS volume of the protected system, not its data volumes, so if you receive an infection alert, check every data volume attached to the system as well.

Start with the most recent recovery point and work your way back:

  • Use the Direct Restore Utility to check your recovery points for evidence of the infection (ransom notes, files renamed with an unfamiliar extension, or files that no longer open).
  • Find the most recent "clean" recovery point, that is, the newest one with no such evidence, and restore your files from it.
  • If only a data volume is infected, perform a file restore or a volume restore from that clean recovery point.
  • If the OS volume is infected, perform a Rapid Rollback or a Bare Metal Restore of the most recent clean recovery point.
  • If ransomware has infected a snapshot-enabled NAS share on your Datto device, you can perform an iSCSI rollback.
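Checking recovery points for evidence of infection, as an added example that is not part of the original article or of Datto's tooling: the script below walks a list of recovery points (assumed to be mounted as directories, for example through the Direct Restore Utility) from newest to oldest and reports the first one that shows no ransomware indicators. The indicator lists (ransom-note filename patterns, appended extensions, and high-entropy content in files that should be plain text), the directory layout and the sample data are constructed assumptions, not a vendor signature set.

```python
"""Find the most recent clean recovery point by scanning mounted recovery
points, newest first, for ransomware indicators.
Added example, not Datto's code; indicator lists and layout are assumptions."""
import math
import os
import re
import tempfile
from pathlib import Path
from typing import List, Optional

# Illustrative indicators (assumptions); extend with what you observe on the host.
RANSOM_NOTE_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"^readme.*(decrypt|recover|restore)",
    r"^(how_to|instructions).*(decrypt|recover|restore)",
)]
RANSOMWARE_EXTENSIONS = {".locked", ".encrypted", ".crypt", ".enc"}
# Formats that are normally low-entropy text; near-8-bit entropy there means
# the content was encrypted in place while the file name was kept.
TEXT_EXTENSIONS = {".txt", ".csv", ".log", ".ini", ".xml", ".json"}
ENTROPY_THRESHOLD = 7.2   # bits/byte: English text ~4.5, ciphertext ~7.99
MIN_SAMPLE = 1024         # smaller samples give noisy entropy estimates


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte (0.0 for empty or constant input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def scan_recovery_point(root: Path, sample_bytes: int = 65536) -> List[str]:
    """Return indicator descriptions found under root; empty list means clean."""
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root)
        ext = path.suffix.lower()
        if any(p.match(path.name) for p in RANSOM_NOTE_PATTERNS):
            findings.append(f"ransom note: {rel}")
        elif ext in RANSOMWARE_EXTENSIONS:
            findings.append(f"renamed/encrypted file: {rel}")
        elif ext in TEXT_EXTENSIONS:
            with path.open("rb") as fh:
                sample = fh.read(sample_bytes)
            ent = shannon_entropy(sample)
            if len(sample) >= MIN_SAMPLE and ent > ENTROPY_THRESHOLD:
                findings.append(f"high-entropy {ext} file ({ent:.2f} bits/byte): {rel}")
    return findings


def most_recent_clean(recovery_points: List[Path]) -> Optional[Path]:
    """recovery_points must be ordered newest to oldest; return the first clean one."""
    for rp in recovery_points:
        findings = scan_recovery_point(rp)
        if findings:
            print(f"{rp.name}: {len(findings)} indicator(s), e.g. {findings[0]}")
        else:
            print(f"{rp.name}: clean")
            return rp
    return None


def build_demo_tree(base: Path) -> List[Path]:
    """Constructed sample data: three fake recovery points, newest first;
    the two newest carry indicators, the oldest is clean."""
    layout = (("2024-05-03_0200", True), ("2024-05-02_0200", True), ("2024-05-01_0200", False))
    points = []
    for name, infected in layout:
        docs = base / name / "Users" / "alice" / "Documents"
        docs.mkdir(parents=True)
        if infected:
            (docs / "report.docx.locked").write_bytes(os.urandom(4096))
            (docs / "notes.txt").write_bytes(os.urandom(4096))   # encrypted, name kept
            (docs / "README_TO_DECRYPT.txt").write_text("Your files have been encrypted.\n")
        else:
            (docs / "report.docx").write_bytes(b"PK\x03\x04" + b"\x00" * 4096)
            (docs / "notes.txt").write_text("Q2 planning notes\n" * 200)
        points.append(base / name)
    return points


def run_demo() -> dict:
    """Build the sample tree in a temp dir and return what the scan concluded."""
    with tempfile.TemporaryDirectory() as tmp:
        points = build_demo_tree(Path(tmp))
        clean = most_recent_clean(points)
        return {"clean": clean.name if clean else None,
                "newest_findings": len(scan_recovery_point(points[0]))}


if __name__ == "__main__":
    print(run_demo())
```

Mount the candidate recovery points, pass them to most_recent_clean() in newest-first order, and treat the result as a starting point rather than a verdict: add the ransom note name and appended extension you actually see on the infected host to the indicator lists, and open a handful of files in the chosen point before restoring from it.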

Once you've identified a healthy data set, you can proceed with restoration. Keep in mind that a recovery point whose files are intact may still contain the ransomware executable if it was captured after the initial compromise but before encryption began, so isolate the restored system and scan it before returning it to production.