Ransomware is a type of malware that denies access to infected content, and demands that the user pay a ransom to remove the restriction. Ransomware is typically distributed through malicious document files attached to spam email messages, or through phishing attempts, where users are baited into clicking a link to an infected file. When users download the ransomware executable file, the machine becomes infected.
With Anchor, you can use policies to protect against the risks of ransomware, and if end users are infected, you can always recover with our advanced data recovery tools.
Important: Anchor provides best-in-class ransomware protection and recovery features. However, it is still important that organizations establish internal policies for verifying the integrity of email communications.
Protect Against Ransomware
Anchor can help you avoid widespread cloud infection by preventing any locally encrypted files from syncing to the cloud. Using the Excluded Extensions policy, you can define file extensions that should never sync.
By default, the Excluded Extensions policy is prepopulated with extensions that are often excluded as a best practice. Anchor empowers administrators to fully customize data protection strategies for their end users, so we suggest that you update this list on a regular basis with the most current ransomware extensions (for example, .locky, .thor, .zepto, and so forth).
For complete instructions, please reference the Excluding a File Type from Syncing Knowledgebase article.
Additional Best Practices
In addition to utilizing the Excluded Extensions policy, you might also consider implementing the following best practices to further protect data.
- Configure Trim Settings and Purge Settings for unlimited retention to ensure that data is never erased from the system.
- To minimize the effect of a ransomware attack, encourage users to turn on the Pause Sync feature as soon as they suspect a ransomware infection. If an infection is discovered, the user can unlink his desktop client, or an administrator can remotely wipe the synced data. This data will remain protected and accessible in the cloud.
- Encourage users to utilize the Selective Sync feature so that only necessary files and folders sync down to their local machine.
- Turn on backups to protect data outside of the protection of the Synced Folder.
Recover from Ransomware
Step 1: Find the Date and Time of Infection
Using the Activity Log in the end user’s web portal, the affected user can find the day and time his files were infected.
For complete instructions, please reference the Viewing Reports and Tracking Activity in the End User Web Portal Knowledgebase article.
Step 2: Recovery Using the Snapshot Feature
When you know the date and time of infection, you can recover using the Snapshot feature. The Snapshot feature allows administrators to easily copy a Team Share, backup, or a user’s personal data as it existed at a specific point in time, including content that was previously deleted, recreated, or changed. This feature even recovers the revision history of restored content, starting from the selected date.
For complete instructions, please reference the Recover from Ransomware Using the Snapshot Feature Knowledgebase article.
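The following is an added example, not part of Anchor or its documentation: a local check that walks a folder for files whose extension is on an exclusion list like the one described above and reports the earliest modification time among them, as a starting estimate for the infection time used in Steps 1 and 2. The function names, sample files, and dates are constructed for illustration.

```python
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Extensions this page names as examples; keep the list current.
RANSOMWARE_EXTENSIONS = {".locky", ".thor", ".zepto"}


def is_flagged(path, extensions=RANSOMWARE_EXTENSIONS):
    """True if the final extension is on the list (case-insensitive)."""
    return Path(path).suffix.lower() in extensions


def scan_folder(root, extensions=RANSOMWARE_EXTENSIONS):
    """Walk a local folder; return (sorted [(mtime_utc, path)], earliest mtime)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = Path(dirpath) / name
            if is_flagged(full, extensions):
                ts = datetime.fromtimestamp(full.stat().st_mtime, tz=timezone.utc)
                hits.append((ts, str(full)))
    hits.sort()
    return hits, (hits[0][0] if hits else None)


def build_sample(root):
    """Constructed sample tree: one clean file, two renamed by ransomware."""
    samples = {
        "budget.xlsx": datetime(2017, 1, 9, 16, 0, tzinfo=timezone.utc),
        "docs/report.docx.locky": datetime(2017, 1, 10, 9, 31, tzinfo=timezone.utc),
        "docs/NOTES.TXT.ZEPTO": datetime(2017, 1, 10, 9, 30, tzinfo=timezone.utc),
    }
    for rel, when in samples.items():
        target = Path(root) / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(b"constructed sample")
        os.utime(target, (when.timestamp(), when.timestamp()))


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        hits, earliest = scan_folder(tmp)
        for ts, path in hits:
            print(ts.isoformat(), path)
        print("Earliest flagged change (UTC):", earliest)
```

Extension matching only catches variants already on the list, and a local modification time is an estimate, so confirm the time in the Activity Log before choosing the snapshot date.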
Additional Best Practices
- The Restore Revisions feature allows you to restore one file to a previous revision.
- The Restore Deleted feature allows you to restore a file that has been previously marked as deleted.
- The Revision Rollback feature helps you recover from many variants of ransomware; the feature utilizes a file’s revision history to restore all currently-existing content to a healthy revision.