Ransomware Detection

If you are using the Datto EDR and Datto AV Integration in Datto RMM, it is recommended to deploy Ransomware Detection through Datto EDR. In doing so, the RWD Status for devices targeted by Datto EDR Ransomware Detection will show as Active in Datto RMM. Refer to Datto EDR and Datto AV Integration in this Help system and Understanding Datto EDR's ransomware detection in the Datto EDR Help system.

Datto RMM is a secure and full-featured cloud platform enabling MSPs to remotely monitor, manage, and support their endpoints, and it now also provides an extra layer of security with native Ransomware Detection. Datto RMM Ransomware Detection monitors for the existence of crypto-ransomware on endpoints using proprietary behavioral analysis of files and alerts you when a device is infected. Once ransomware is detected, Datto RMM can isolate the device and attempt to stop suspected ransomware processes to prevent the ransomware from spreading.

This topic provides an overview of Ransomware Detection in Datto RMM and answers questions frequently asked by our partners.

Key benefits

  • Know about ransomware infections instantly. Instead of waiting for a user to report the issue, Datto RMM will notify technicians at the moment files get encrypted by the ransomware. This will provide more time to respond and possibly prevent the spread. The following screenshot shows an example of a Datto RMM alert generated when ransomware is detected on a device.
  • Easily monitor using policy-driven configuration. The powerful, policy-driven approach of Datto RMM allows MSPs to easily monitor targeted devices at scale for the presence of ransomware. Integrations with key MSP tools, such as Autotask or ConnectWise PSA, along with email notification options, ensure that the right resources can be notified immediately if ransomware is detected.
  • Prevent the spread of ransomware with automatic network isolation and termination of ransomware processes. Once ransomware is detected, you can have the Agent isolate the affected device from the network and attempt to stop suspected ransomware processes to prevent further spread of the ransomware to other devices.
  • Remediate issues remotely. Devices automatically isolated from the network can still contact Datto RMM, allowing technicians to take effective action to resolve the issue.
  • Recover with Datto Continuity products. When Datto RMM is integrated with Datto BCDR, technicians can quickly recover from the ransomware outbreak by restoring a device to a previous state.

Requirements

  • You must have an active Datto RMM subscription or trial.
  • Ransomware Detection must be enabled.

NOTE  The Ransomware monitor requires a license. Refer to Add Ransomware Detection licenses.

  • You must have the relevant permissions to add a Ransomware monitor to a device, a Monitoring policy, or an Endpoint Security policy.

NOTE  It is best practice to use Ransomware Detection as part of an Endpoint Security policy in the New UI. Refer to Endpoint Security policy.

  • Devices must be managed devices. Ransomware Detection is not available for OnDemand devices.

Supported devices

The Ransomware monitor can be applied on all supported Windows devices. Refer to Windows.

Ransomware monitor features

You can create a Ransomware monitor as a standalone monitor added to individual devices or as part of a Monitoring policy or Endpoint Security policy.

NOTE  It is best practice to use Ransomware Detection as part of an Endpoint Security policy in the New UI. Refer to Endpoint Security policy.

The monitor includes the following features:

  • Alert details that include options such as configuring monitored locations and paths, excluding file extensions, and setting alert priority. These criteria specify what the monitor looks for before an alert is created.
  • Response details that include options such as isolating the affected device from the network or configuring a custom response component, attempting to stop suspected ransomware processes, creating tickets, and emailing responses.

For information about how to create a monitor and how to specify the details of a Ransomware monitor, refer to Monitors and Ransomware monitor. For information about how to create a policy and how to specify the details of a Monitoring policy or an Endpoint Security policy, refer to Policies, Monitoring policy, and Endpoint Security policy.

Ransomware status

For information about Ransomware Detection status, refer to RWD Status.

A widget displaying the Ransomware Detection status of your devices is available in the Widget Library. Refer to Ransomware Status.

FAQs