Ransomware Detection
If you are using the Datto EDR and Datto AV Integration in Datto RMM, it is recommended to deploy Ransomware Detection through Datto EDR. In doing so, the RWD Status for devices targeted by Datto EDR Ransomware Detection will show as Active in Datto RMM. Refer to Datto EDR and Datto AV Integration in this Help system and Understanding Datto EDR's ransomware detection in the Datto EDR Help system.
Datto RMM is a secure and full-featured cloud platform enabling MSPs to remotely monitor, manage, and support their endpoints, and it now also provides an extra layer of security with native Ransomware Detection. Datto RMM Ransomware Detection monitors for the existence of crypto-ransomware on endpoints using proprietary behavioral analysis of files and alerts you when a device is infected. Once ransomware is detected, Datto RMM can isolate the device and attempt to stop suspected ransomware processes to prevent the ransomware from spreading.
This topic provides an overview of Ransomware Detection in Datto RMM and answers questions frequently asked by our partners.
Key benefits
- Know about ransomware infections instantly. Instead of waiting for a user to report the issue, Datto RMM will notify technicians at the moment files get encrypted by the ransomware. This will provide more time to respond and possibly prevent the spread. The following screenshot shows an example of a Datto RMM alert generated when ransomware is detected on a device.
- Easily monitor using policy-driven configuration. The powerful, policy-driven approach of Datto RMM allows MSPs to easily monitor targeted devices at scale for the presence of ransomware. Integrations with key MSP tools, such as Autotask or ConnectWise PSA, along with email notification options, ensure that the right resources can be notified immediately if ransomware is detected.
- Prevent spreading of ransomware with automatic network isolation and termination of ransomware processes. Once ransomware is detected, you can have the Agent isolate the affected device from the network and attempt to stop suspected ransomware processes to prevent further spread of the ransomware to other devices.
- Remediate issues remotely. Devices automatically isolated from the network can still contact Datto RMM, allowing technicians to take effective action to resolve the issue.
- Recover with Datto Continuity products. When Datto RMM is integrated with Datto BCDR, technicians can quickly recover from the ransomware outbreak by restoring a device to a previous state.
Requirements
- You must have an active Datto RMM subscription or trial.
- Ransomware Detection must be enabled.
NOTE The Ransomware monitor requires a license. Refer to Add Ransomware Detection licenses.
- You must have the relevant permissions to add a Ransomware monitor to a device, a Monitoring policy, or an Endpoint Security policy.
NOTE It is best practice to use Ransomware Detection as part of an Endpoint Security policy in the New UI. Refer to Endpoint Security policy.
- Devices must be managed devices. Ransomware Detection is not available for OnDemand devices.
Supported devices
The Ransomware monitor can be applied on all supported Windows devices. Refer to Windows.
Ransomware monitor features
You can create a Ransomware monitor as a standalone monitor added to individual devices or as part of a Monitoring policy or Endpoint Security policy.
NOTE It is best practice to use Ransomware Detection as part of an Endpoint Security policy in the New UI. Refer to Endpoint Security policy.
The monitor includes the following features:
- Alert details that include options such as configuring monitored locations and paths, excluding file extensions, and setting alert priority. These criteria specify what the monitor looks for before an alert is created.
- Response details that include options such as isolating the affected device from the network or configuring a custom response component, attempting to stop suspected ransomware processes, creating tickets, and emailing responses.
For information about how to create a monitor and how to specify the details of a Ransomware monitor, refer to Monitors and Ransomware monitor. For information about how to create a policy and how to specify the details of a Monitoring policy or an Endpoint Security policy, refer to Policies, Monitoring policy, and Endpoint Security policy.
Ransomware status
For information about Ransomware Detection status, refer to RWD Status.
A widget displaying the Ransomware Detection status of your devices is available in the Widget Library. Refer to Ransomware Status.
FAQs
How can I set up Ransomware Detection?
You can set up a Ransomware monitor like any other monitor, applied either at the device level or as part of a Monitoring policy or Endpoint Security policy. This includes the standard monitor settings (alert and response options) along with the options to isolate affected devices from the network and to stop suspected ransomware processes. Refer to Requirements and Ransomware monitor features.
NOTE It is best practice to use Ransomware Detection as part of an Endpoint Security policy in the New UI. Refer to Endpoint Security policy.
The Ransomware Detection module is built into the Datto RMM Agent. Setting up Ransomware Detection requires only activation and licensing. Refer to Add Ransomware Detection licenses.
The solution is behavior-driven and does not require signatures.
Internet connectivity is not required for Ransomware Detection to monitor for the presence of ransomware and stop suspected ransomware processes; the engine runs locally in the Agent. However, Datto RMM cannot send ransomware alerts until the device is back online, so a detection on an offline device only surfaces once it reconnects.
If your Datto RMM account is integrated with Autotask or ConnectWise PSA, then ransomware alerts created in Datto RMM can be configured to create tickets in those PSAs. Refer to Create a ticket.
Ransomware Detection is designed to work alongside other security products you deploy to your customer endpoints.
Device isolation can be reverted by running the Revert Device Isolation [WIN] component available in the ComStore. This will revert any isolation that has occurred on a device and return its ability to contact the Internet and other devices on the network. Refer to Download a component in the legacy UI and Download a component in the New UI.
NOTE As part of the isolation process, the contents of UDF 1 will be replaced with the following message:
DEVICE ISOLATED [Date of isolation] :: DO NOT DELETE DEVICE RECORD
If UDF 1 previously contained data, it will be preserved as part of the output of the isolation process and in the log file.
Find devices that have been isolated by filtering UDF 1 for the text DEVICE ISOLATED.
IMPORTANT Do not delete an isolated device's record. If you do, the device will require manual intervention to regain its access to the internet.
IMPORTANT Always ensure you are using the latest version of this component. Running an older version could cause issues when attempting to restore internet connectivity settings. To learn how to update a component, refer to Update.
IMPORTANT Datto RMM needs access to modify %SystemRoot%\System32\drivers\etc\hosts in order to revert device isolation remotely. Ensure that a device's AV is not blocking this access if you are unable to revert from isolation.
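Finding isolated devices in bulk, as an added example that is not Datto's own code or component: a PowerShell script that pulls the device list through the Datto RMM REST API and selects records whose UDF 1 carries the DEVICE ISOLATED marker, extracting the isolation date from the UDF text. It assumes the API v2 token endpoint (POST /auth/oauth/token with Basic public-client:public and the password grant), the paged GET /api/v2/account/devices endpoint with a pageDetails.nextPageUrl field, and a udf.udf1 property on each device record, as described in the Datto RMM API documentation; the platform URL and the DRMM_API_KEY / DRMM_API_SECRET environment variables are placeholders for your own platform and credentials. Because this page does not specify the date format inside the brackets, the script keeps that text verbatim. Without credentials it runs an offline self-check against constructed UDF strings and makes no API call.

```powershell
# List the devices Datto RMM has isolated by scanning UDF 1 for the DEVICE ISOLATED marker.
# Added example for this page; not Datto's own code. Assumptions: Datto RMM REST API v2
# (token via POST /auth/oauth/token, paged GET /api/v2/account/devices, udf.udf1 on each device)
# per the Datto RMM API reference; the platform URL and the DRMM_API_KEY / DRMM_API_SECRET
# environment variables are placeholders for your own platform and credentials.
param(
    [string]$Platform  = 'https://zinfandel-api.centrastage.net',
    [string]$ApiKey    = $env:DRMM_API_KEY,
    [string]$ApiSecret = $env:DRMM_API_SECRET
)
$ErrorActionPreference = 'Stop'

# Parse the UDF 1 marker "DEVICE ISOLATED [Date of isolation] :: DO NOT DELETE DEVICE RECORD".
# The date format is not specified on this page, so the text between the marker and "::" is kept verbatim.
function ConvertFrom-IsolationUdf([string]$Udf1) {
    if ($Udf1 -match '^DEVICE ISOLATED\s*\[?(?<when>.+?)\]?\s*::\s*DO NOT DELETE DEVICE RECORD') {
        return $Matches['when'].Trim()
    }
    if ($Udf1 -like 'DEVICE ISOLATED*') { return 'unknown date' }   # marker present, trailer unexpected
    return $null
}

function Get-DrmmToken {
    $basic = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes('public-client:public'))
    $resp = Invoke-RestMethod -Method Post -Uri "$Platform/auth/oauth/token" `
        -Headers @{ Authorization = "Basic $basic" } `
        -ContentType 'application/x-www-form-urlencoded' `
        -Body @{ grant_type = 'password'; username = $ApiKey; password = $ApiSecret }
    return $resp.access_token
}

function Get-DrmmIsolatedDevices {
    $headers = @{ Authorization = "Bearer $(Get-DrmmToken)" }
    $url = "$Platform/api/v2/account/devices?page=0&max=250"
    $found = @()
    while ($url) {
        $page = Invoke-RestMethod -Method Get -Uri $url -Headers $headers
        foreach ($d in $page.devices) {
            $when = ConvertFrom-IsolationUdf ([string]$d.udf.udf1)
            if ($when) {
                $found += [pscustomobject]@{ Hostname = $d.hostname; Site = $d.siteName; IsolatedOn = $when; Uid = $d.uid }
            }
        }
        $url = $page.pageDetails.nextPageUrl   # null on the last page
    }
    return ,$found
}

if ($ApiKey -and $ApiSecret) {
    $isolated = Get-DrmmIsolatedDevices
    if ($isolated.Count -eq 0) { 'No devices carry the DEVICE ISOLATED marker in UDF 1.' }
    else { $isolated | Sort-Object Site, Hostname | Format-Table -AutoSize }
} else {
    # Offline self-check against constructed UDF 1 values (no API call is made).
    foreach ($s in 'DEVICE ISOLATED [2024-03-05 14:02] :: DO NOT DELETE DEVICE RECORD', 'Asset tag 12345', $null) {
        "{0,-70} -> {1}" -f $s, (ConvertFrom-IsolationUdf ([string]$s))
    }
}
```

The script only reads; reverting isolation still goes through the Revert Device Isolation [WIN] component described above. Keep the API key and secret out of the script file itself (environment variables or a secrets store), since an account-level API key can read every device record.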
How to simulate a ransomware attack
The RMM Ransomware Detection engine looks for the existence of crypto-ransomware on endpoints using proprietary behavioral analysis of files; as such, correctly simulating that behavior causes the Ransomware Detection engine to react exactly as it would to real ransomware.
Datto has prepared a simulation package that uses the RanSim tool from KnowBe4. To use it, follow these instructions:
- Download the Ransomware Simulator from KnowBe4 (RanSim).
- Download the Datto RMM Ransomware Simulation Package (AutoRS2.zip).
- Find a device to run the ransomware simulation on. Ideally, this is a virtual machine for which a snapshot exists. Although the simulation is non-destructive, it requires antivirus software to be disabled.
- Follow the readme.txt file enclosed within the archive. The script will guide you through the process of performing a ransomware simulation. No simulation is performed without seeking user consent first.
If you have suggestions or comments regarding the simulation package, please submit your feedback via the Send Feedback button in the upper-right corner of any page.
NOTE How to get or run real ransomware is outside the scope of this procedure.
RMM detects ransomware attacks by analyzing file update behavior and detecting file encryption. To test detection of ransomware, follow these steps:
- Configure RMM with Ransomware Detection enabled. Refer to How can I set up Ransomware Detection?.
- Create a folder under the root (for example, C:\User\).
- Place a number of normal-sized user files in the folder (30-50 files or more). There should be several different types of files; for example, graphic files, text files, and so forth.
- Wait at least three minutes before starting the ransomware, so that the files are not treated as transient.
- Download and start the ransomware. It can take up to a minute or more before the encryption process starts, depending on the type of ransomware.
- If the ransomware begins to encrypt files, RMM should create an alert and try to kill the ransomware process.
IMPORTANT Do not create the folder in Program Data, AppData, Temp folders, or other folders not normally targeted by ransomware.
NOTE When the RMM Agent is started for the first time, it takes at least 15 minutes before the Ransomware Detection process starts. The same delay can apply when the Agent is started on a virtual machine.
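The folder-seeding steps above, as an added example that is not part of Datto's documentation or tooling: a PowerShell script that builds the test corpus (text, CSV, RTF, JSON and valid BMP files of realistic size, so the monitor sees genuine user-file content rather than random bytes), refuses the ProgramData, AppData and Temp locations the IMPORTANT note excludes, and records a SHA-256 manifest outside the folder so you can tell afterwards whether anything was actually encrypted. The folder path, file count and manifest path are placeholder defaults, and the script is assumed to run in Windows PowerShell 5.1 or later.

```powershell
# Seed a test folder with mixed, realistic user files for a Ransomware Detection test.
# Added example for this page; it is not Datto's own tooling. Assumptions: Windows
# PowerShell 5.1 or later, and $TestFolder / $FileCount / $ManifestPath are placeholder
# defaults you can change.
param(
    [string]$TestFolder   = 'C:\RwdTest',
    [int]   $FileCount    = 40,
    [string]$ManifestPath = (Join-Path $env:ProgramData 'RwdTest\manifest.csv')
)
$ErrorActionPreference = 'Stop'

# Refuse the locations the page says ransomware does not normally target.
$excluded = @($env:ProgramData, $env:APPDATA, $env:LOCALAPPDATA, $env:TEMP) |
    Where-Object { $_ } |
    ForEach-Object { [System.IO.Path]::GetFullPath($_).TrimEnd('\') + '\' }
$target = [System.IO.Path]::GetFullPath($TestFolder).TrimEnd('\') + '\'
foreach ($p in $excluded) {
    if ($target.StartsWith($p, [System.StringComparison]::OrdinalIgnoreCase)) {
        throw "Refusing $TestFolder: it is under $p, which ransomware does not normally target."
    }
}
New-Item -ItemType Directory -Path $TestFolder -Force | Out-Null
$rand  = [System.Random]::new(20240101)   # fixed seed: repeated runs build the same corpus
$words = 'invoice quarterly report customer project schedule budget meeting notes summary review'.Split(' ')

function New-TextContent([int]$Lines) {
    $sb = [System.Text.StringBuilder]::new()
    for ($i = 0; $i -lt $Lines; $i++) {
        $n = $rand.Next(8, 16)
        [void]$sb.AppendLine(((1..$n | ForEach-Object { $words[$rand.Next($words.Length)] }) -join ' '))
    }
    return $sb.ToString()
}

# A valid 24-bit BMP with a colour gradient, so the "graphic" files are real images, not random bytes.
function New-BitmapBytes([int]$Width, [int]$Height) {
    $rowSize    = [int][math]::Ceiling($Width * 3 / 4) * 4     # rows are padded to 4 bytes
    $pixelBytes = $rowSize * $Height
    $ms = [System.IO.MemoryStream]::new()
    $bw = [System.IO.BinaryWriter]::new($ms)
    $bw.Write([byte[]](0x42, 0x4D))                     # 'BM'
    $bw.Write([uint32](54 + $pixelBytes)); $bw.Write([uint32]0); $bw.Write([uint32]54)
    $bw.Write([uint32]40); $bw.Write([int32]$Width); $bw.Write([int32]$Height)
    $bw.Write([uint16]1); $bw.Write([uint16]24)         # 1 plane, 24 bits per pixel
    $bw.Write([uint32]0); $bw.Write([uint32]$pixelBytes)
    $bw.Write([int32]2835); $bw.Write([int32]2835)      # 72 DPI
    $bw.Write([uint32]0); $bw.Write([uint32]0)
    for ($y = 0; $y -lt $Height; $y++) {
        $row = [byte[]]::new($rowSize)
        for ($x = 0; $x -lt $Width; $x++) {
            $row[$x * 3]     = [byte][math]::Floor($x * 255 / $Width)
            $row[$x * 3 + 1] = [byte][math]::Floor($y * 255 / $Height)
            $row[$x * 3 + 2] = 0x80
        }
        $bw.Write($row)
    }
    $bw.Flush()
    return ,$ms.ToArray()
}

$manifest = @()
for ($i = 1; $i -le $FileCount; $i++) {
    switch ($i % 5) {
        0 { $name = "photo_$i.bmp";  $bytes = New-BitmapBytes ($rand.Next(96, 256)) ($rand.Next(96, 256)) }
        1 { $name = "report_$i.txt"; $bytes = [Text.Encoding]::UTF8.GetBytes((New-TextContent ($rand.Next(400, 2000)))) }
        2 { $name = "data_$i.csv"
            $rows = 1..($rand.Next(300, 1500)) | ForEach-Object { "$_,$($words[$rand.Next($words.Length)]),$($rand.Next(1, 100000))" }
            $bytes = [Text.Encoding]::UTF8.GetBytes("id,item,amount`r`n" + ($rows -join "`r`n")) }
        3 { $name = "memo_$i.rtf"
            $body = (New-TextContent ($rand.Next(200, 800))) -replace "`r`n", '\par '
            $bytes = [Text.Encoding]::ASCII.GetBytes('{\rtf1\ansi\deff0{\fonttbl{\f0 Calibri;}}\f0\fs22 ' + $body + '}') }
        4 { $name = "settings_$i.json"
            $obj = 1..($rand.Next(50, 200)) | ForEach-Object { [pscustomobject]@{ id = $_; item = $words[$rand.Next($words.Length)]; enabled = ($_ % 2 -eq 0) } }
            $bytes = [Text.Encoding]::UTF8.GetBytes(($obj | ConvertTo-Json)) }
    }
    $path = Join-Path $TestFolder $name
    [System.IO.File]::WriteAllBytes($path, $bytes)
    $manifest += [pscustomobject]@{ Name = $name; Size = $bytes.Length; Sha256 = (Get-FileHash -Path $path -Algorithm SHA256).Hash }
}

# Keep the manifest outside the test folder (ProgramData is not a normal ransomware target) for the post-test comparison.
New-Item -ItemType Directory -Path (Split-Path $ManifestPath) -Force | Out-Null
$manifest | Export-Csv -Path $ManifestPath -NoTypeInformation
"Seeded $FileCount files in $TestFolder (manifest: $ManifestPath)."
"Start the ransomware sample no earlier than $((Get-Date).AddMinutes(3).ToString('HH:mm:ss')) so the files are not treated as transient."
```

Run it on the snapshot-backed test VM before the sample, note the printed start time, and keep the manifest path for the post-test check. The manifest is deliberately written under ProgramData so it survives the encryption run and gives you an objective answer to "did anything get encrypted?" rather than eyeballing the folder.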
If RMM does not create an alert, check the following:
- If the files in the user folder were not renamed or deleted, the ransomware did not start or did not perform any encryption. This can happen for many reasons: for example, the ransomware is outdated, the remote site it attempts to contact is no longer active, it detects that it is running in a virtual machine, or it detects that the machine's keyboard layout is Russian or Ukrainian.
- If antivirus software is installed, it could block the ransomware. Antivirus software and similar programs should be disabled when testing.
- Simulation software such as RanSim from KnowBe4 cannot be used directly, because Datto RMM detects that it is not real ransomware. Use the modified version available from Datto instead. Refer to How to simulate a ransomware attack.
- Check that the log file C:\ProgramData\CentraStage\AEMAgent\DataLog\rwdetectfull.log has a recent time stamp. If not, Ransomware Detection was not enabled.
- If none of the above explains the missing alert, contact the Kaseya Helpdesk and provide a screenshot of the folder with the encrypted user files, a sample encrypted file, and the following log files:
- C:\ProgramData\CentraStage\AEMAgent\DataLog\aemagent.log
- C:\ProgramData\CentraStage\AEMAgent\DataLog\rwdetectfull.log
- C:\ProgramData\CentraStage\AEMAgent\DataLog\Archives\0.rwdetectfull.log
NOTE The log files are encoded in UTF-8.
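The troubleshooting checklist above, as an added example that is not Datto's own tooling: a PowerShell script that (1) compares the test folder against the SHA-256 manifest written by the seeding step, so you know whether the sample encrypted anything at all, (2) checks that rwdetectfull.log exists and has a recent timestamp, which this page gives as the sign that Ransomware Detection is enabled and running, and (3) bundles the three log files named above plus a listing of the test folder into a zip for the Helpdesk. The manifest path, folder path and output path are placeholders; the log paths are the ones named on this page. Run it elevated, since the Agent's DataLog folder lives under ProgramData.

```powershell
# Post-test check and Helpdesk log bundle for a Ransomware Detection test.
# Added example for this page; not Datto's own tooling. Assumptions: a manifest.csv
# (Name, Size, Sha256 columns) from the seeding step at $ManifestPath (optional), and the
# log paths named on this page. $TestFolder, $ManifestPath and $OutZip are placeholders.
param(
    [string]$TestFolder   = 'C:\RwdTest',
    [string]$ManifestPath = (Join-Path $env:ProgramData 'RwdTest\manifest.csv'),
    [string]$OutZip       = (Join-Path $env:ProgramData "RwdTest\rwd-logs-$(Get-Date -Format yyyyMMdd-HHmmss).zip")
)
$ErrorActionPreference = 'Stop'
$logDir = 'C:\ProgramData\CentraStage\AEMAgent\DataLog'
$logs = @(
    (Join-Path $logDir 'aemagent.log'),
    (Join-Path $logDir 'rwdetectfull.log'),
    (Join-Path $logDir 'Archives\0.rwdetectfull.log')
)

# 1. Did the sample actually encrypt anything? Compare the folder with the seed manifest.
if (Test-Path $ManifestPath) {
    $expected = @(Import-Csv $ManifestPath)
    $missing = 0; $changed = 0
    foreach ($e in $expected) {
        $p = Join-Path $TestFolder $e.Name
        if (-not (Test-Path $p)) { $missing++; continue }
        if ((Get-FileHash -Path $p -Algorithm SHA256).Hash -ne $e.Sha256) { $changed++ }
    }
    $extra = @(Get-ChildItem -Path $TestFolder -File | Where-Object { $expected.Name -notcontains $_.Name }).Count
    "Corpus: $($expected.Count) seeded, $missing missing, $changed modified, $extra new files (renamed/encrypted copies)."
    if ($missing -eq 0 -and $changed -eq 0 -and $extra -eq 0) {
        'No files were touched: the sample did not run or did not encrypt. Check AV, VM detection and the remote site before suspecting the monitor.'
    }
} else {
    "No manifest at $ManifestPath; skipping the corpus comparison."
}

# 2. Is the detection engine running? rwdetectfull.log must exist and have a recent timestamp.
$rwd = Get-Item (Join-Path $logDir 'rwdetectfull.log') -ErrorAction SilentlyContinue
if (-not $rwd) {
    'rwdetectfull.log is missing: Ransomware Detection is not enabled on this device.'
} else {
    $age = (Get-Date) - $rwd.LastWriteTime
    "rwdetectfull.log last written $([int]$age.TotalMinutes) min ago ($($rwd.LastWriteTime))."
    if ($age.TotalMinutes -gt 15) {
        'Stale log: the detection process may not have started yet (allow 15+ minutes after the Agent starts).'
    }
}

# 3. Bundle the logs (UTF-8) and a listing of the test folder for the Kaseya Helpdesk.
$stage = Join-Path $env:TEMP ('rwd-bundle-' + [guid]::NewGuid().ToString('N'))
New-Item -ItemType Directory -Path $stage -Force | Out-Null
foreach ($l in $logs) {
    if (Test-Path $l) { Copy-Item $l -Destination (Join-Path $stage (Split-Path $l -Leaf)) }
    else { "Log not found (include this in the ticket): $l" }
}
Get-ChildItem -Path $TestFolder -File | Select-Object Name, Length, LastWriteTime |
    Export-Csv -Path (Join-Path $stage 'test-folder-listing.csv') -NoTypeInformation
New-Item -ItemType Directory -Path (Split-Path $OutZip) -Force | Out-Null
Compress-Archive -Path (Join-Path $stage '*') -DestinationPath $OutZip -Force
Remove-Item $stage -Recurse -Force
"Bundle written to $OutZip; attach it with the screenshot and a sample encrypted file."
```

Read the corpus line first: if nothing was missing, modified or added, the ransomware never ran and there was no behavior for the monitor to detect, so the problem is on the sample side (AV, VM detection, dead remote site) and not a Ransomware Detection failure.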
Datto RMM Ransomware Detection was tested by a third-party IT security testing firm. This included the following:
- Testing the effectiveness of Ransomware Detection against current in-the-wild strains of ransomware.
- False positive tests where Ransomware Detection was used alongside legitimate apps that mimic malicious ransomware behaviors.
- Performance testing to check impact on system performance for devices running Ransomware Detection.
To view the results, you can download the report from here.
The number of Ransomware Detection licenses in use is shown on the Licenses page. Refer to Licenses. The Licenses in use count for Ransomware Detection displays the number of devices that have an active (enabled) Ransomware monitor.
Yes, you can continue to use Ransomware Detection after the promotion. The free promotional offer ended on January 2, 2023; at that point, the license count (the number of licenses offered during the promotion) was reset to zero. To continue to use Ransomware Detection and protect the endpoints you manage from ransomware attacks, navigate to Setup > Licenses. Click Add More Licenses in the Ransomware Detection card and follow the steps outlined in Add Ransomware Detection licenses. In the next billing cycle, you will be billed for the number of licenses purchased and listed under License count.
If you no longer wish to use Ransomware Detection to protect your endpoints, delete or disable any Ransomware Detection monitor in your Datto RMM account. Note that a Ransomware monitor can be added to a device as a standalone monitor, or as part of a Monitoring policy or an Endpoint Security policy. Refer to Ransomware monitor, Monitoring policy, and Endpoint Security policy.