Datto RMM is a secure and fully-featured cloud platform enabling MSPs to remotely monitor, manage, and support their endpoints, and it now also provides an extra layer of security with native Ransomware Detection. Datto RMM Ransomware Detection monitors for the existence of crypto-ransomware on endpoints using proprietary behavioral analysis of files and alerts you when a device is infected. Once ransomware is detected, Datto RMM can isolate the device and attempt to stop suspected ransomware processes to prevent the ransomware from spreading.
This topic provides an overview of Ransomware Detection in Datto RMM and answers questions frequently asked by our partners.
VIDEO Learn how Datto RMM Ransomware Detection serves you as a vital layer of security in your customer environment.
NOTE Following a recent update provided by KnowBe4, you will notice that the Collector file now has an .ex_ extension. It is necessary for you to manually change this to .exe (as it is displayed in the video below at 11:55) in order for the simulation to work correctly.
NOTE From 3:10 to 3:35, the video shows how to verify the amount of licenses you have and purchase additional licenses, if necessary. As part of the 10.1.0 release, we made a number of updates to the Licenses page to improve the user experience. To review the updated configuration, refer to Licenses - New UI.
- Know about ransomware infections instantly. Instead of waiting for a user to report the issue, Datto RMM will notify technicians at the moment files get encrypted by the ransomware. This will provide more time to respond and possibly prevent the spread. The screenshot below shows an example of a Datto RMM alert generated when ransomware is detected on a device.
- Easily monitor using policy-driven configuration. The powerful, policy-driven approach of Datto RMM allows MSPs to easily monitor targeted devices at scale for the presence of ransomware. Integrations with key MSP tools, such as Autotask PSA or ConnectWise Manage, along with email notification options, ensure that the right resources can be notified immediately if ransomware is detected.
- Prevent spreading of ransomware with automatic network isolation and termination of ransomware processes. Once ransomware is detected, you can have the Agent isolate the affected device from the network and attempt to stop suspected ransomware processes to prevent further spread of the ransomware to other devices.
- Remediate issues remotely. Devices automatically isolated from the network can still contact Datto RMM, allowing technicians to take effective action to resolve the issue.
- Recover with Datto Continuity products. When Datto RMM is integrated with Datto BCDR, technicians can quickly recover from the ransomware outbreak by restoring a device to a previous state.
- You must have an active Datto RMM subscription or trial.
- Ransomware Detection must be enabled.
NOTE The Ransomware monitor requires an additional license before it can be used. Refer to Add Ransomware Detection licenses.
- You must have the relevant permissions to add a Ransomware monitor to a device or to a Monitoring policy.
- Devices must be managed devices. Ransomware Detection is not available for OnDemand devices.
- The Ransomware monitor is only available in the New UI.
The Ransomware monitor can be applied on all supported Windows devices. Refer to Windows.
You can create a Ransomware monitor as a standalone monitor added to individual devices or as part of a Monitoring policy. The monitor includes the following features:
- Alert details that include options such as configuring monitored locations and paths, excluding file extensions, and setting alert priority. These criteria specify what the monitor looks for before an alert is created.
- Response details that include options such as isolating the affected device from the network or configuring a custom response component, attempting to stop suspected ransomware processes, creating tickets, and emailing responses.
For information about Ransomware Detection status, refer to RWD Status.
You can set up a Ransomware monitor like any other monitor, applied either at the device level or as part of a Monitoring policy. This includes the standard monitor settings (alert and response options) along with the option to isolate affected devices from the network and stopping suspected ransomware processes. Refer to Requirements and Ransomware monitor features.
The Ransomware Detection module is built into the Datto RMM Agent. Setting up Ransomware Detection requires only activation and licensing. Refer to Add Ransomware Detection licenses.
The solution is behavior-driven and does not require signatures.
Internet connectivity is not required in order for Ransomware Detection to monitor for the presence of ransomware and stop suspected ransomware processes. However, Datto RMM cannot send ransomware alerts until online.
If your Datto RMM account is integrated with Autotask PSA or ConnectWise Manage, then ransomware alerts created in Datto RMM can be configured to create tickets in those PSAs. Refer to Create a ticket.
Ransomware Detection is designed to work alongside other security products you deploy to your customer endpoints.
Device isolation can be reverted by running the Revert Device Isolation [WIN] component available in the ComStore. This will revert any isolation that has occurred on a device and return its ability to contact the Internet and other devices on the network. Refer to Download a component in the current UI and Download a component in the New UI.
IMPORTANT Always ensure you are using the latest version of this component. Running an older version could cause issues when attempting to restore internet connectivity settings. To learn how to update a component, refer to Update.
The RMM Ransomware Detection engine looks for the existence of crypto-ransomware on endpoints using proprietary behavioral analysis of files.
You can run a simulation package to test Datto RMM Ransomware Detection. The simulation package (AutoRS.zip) and a set of instructions (Readme.txt) are available to download from here.
If you have suggestions or comments regarding the simulation package, please submit your feedback via the Send Feedback button from the New UI.
NOTE How to get or run real ransomware is outside the scope of this procedure.
RMM detects ransomware attacks by analyzing file update behavior and detecting file encryption. To test detection of ransomware, follow these steps:
- Configure RMM with Ransomware Detection enabled. Refer to How can I set up Ransomware Detection?.
- Create a folder under the root (for example, C:\User\).
- Place a number of normal-sized user files in the folder (30-50 files or more). There should be several different types of files; for example, graphic files, text files, and so forth.
- Wait at least three minutes before starting the ransomware; this is to avoid files from being considered transient.
- Download and start the ransomware. It can take up to a minute or more before the encryption process starts, depending on the type of ransomware.
- If the ransomware begins to encrypt files, RMM should create an alert and try to kill the ransomware process.
IMPORTANT Do not create the folder in Program Data, AppData, Temp folders, or other folders not normally targeted by ransomware.
NOTE When RMM is started up for the first time, it takes at least 15 minutes before the Ransomware Detection process is started. This can also be the case if RMM is started from a virtual machine.
If RMM does not create an alert, check the following:
- If the files in the user folder were not renamed or deleted, it is a sign that the ransomware did not start up or perform any encryption. This can happen for many reasons; for example, the ransomware is outdated or the remote ransomware website the ransomware software attempts to connect to is no longer active, if it detects that it is running in a virtual machine, or if it detects that the keyboard of the machine is Russian or Ukrainian.
- If antivirus software is installed, it could block the ransomware. Antivirus software and similar programs should be disabled when testing.
- Simulation software, such as Ransim from KnowBe4, cannot be used directly because RMM detects that it is not real ransomware. Use the modified version available from Datto instead. Refer to Can I test Ransomware Detection?.
- Check that the log file C:\ProgramData\CentraStage\AEMAgent\DataLog\rwdetectfull.log has a recent timestamp. If not, Ransomware Detection was not enabled.
- If any of the above did not explain the missing alert, please provide a screenshot of the folder with the encrypted user files, a sample encrypted file, and the following log files:
NOTE The log files are encoded in UTF-8.
Datto RMM Ransomware Detection was tested by a third-party IT security testing firm. This included the following:
- Testing the effectiveness of Ransomware Detection against current in-the-wild strains of ransomware.
- False positive tests where Ransomware Detection was used alongside legitimate apps that mimic malicious ransomware behaviors.
- Performance testing to check impact on system performance for devices running Ransomware Detection.
To view the results, you can download the report from here.