Ransomware Detection

Datto RMM is a secure and fully-featured cloud platform enabling MSPs to remotely monitor, manage, and support their endpoints, and it now also provides an extra layer of security with native Ransomware Detection. Datto RMM Ransomware Detection monitors for the existence of crypto-ransomware on endpoints using proprietary behavioral analysis of files and alerts you when a device is infected. Once ransomware is detected, Datto RMM can isolate the device and attempt to stop suspected ransomware processes to prevent the ransomware from spreading.

This topic provides an overview of Ransomware Detection in Datto RMM and answers questions frequently asked by our partners.

VIDEO  Learn how Datto RMM Ransomware Detection serves you as a vital layer of security in your customer environment.

NOTE  Following a recent update provided by KnowBe4, you will notice that the Collector file now has an .ex_ extension. It is necessary for you to manually change this to .exe (as it is displayed in the video below at 11:55) in order for the simulation to work correctly.

NOTE  From 3:10 to 3:35, the video shows how to verify the amount of licenses you have and purchase additional licenses, if necessary. As part of the 10.1.0 release, we made a number of updates to the Licenses page to improve the user experience. To review the updated configuration, refer to Licenses - New UI.

Music: Bensound

Key benefits

  • Know about ransomware infections instantly. Instead of waiting for a user to report the issue, Datto RMM will notify technicians at the moment files get encrypted by the ransomware. This will provide more time to respond and possibly prevent the spread. The screenshot below shows an example of a Datto RMM alert generated when ransomware is detected on a device.
  • Easily monitor using policy-driven configuration. The powerful, policy-driven approach of Datto RMM allows MSPs to easily monitor targeted devices at scale for the presence of ransomware. Integrations with key MSP tools, such as Autotask PSA or ConnectWise Manage, along with email notification options, ensure that the right resources can be notified immediately if ransomware is detected.
  • Prevent spreading of ransomware with automatic network isolation and termination of ransomware processes. Once ransomware is detected, you can have the Agent isolate the affected device from the network and attempt to stop suspected ransomware processes to prevent further spread of the ransomware to other devices.
  • Remediate issues remotely. Devices automatically isolated from the network can still contact Datto RMM, allowing technicians to take effective action to resolve the issue.
  • Recover with Datto Continuity products. When Datto RMM is integrated with Datto BCDR, technicians can quickly recover from the ransomware outbreak by restoring a device to a previous state.


  • You must have an active Datto RMM subscription or trial.
  • Ransomware Detection must be enabled.

NOTE  The Ransomware monitor requires an additional license before it can be used. Refer to Add Ransomware Detection licenses.

  • You must have the relevant permissions to add a Ransomware monitor to a device or to a Monitoring policy.
  • Devices must be managed devices. Ransomware Detection is not available for OnDemand devices.
  • The Ransomware monitor is only available in the New UI.

Supported devices

The Ransomware monitor can be applied on all supported Windows devices. Refer to Windows.

Ransomware monitor features

You can create a Ransomware monitor as a standalone monitor added to individual devices or as part of a Monitoring policy. The monitor includes the following features:

  • Alert details that include options such as configuring monitored locations and paths, excluding file extensions, and setting alert priority. These criteria specify what the monitor looks for before an alert is created.
  • Response details that include options such as isolating the affected device from the network or configuring a custom response component, attempting to stop suspected ransomware processes, creating tickets, and emailing responses.

For information about how to create a monitor in the New UI and how to specify the details of a Ransomware monitor, refer to Monitors - New UI and Ransomware monitor.

For information about how to create a policy in the New UI and how to specify the details of a Monitoring policy, refer to Policies - New UI and Monitoring policy.

For information about Ransomware Detection status, refer to RWD Status.