62362: Acronis Active Protection: FAQ on missed ransomware attacks

Last update: 07-07-2021

Answers to frequent questions


Question: Why was a ransomware attack not stopped by Acronis Active Protection? What happened?

Answer: There are many possible reasons; an investigation is required to determine the cause.

Please note that a previously made backup is the only way to restore locked (encrypted) data. The term "investigation" here refers to the effort we put into finding the root cause of the issue, not into decrypting the data.
  • Acronis Active Protection prevents ransomware attacks, but it does not cure or decrypt files if it is installed after the attack has already happened.
  • If Acronis Active Protection is turned off, or its service is stopped or disabled, the computer is exposed to attacks.
  • If the Acronis software installation is incomplete, corrupted or damaged by a third party, Active Protection may not work properly.
  • Acronis Active Protection runs only within the operating system where it was installed. If attackers, locally or remotely, reboot the computer into a malicious boot environment, the installed operating system is not loaded and Acronis Active Protection cannot prevent file encryption.
  • Acronis Active Protection scans and monitors only processes running on the local computer. Files stored on the local computer in a folder that is shared with others on the local network are exposed to attacks from the network, especially if the credentials for accessing the shared folder are compromised.
  • The human factor: an application that should not have been trusted was allowed to execute or was added to the white list in the Acronis Active Protection settings.
  • Acronis Active Protection has a defined scope of protection and a set of mechanisms to counter ransomware attacks. We are constantly working on expanding them to cover more possible scenarios, but new ransomware attacks may appear that we have not yet implemented protection against.

An Acronis representative will request some diagnostic information about your system and the attack. To help Acronis find the root cause in your particular case, please provide the requested diagnostic data.

Please keep in mind that, depending on the results of the initial investigation, Acronis may or may not ask you for samples of encrypted files or for permission to access the system drive to extract the ransomware itself, even if it was "permanently" deleted.


Question: How do I recover files that were encrypted by ransomware?

Answer: Recover the files from a previously made backup. Refer to the respective section of the documentation for instructions on how to restore files from a backup.