62362: Acronis Active Protection: FAQ on missed ransomware attacks

Answers to frequent questions


Question: why a ransomware attack was not stopped by Acronis Active Protection? What happened?

Answer: there are many possible reasons, an investigation is required to determine the cause.

Please note, that a previously made backup is the only way to restore locked (encrypted) data. The term "investigation" here refers to efforts that we put to find out the root cause of the issue, not decrypt the data.
  • Acronis Active Protection prevents ransomware attacks, but it does not cure or decrypt files, if installed after the attack already happened.
  • If Acronis Active Protection is turned off or its service is stopped or disabled, computer is exposed to attacks.
  • If Acronis software's installation is incomplete, corrupted or damaged by a third party, Active Protection may not work properly.
  • Acronis Active Protection runs with the operating system where it was installed only. If attackers, locally or remotely, reboot the computer into malicious boot environment, the installed operating system is not loaded and Acronis Active Protection cannot prevent files encryption.
  • Acronis Active Protection scans and monitors processes, running on the local computer only. Files, stored on the local computer in a folder that is shared with others in the local network, are exposed to attacks from the network, especially if credentials to access the shared folder are compromised.
  • A human factor, when an application that should have not been trusted, was allowed execution or added to the white list in Acronis Active Protection settings
  • Acronis Active Protection has a defined scope of protection and a set of mechanisms to counter ransomware attacks. We are constantly working on expanding them to cover more possible scenarios, but it is possible that a new ransomware attacks, that we have not implemented protection against yet.

To help Acronis find out the root cause in your particular case, provide the following information to Acronis representative:

  1. Date and time, when the ransomware attack was noticed.
  2. If you suspect any link, website or program, where the ransomware could have originated, share the details with Acronis
  3. Screenshot of the ransom demand. Details on that screen help identifying which exact ransomware it was.
  4. Screenshot with the names of the encrypted files. Some ransomware use specific patterns of naming encrypted files, which also helps with investigation.
  5. Whether the encrypted files were residing in a shared folder.
  6. A system report. See instructions at https://kb.acronis.com/content/2707
  7. If the system report generation tool does not produce the system report file, generate a file as per instructions https://kb.acronis.com/content/1640, and also compress the following folder and send them to Acronis:

    Windows:  C:\ProgramData\Acronis
    (Note that the folder C:\ProgramData is hidden by default on Windows, and in order to see it you need to enable display of hidden files and folders in Windows Explorer under View - Hidden items, or under Control Panel - Appearance and Personalization - Show hidden files and folders.)

    Mac: \Library\Application Support\Acronis

Please keep in mind that depending on the results of the initial investigation, Acronis may and may not ask you for samples of encrypted files, permission to access the system drive to extract the ransomware itself, even if it was "permanently" deleted.


Question: I have the free Acronis Ransomware Protection. Is it not maintained and not updated anymore?

Answer: the free Acronis Ransomware Protection receives updates just as regularly as paid Acronis products. It does not have their advanced features, like protection against illicit mining of crypto currencies, or protection of remote data, accessed from the local computer, but in the main aspect of anti-ransomware protection of the local computer it is on a par with them and is kept up-to-date.


Question: how to recover files that were encrypted by ransomware?

Answer: recover files from a previously made backup. Refer to the respective section of documentation for instructions how to restore files from a backup.



You are reporting a typo in the following text:
Simply click the "Send typo report" button to complete the report. You can also include a comment.
This question is for testing whether or not you are a human visitor and to prevent automated spam submissions.
1 + 1 =
Solve this simple math problem and enter the result. E.g. for 1+3, enter 4.