64969: Acronis Software: Acronis Active Protection creates files with .ENCRYPTED extension

Last update: Thu, 2020-09-03 06:01

Symptoms

The folder C:\Acronis Active Protection Storage contains files with the .ENCRYPTED extension. The files may be related to custom or hand-written programs on the computer.

Cause

When a program modifies files on the computer, Acronis Active Protection may produce a false positive and detect that program as ransomware, especially if some files or databases are modified quickly.

When ransomware is detected, Active Protection stops the suspicious program, reverts the changes made by the program, and puts copies of the modified files in the C:\Acronis Active Protection Storage folder. The .ENCRYPTED extension is added to these files to indicate that they are copies of the original encrypted files.

These copies can be used for forensic purposes (investigating the encryption in order to learn more about the ransomware) or in case the user pays the ransom and has the opportunity to decipher them. This is a "plan B" for the rare cases when Acronis Active Protection cannot restore the original non-encrypted files or they get corrupted during recovery.

Solution

Whitelist the custom application that causes a false-positive ransomware detection and triggers file recovery.

If the blocked application is trusted, the contents of the C:\Acronis Active Protection Storage folder can be safely deleted.

If you want to recover the contents of C:\Acronis Active Protection Storage to the original location after a false positive, rename the files to remove the .ENCRYPTED extension and move or copy them to the required location.
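The rename-and-copy step above can be scripted when the folder holds many files. This is an added example, not Acronis code: the function name and the staging path in the usage comment are hypothetical, and it assumes .ENCRYPTED was appended to the original file name. It copies rather than moves, so the storage folder stays intact until the results have been checked.

```powershell
# Added example: copy files out of the Active Protection storage folder with the
# trailing .ENCRYPTED extension removed. Nothing in the storage folder is changed.
function Restore-ActiveProtectionCopy {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Storage folder named in the article.
        [string]$StoragePath = 'C:\Acronis Active Protection Storage',
        # Staging folder chosen by the administrator (hypothetical parameter).
        [Parameter(Mandatory)][string]$Destination
    )

    $root = (Resolve-Path -LiteralPath $StoragePath).ProviderPath.TrimEnd('\')

    Get-ChildItem -LiteralPath $root -Recurse -File |
        Where-Object { $_.Extension -ieq '.ENCRYPTED' } |
        ForEach-Object {
            # Mirror whatever sub-folder layout exists below the storage root.
            $relativeDir = $_.DirectoryName.Substring($root.Length).TrimStart('\')
            $targetDir = if ($relativeDir) { Join-Path $Destination $relativeDir } else { $Destination }

            # Strips only the last extension: report.docx.ENCRYPTED -> report.docx
            $targetName = [System.IO.Path]::GetFileNameWithoutExtension($_.Name)
            $target = Join-Path $targetDir $targetName

            # Never overwrite: an existing file may be the good, already-reverted copy.
            if (Test-Path -LiteralPath $target) {
                Write-Warning "Skipped, target already exists: $target"
                return
            }

            if ($PSCmdlet.ShouldProcess($_.FullName, "Copy to $target")) {
                New-Item -ItemType Directory -Path $targetDir -Force | Out-Null
                Copy-Item -LiteralPath $_.FullName -Destination $target
                [pscustomobject]@{ Source = $_.FullName; Target = $target }
            }
        }
}

# Dry run first (constructed staging path), then repeat without -WhatIf:
# Restore-ActiveProtectionCopy -Destination 'D:\ap-review' -WhatIf
```

Review the staged files before moving them to their original locations, and delete the storage folder contents only after the whitelisted application has been confirmed as trusted.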
