Folder C:\Acronis Active Protection Storage contains files with .ENCRYPTED extension. Files may be related to custom or hand-written programs on the computer.
When programs modify files on the computer, Acronis Active Protection may have a false positive and detect that program as ransomware, especially if some files or databases are modified quickly.
When ransomware is detected, Active Protection stops the suspicious program, reverts the changes made by the program and puts copies of the modified files in C:\Acronis Active Protection Storage folder. Extension .ENCRYPTED is added to these files to indicate that they are the copies of original encrypted files.
These copies can be used for forensic purposes (investigate the encryption in order to learn more about the ransomware) or in case user pays the ransom and has the opportunity to decipher them. This is "plan B" for rare cases when Acronis Active Protection cannot restore the original non-encrypted files or they get corrupted during recovery.
Whitelist the custom application that causes a false-positive ransomware detection and triggers file recovery.
- Acronis Cyber Backup 12.5: see product documentation
- Acronis True Image: see Acronis True Image: Active Protection blocks legitimate applications for instructions.
If the blocked application is trusted, contents of C:\Acronis Active Protection Storage folder can be safely deleted.
If you want to recover contents of C:\Acronis Active Protection Storage to original location after a false positive, rename the files to remove .ENCRYPTED extension and move or copy them to the required location.