To help Acronis find out the root cause in your particular case, please provide the following information to Acronis representative:
- Date and time, when the ransomware attack was noticed.
- Acronis Active Protection status when the issue appeared - was it turned on/off or its service was running/stopped or disabled.
- If you suspect any link, website or program, where the ransomware could have originated, share the details with Acronis.
- Screenshot of the ransom demand. Details on that screen help us identify which ransomware it was exactly.
- Screenshot with the names of the encrypted files. Some ransomware use specific patterns of naming encrypted files, which also helps with investigation.
- Whether the encrypted files were residing in a shared folder.
- Copies of the files with .ENCRYPTED extension in C:\Acronis Active Protection Storage, if any are present
- A system report. See instructions:
- If the system report generation tool does not produce the system report file, generate a file as per instructions https://kb.acronis.com/content/1640, and also compress the following folder and send them to Acronis:
(Note that the folder C:\ProgramData is hidden by default on Windows, and in order to see it you need to enable display of hidden files and folders in Windows Explorer under View - Hidden items, or under Control Panel - Appearance and Personalization - Show hidden files and folders.)
- Mac: \Library\Application Support\Acronis
- Get the sector-by-sector backup of the affected machine.
- If there is no agent installed, create a backup from bootable media. For Acronis Cyber Cloud product get the Acronis Backup bootable media.
- If sector-by-sector backup cannot be created, make a default one.