Ransomware Prevention (RWP) with Syncrify
Ransomware is a menace that can wreak havoc on any company.
Although data backed up through Syncrify can save your day, users often do not find out about
the attack until it is too late. Consider the following example:
- You have configured Syncrify to back up every night around 7 PM
- Ransomware hits around 4:45 PM on a Friday, fifteen minutes prior to close of business
- By 6:30 PM every important document is encrypted
- A backup runs at 7 PM, which contaminates previously backed up data.
features can be used to restore original files, version 4.4 of
Syncrify introduces another feature that can detect an attack and skip the backup if a ransomware attack is detected, preventing
a good set of backups from getting corrupted as well.
Important: RWP is designed to work when the backup direction is either Client-to-Server or Two-way-sync.
It does not work if the direction is Server-to-Client.
How RWP works
Syncrify creates a dummy file, called a bait, in every top-level folder on the client's machine. This file gets downloaded from
your Syncrify Server and will have the same size and last modified date, meaning the copy on the client's machine will be identical
to the copy on the server.
Before backing up a top-level folder, Syncrify checks that the file on the client matches the copy on the server. An error gets logged if the
file does not match, allowing the user to take corrective measures.
Tip: A bait file will be created in every top-level folder on the source machine.
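The pre-backup check described above can be sketched as follows. This is an added example, not Syncrify's own code: the per-folder skip decision, the SHA-256 comparison on top of size and last modified date, and all function names are assumptions, and the client and server folders are constructed in a temporary directory.

```python
import hashlib
import os
import tempfile
from pathlib import Path

BAIT_NAME = "RansomwareBait.docx"  # example name from the page
MTIME = 1700000000                 # constructed timestamp for the demo

def fingerprint(path):
    """Size, whole-second mtime and SHA-256 (the hash is an added assumption)."""
    st = path.stat()
    return st.st_size, int(st.st_mtime), hashlib.sha256(path.read_bytes()).hexdigest()

def check_folder(folder, reference):
    """Return 'ok', 'missing' or 'modified' for one top-level folder."""
    bait = Path(folder) / BAIT_NAME
    if not bait.is_file():
        return "missing"  # deleted or renamed, or never created (e.g. permissions)
    return "ok" if fingerprint(bait) == fingerprint(reference) else "modified"

def plan_backup(folders, reference):
    """Split folders into those safe to back up and those to skip with a reason."""
    results = {Path(f).name: check_folder(f, reference) for f in folders}
    safe = [name for name, state in results.items() if state == "ok"]
    skipped = {name: state for name, state in results.items() if state != "ok"}
    return safe, skipped

def demo():
    """Build a constructed client/server layout and run the check."""
    with tempfile.TemporaryDirectory() as tmp:
        reference = Path(tmp, "server", BAIT_NAME)
        reference.parent.mkdir()
        reference.write_bytes(b"Ransomware detection file. Please do not edit.\n")
        os.utime(reference, (MTIME, MTIME))
        folders = [Path(tmp, "client", n) for n in ("Documents", "Pictures", "Projects")]
        for folder in folders:
            folder.mkdir(parents=True)
        for folder in folders[:2]:  # Projects never receives a bait file
            bait = folder / BAIT_NAME
            bait.write_bytes(reference.read_bytes())
            os.utime(bait, (MTIME, MTIME))
        # Constructed tampering: the bait in Pictures is overwritten
        (folders[1] / BAIT_NAME).write_bytes(b"\x00" * 64)
        return plan_backup(folders, reference)

if __name__ == "__main__":
    print(demo())
```

The "missing" state is reported separately from "modified" because a bait that was never created is a common false-alarm cause rather than evidence of an attack.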
RWP is turned on by default. Syncrify server creates the bait file automatically by assigning a random file name.
Administrators can change this name to something more meaningful. The following steps demonstrate how to do this:
- Log in to Syncrify Server's web interface
- Click Configuration and select the Security tab
- Specify a file name for Ransomware File. This will be the name of your bait
- Create a file with the same name and put it in the
$INSTALL_DIR/RansomwarePrevention folder on the machine where
Syncrify server is running. For example,
create a file called RansomwareBait.docx using Microsoft Word and save it in the
It is important to use a file extension that is typically targeted by ransomware. For example, *.docx, *.jpg, *.xlsx and *.pdf
are good choices. It is also recommended to write a message in the file explaining its purpose to your end-users.
$INSTALL_DIR refers to the path where Syncrify Server is installed. On Windows, this is typically
C:\Syncrify and on Linux
To disable this feature globally, remove the value for the Ransomware File field in the Security
tab of the Configuration
This will disable RWP for every client.
Disabling RWP for a single profile
Occasionally, you may want to disable RWP for a single profile. The following steps demonstrate how to do that.
Since the file created by RWP will be visible to the end-user, it is likely they may modify the file by mistake, triggering a false alarm. In that
case, you must Reset RWP. To do that, open Syncrify Client and select Reset RWP
under the Tools
Common Reasons For False Alarm
Consider the following reasons if a false alarm is triggered:
- Reason 1: A user mistakenly modifies the file.
- Reason 2: The background service running Syncrify Client is unable to create the bait file. By default, the background service runs under
the SYSTEM account. Depending upon the permissions on your machine, it is possible the operating system will not let the SYSTEM account create a file.
A common folder where this happens is the user's Desktop, which is considered a private folder, so the operating system will not allow the SYSTEM account to create a file there.
To fix this, open Syncrify Client and click Reset RWP from the Tools menu. Then, run a full backup using the GUI (manual backup), which will
create the bait file. Once the bait file is created, subsequent backups won't trigger the alert.
Users will see an extra file in every top-level folder. Unfortunately, making this file hidden and/or read-only
may cause the ransomware to skip it, defeating its purpose.