Handling a Ransomware Incident
  • 1 Minute to read
  • Dark
  • PDF

Handling a Ransomware Incident

  • Dark
  • PDF

Article summary

If a ransomware attack is identified by CTERA Ransom Protect, the following occurs:

  • The Ransom Protect page displays the analyzed events over time and the status changes from Active to Alert.
  • If Ransomware Mitigation is checked in the Ransom Protect Settings window, the user who initiated the suspected attack is added to the Blocked Users group.

An email is also sent to the administrator by the edge filer describing the attack.


The alert status is displayed for one hour.

Recovering From a Ransomware Attack

Once a ransomware attack has been identified, every affected file is listed. You can then go through the list and rollback the affected files to the state immediately prior to the attack. For details, see Accessing Previous File Versions.

You display the list of affected files by clicking Details to the right of the attack details.

The Incident Details page is displayed.
The top part of the Incident Details report provides the following information about the incident:
Start Time – The date and time that the suspected ransomware attack started.
Username – The name of the user that initiated the suspected attack.
IP Address – The IP address from where the attack was initiated.
Detection Threshold – A number between zero and one that is used to determine the detection sensitivity.

The second part of the Incident Details report provides detailed information about each operation:
Time – The date and time that the suspect operation started.
Operation – The operation that is suspected of being a ransomware attack.
Source Path – The full path and file name of the file that the suspected attack affected.
Destination Path – If the file was moved, the full path and file name of the destination.

To export the incident details report to Microsoft Excel:

  1. Access the Incident Details page for the ransomware incident.
  2. Click Export to Excel.

The incident details are exported as an Excel file to your computer.

Investigating Ransomware Incidents

CTERA is dedicated to providing the best user experience possible and can investigate false positive incidents to better configure CTERA Ransom Protect.

To analyse ransomware incident, send the support report to CTERA support. The support report includes the CTERA Ransom Protect service logs, as well as the incident details report. For details about sending a support report to CTERA Support, see Generating a Support Report.

Was this article helpful?