Working with Ransomware Rollback


SECURITY  Datto EDR subscription with administrator or analyst-level platform access

SECURITY  Service account or administrator-level rights on the target endpoint

Ransomware Rollback is a lightweight, efficient system that monitors changes to endpoint disk space and provides rollback functionality for files impacted by ransomware.

It uses agent software installed on your protected endpoints to silently track file changes in the background, and a desktop application for monitoring and managing the rollback process. The solution works in tandem with Datto EDR's ransomware detection engine to protect documents and databases targeted by ransomware attacks.

This topic explores the Ransomware Rollback feature and answers questions frequently asked by our partners. For information about our ransomware detection feature, refer to Understanding Datto EDR's ransomware detection.

BEFORE YOU BEGIN  If Ransomware Rollback is unavailable in your EDR instance, please contact Technical Support to enable it.


Getting started

To use Ransomware Rollback, you'll need to install the rollback agent on all endpoints you'd like to protect and ensure that they're being monitored by your Datto EDR ransomware policy. Once you've done so, when you receive a ransomware alert, you can use the Rollback Driver Desktop application on the affected machine to investigate, triage, and undo the attack. Perform the following steps to set up the agent and protect your endpoints.

Responding to ransomware alerts

Responding to ransomware alerts and rolling back an infection on a protected machine begins with a two-step process in Datto EDR. When you receive a ransomware alert, perform the following steps:

IMPORTANT  Ransomware Rollback cannot roll back the entire system state. It is designed to facilitate the recovery of critical business files only. If your operating system has also been compromised by ransomware, you may need to leverage your BCDR solution to achieve full restoration.

Sending feedback

Understanding your experience with Ransomware Rollback is critical to our continuous improvement. When contacting our team to provide feedback or to report a problem with a specific endpoint, be sure to include your device details. To do so, perform the following steps:

  1. Launch the Rollback Driver Desktop application on the endpoint you'd like to discuss.

  2. From the header menu, click the icon. The About window will open.

  3. Right-click the value shown in the DeviceId field. Then, click Copy DeviceId to Clipboard.

  4. Provide the copied information to your Datto Account Executive or Technical Support Expert so that we can best assist you.

Frequently Asked Questions (FAQs)

Need support?

Kaseya is always available to assist further. Your Kaseya Account Executive can enroll you in basic and intermediate-level platform training. For technical assistance, visit our Kaseya Support article to learn how to get in touch.