Working with Ransomware Rollback

• Quick and efficient recovery: Ransomware Rollback application swiftly restores files to their original state, minimizing downtime and enabling users to regain access to their documents.
• Lightweight and non-intrusive: The application operates seamlessly in the background without causing noticeable performance degradation or disruptions to daily operations.
• Custom minifilter driver for enhanced protection: By using a custom minifilter driver, Ransomware Rollback avoids reliance on Windows Shadow Copy, which is often targeted by ransomware attacks, ensuring a higher level of protection.
• Comprehensive ransomware detection: Our integrated ransomware detection feature enables the solution to work in tandem with the rollback mechanism for maximum effectiveness.
• Scalability: This solution is suitable for businesses of all sizes, ensuring that data remains protected no matter the scale of the organization.
• Robust file deletion handling: The handling of file deletions, through the creation of hard links in a tracking directory, ensures that users can quickly restore deleted files, even in the case of accidental removal.
• Application compatibility: Ransomware Rollback works with various database applications, including SQL Server and QuickBooks, ensuring comprehensive protection across different types of software.

• Minimize downtime: Quickly recover from ransomware attacks, reducing the impact on productivity for your organization.
• Enhance business continuity: By enabling the rollback of critical files, our solution helps maintain business continuity, ensuring that essential operations can continue even in the face of a ransomware attack.
• Save costs: Recovering from ransomware attacks can be expensive, involving not only the potential ransom payment but also the costs of data recovery and IT support. Ransomware Rollback can help mitigate these expenses by streamlining the recovery process.
• Improve your security posture: Adding rollback functionality to your endpoint protection provides an additional layer of protection to your existing security measures, bolstering your organization's overall security posture and resilience against ransomware threats.
• Simplify the recovery process: Ransomware Rollback enables you to perform targeted rollbacks based on specific ransomware processes or time frames, making the recovery process more straightforward and efficient.
• Integrate with ease: Our solution works seamlessly with Windows 10 and 11 operating systems. It also integrates with the EDR portal, ensuring easy adoption and implementation for a wide range of businesses.
• Customize resource allocation: Because you can adjust disk space allocation for the ransomware rollback driver, you can tailor the solution to your specific needs, optimizing resource usage and efficiency.
• Feel confident: Knowing that your organization has an additional layer of protection against ransomware attacks provides peace of mind and a sense of security, enabling you to focus on your core business operations.

Ransomware Rollback supports laptops, desktop, file servers, and terminal servers running Windows 10, Windows 11, and Windows Server (version 2019 and above).

We do not recommend installing Ransomware Rollback on database, domain controller, Exchange, or Active Directory servers. These types of endpoints generate very high amounts of reads and writes to the disk, which may impact host performance. Instead, use a solution specifically designed to protect complex application servers, such as Datto BCDR's Rapid Rollback.

NOTE  Ransomware Rollback does not track changes on virtual disk images, including Hyper-V, VirtualBox, and Windows hard disk image files, including AVHDX, AVHD, VHD, VHDX, and VDI.

Before you can start protecting your endpoints with Ransomware Rollback, your environment must meet the following criteria.

• You must have an active Datto EDR subscription.
• The Datto Endpoint Security agent must be installed on all endpoints you wish to monitor, and those devices must be able to communicate with your EDR instance.
• Ransomware detection must be enabled and configured. For more information, refer to Ransomware policy.

Procedure

To deploy the rollback agent and Rollback Driver Desktop application to your monitored endpoints, you'll need to enable the Rollback and File Recovery option in your ransomware policy. Perform the following steps to do so.

IMPORTANT  If your endpoint requires managed reboots or must adhere to specific update policies, refer to the Managing Ransomware Rollback installation and updates section of this article for important information.

1. Navigate to the Policies page and locate your ransomware policy. Ensure that it is enabled. To learn how to do so, refer to Working with the Policies page.

2. Click the name of your ransomware policy to open its Edit Policy page.

3. Review the Details, Detection, and Response sections of the page. Make any configuration changes necessary. For feature definitions, refer to Ransomware monitoring options.

4. Scroll down to Rollback and File Recovery and click the Enable Rollback and File Recovery toggle to activate Ransomware Rollback. Doing so automatically begins the deployment process of the rollback agent's components to all monitored and supported Windows endpoints.

5. Make any desired customizations to the protection behavior of the rollback agent. Review Ransomware Rollback options for details about the available options.

   NOTE  In the Monitoring Scope section, you have the option to enable support for additional volumes.
   

6. Once you've finished configuring your ransomware policy, click Save.

7. To verify that the rollback agent has successfully deployed to your endpoints, log in to any protected system and check for the Rollback Driver Desktop application in the Windows Start Menu and the Apps section of the Settings control panel.

Agent components

During the installation of the rollback agent, we add the following components to each protected system.

• Kernel minifilter driver (cbfilter22.sys)

• Datto Rollback System Service

• Datto Rollback Status and Datto Rollback Updater scheduled tasks

• Rollback Driver Desktop application and Start Menu icon

• Cache folder at %SYSTEMDRIVE%\$.td and in the root directory of any additional tracked volumes

These resources are critical to the monitoring and protection of the endpoint's file system.

The rollback agent and its management application must be installed on all endpoints that you'd like to be able to restore. Once you've installed them, a link to the Rollback Driver Desktop application will become available in the Windows Start Menu. When you launch the program, you'll see the following features and fields.

Header menu
Feature	Definition
Drive	Volume filter; shows the alerts, history, and recovery options for each logical drive on the endpoint
	Refresh the current view
	Application is functioning without issue and connected to rollback system service
	Show Rollback Driver Desktop version information

Overview

We are continuously improving the Datto Rollback agent and Rollback Driver Desktop application. It will automatically update when a new release is available. You do not need to take any action to keep the endpoint software current. However, should you wish to manage the delivery of these updates, the following sections of this article will assist you in doing so.

Update types

Ransomware Rollback integrates deep within the Windows kernel. We may occasionally release updates that require a system reboot to complete the installation. We classify our updates as minor and major.

Minor updates are for bug fixes, performance updates, and other infrastructure enhancements that are part of the continuous improvement cycle of the solution. On average, we will release a minor update every four to eight weeks. Minor updates are silent, always installed, and happen in the background without any pop-ups or visible effect on screen.

Major updates require a reboot of the host for the installation to finalize. Unless disabled, major updates surface a notification and then force a reboot under user control within 24 hours of the system receiving the update. This mechanism is the default delivery method for the rollback engine. Any update that will require a reboot will be announced in your Datto EDR instance at least one month in advance to enable you to schedule appropriate maintenance windows. Normally, we only release one major update per year.

Major updates are installed if the following conditions are met:

• The HKEY_LOCAL_MACHINE\SOFTWARE\Datto\RollbackDriver\DisableRollbackReboot=true Windows Registry flag is not set; or...

• The --forceupdate command line switch is specified for the Datto Rollback Updater scheduled task.

When minor and major updates take place, the Datto Rollback System Service restarts. When an update requires a reboot, the updater creates a Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Datto\RollbackDriver\RestartFlag key in the endpoint's Windows Registry.

Datto Rollback Updater scheduled task

Datto Rollback uses the Datto Rollback Updater scheduled task every four hours to check for and download updates. The updater utility resides on protected endpoints at %SystemDrive%\Program Files\Datto\Datto Rollback Driver\updater.exe.

IMPORTANT  If you disable this task, be sure to run Ransomware Rollback's updater.exe during your scheduled maintenance window to ensure that the latest patches and fixes are applied.

As described in the previous section of this article, the Datto Rollback Updater will set the RestartFlag Windows Registry key if it determines that a reboot is required to finalize an update. Its purpose is twofold:

• If you are updating during a service window, the presence of the flag enables you to know whether a reboot is actually required. Once the reboot completes, the RestartFlag clears.

• The Datto Rollback Status scheduled task monitors for the presence of this key. If it exists, the user will be prompted to reboot the endpoint to finalize the update. Users have 24 hours to do so, after which, a forced reboot will occur.

  

Controlling Ransomware Rollback installation

If you do not want Ransomware Rollback installed on certain devices, you can avoid installation by creating a string key named DisableRollbackInstall within Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Datto\EDR in the registry and setting its value to 1.

If Ransomware Rollback has been installed on a device and you need to uninstall it while the policy is enabled, insert the key as instructed and manually uninstall Ransomware Rollback. This key will block automatic reinstallation.

Controlling major Ransomware Rollback updates

If you'd like to prevent Datto EDR from installing major Ransomware Rollback updates while allowing minor updates to be applied, perform the following steps:

1. Set the following Windows Registry value on the applicable endpoint: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Datto\DisableRollbackReboot=TRUE. Doing so instructs updater.exe to avoid major updates.

2. Reboot the system to ensure that the registry change takes effect.

   

Controlling all Ransomware Rollback updates

If you'd like to prevent Datto EDR from installing any Ransomware Rollback updates on a system until you're ready to do so, perform the following steps on the applicable endpoint:

1. Disable the Windows scheduled task called Datto Rollback Updater. Doing so prevents all automated updates.

2. During your service window, from an elevated Command Prompt or PowerShell session, run updater.exe --forceupdate, which will download and install any available updates, minor and major.

3. At the end of your service window, force a reboot of the endpoint to finalize the update.

1. Navigate to the Alerts page by clicking Alerts in the top navigation menu.

2. The page will load. Locate the ransomware alert to which you'd like to respond and click its name.

3. The Alert Detail page will load. Make a note of the Alert Time, Extension, and Host Name values.
   

4. Proceed to the next section of this article.

1. Using an administrator-level account, log in to the endpoint with the host name you identified in the previous section of this article. If the machine has been isolated from the network and you need to access it remotely, you can do so from your Datto RMM platform.

2. Launch the Rollback Driver Desktop application and navigate to the Ransomware Alert tab.

3. Click the alert that corresponds to the Alert Time value you recorded from Datto EDR.

4. Ensure that the Extension value shown in Rollback Driver Desktop matches the Extension value from Datto EDR.
   

5. Review the impact of the ransomware attack by using the information provided by each of the application's tabs. If you chose to protect multiple volumes on the endpoint, be sure to repeat the process for each logical drive shown in the Drive drop-down.

6. When you're ready to take corrective action, you can click the Rollback button on the Ransomware Alert tab to undo all file-level changes identified in the alert. If you'd prefer to take a more granular approach to recovery, you can use the options described in the Rollback Driver Desktop features section of this article to do so.

7. Once you've recovered your lost or compromised files, copy all business-critical data on the machine to a backup appliance, removable media, or NAS share.

8. Reimage the endpoint if you suspect that it still contains remnants of ransomware.

9. Restore all business-critical files to the machine.

Ransomware Rollback is a software agent that tracks changes made to files on a user's disk and provides a rollback mechanism to restore the original files if they become compromised by ransomware.

NOTE  Ransomware Rollback does not track changes on virtual disk images, including Hyper-V, VirtualBox, and Windows hard disk image files, including AVHDX, AVHD, VHD, VHDX, and VDI.

Our solution intercepts file system calls made by applications and performs lightweight tracking of the changes made. It uses a custom minifilter inside Microsoft's file I/O stack in Windows, a system service for tracking changes and performing rollbacks, and a desktop application for user interaction.

No, it focuses on tracking user documents rather than the entire system. It does not track changes to the Windows directory, program files, or app data.

While Ransomware Rollback is compatible with most host-based applications, it may conflict with applications that write or update a large volume of files. In the event that rollback impacts an application, we recommend creating an exclusion for the folder. Refer to How do I enable support for folder exclusions?

Ransomware Rollback saves the data being written on an operation-by-operation basis, allowing you to roll back the entire update if it is compromised by ransomware.

Yes, ransomware detection is integrated with this solution, enabling the two to work together.

No, our agent does not rely on Windows shadow copy, which is often targeted by ransomware attacks. Instead, it uses a custom minifilter to track file changes independently.

Yes, you can monitor the tracked changes through the included desktop application.

Upon a file's deletion, Ransomware Rollback creates a hard link to the file in a tracking directory while the original deletion operation proceeds. Doing so allows for easy restoration of the deleted file.

Yes, you can initiate a rollback manually through the desktop application or remotely via the EDR portal in future releases.

Ransomware Rollback is intended for use with Windows 10 and 11 operating systems, ensuring a wide range of businesses can benefit from this added layer of protection.

No, the solution does not replace regular backup procedures. Instead, it serves as an additional layer of protection, enabling the rollback of critical files modified by ransomware attacks to ensure business continuity.

You can monitor ransomware alerts through the Endpoint Detection and Response (EDR) portal. To initiate a rollback, you can use the dedicated desktop application, which allows for targeted rollbacks based on the specific ransomware process or a specified timeframe (e.g., rolling back all changes made within the last four hours).

Yes. You'll need to allocate disk space for the ransomware rollback driver to intercept file operations and keep a copy of changes. By default, we reserve 5% of disk space for this purpose. However, you can adjust the quota based on your specific needs.

The rollback application's installation is approximately 10 megabytes in size.

The solution attempts to keep a history of changes for seven days. The duration may be shorter if there is heavy disk activity or a ransomware attack occurs.

Ransomware Rollback does not rely on snapshots. Instead, it continuously records all changes on the disk as they happen in real-time.

Even if a ransomware attack goes undetected, Ransomware Rollback is still recording the changes to the disk, which means you can roll them back and recover your files.

No, for these types of servers, you should use a solution like Datto BCDR's Rapid Rollback, which is designed to protect complex application servers.

Any program running on the background uses resources on the machine. The resources used are as follows:

• CPU: We only use the CPU when there is I/O activity. Utilization will always be 0% unless file activity takes place. Then, the general overhead is relatively low but measurable under stress tests. File operations will occur in milliseconds. There is no installation indexing happening or periods when the agent actively scans your files; instead, it applies all overhead to file activity instead.

• Memory: The service uses between 60 to 200 megabytes of RAM. Memory usage can vary based on the device's activity levels.

• Disk space: We default the cache to 5% of the volume size. You can adjust this allocation in the agent settings. By default, Ransomware Rollback preserves up to seven days of activity. If that seven-day period will consume more than 5%, the agent will preserve a shorter window of time. The rollback agent will only use the maximum allocation if it is necessary for storing the entire history. If the recorded history requires less storage, the agent will reserve less space.
  

  NOTE  Using up free space on the disk while simultaneously deleting files can result in additional, unexpected storage consumption. This phenomenon is due to the rollback agent attempting to preserve the deleted files while also recording any additional files being created. It is important that you observe good storage management practices for any endpoint protected by the rollback agent.

• Network traffic: Ransomware Rollback uses minimal network traffic. We periodically upload diagnostic information so that we can improve the solution.

No. The cache folder for each volume cannot be moved.

Ransomware Rollback allows for multi-volume support and folder exclusions. Rollback file tracking on additional connected drives and optional folder blocklisting facilitate expanded granular control over the data you'd like to protect. Configurable from your ransomware policy, this feature delivers improved protection for endpoints that perform large numbers of read and write operations. Refer to Configuring your ransomware policy and installing the agent.

Clicking the settings icon in Rollback Driver Desktop allows you to enter folders to be excluded.

A minifilter is a small software component that works within your computer's file system. Its primary purpose is to monitor and sometimes modify how the operating system and applications access, read, and write files. For example, a minifilter might prevent unauthorized access to sensitive files or automatically encrypt certain types of files before they are saved to disk. In the context of a ransomware rollback solution, a minifilter is responsible for tracking changes made to files, allowing the system to revert those changes if a ransomware attack is detected.