63409: Information required for investigation of a Ransomware attack

Last update: 31-05-2021

To help Acronis find the root cause in your particular case, please provide the following information to your Acronis representative:

  1. Date and time, when the ransomware attack was noticed.
  2. Acronis Active Protection status when the issue appeared: whether it was turned on or off, and whether its service was running, stopped or disabled.
  3. If you suspect any link, website or program, where the ransomware could have originated, share the details with Acronis.
  4. Screenshot of the ransom demand. Details on that screen help us identify which ransomware it was exactly.
  5. Screenshot with the names of the encrypted files. Some ransomware uses specific naming patterns for encrypted files, which also helps with the investigation.
  6. Whether the encrypted files were residing in a shared folder.
  7. Copies of the files with .ENCRYPTED extension in C:\Acronis Active Protection Storage, if any are present.
  8. A system report. See instructions:
  9. If the system report tool does not produce a system report file, generate one as per the instructions at https://kb.acronis.com/content/1640, then compress the following folder and send both to Acronis:
    • Windows:  C:\ProgramData\Acronis
      (The folder C:\ProgramData is hidden by default on Windows. To see it, enable display of hidden files and folders in Windows Explorer under View - Hidden items, or under Control Panel - Appearance and Personalization - Show hidden files and folders.)
    • Mac: /Library/Application Support/Acronis
  10. Get a sector-by-sector backup of the affected machine.
    • If no agent is installed, create the backup from bootable media. For the Acronis Cyber Cloud product, get the Acronis Backup bootable media.
    • If a sector-by-sector backup cannot be created, make a default one.
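
Items 2, 7 and 9 on Windows can be gathered in one pass. The script below is an added example, not Acronis tooling: it copies the .ENCRYPTED files with a SHA-256 manifest and archives C:\ProgramData\Acronis. The output folder name, the `*Acronis*` display-name match for services, and running from an elevated prompt are assumptions.

```powershell
# Added example, not Acronis tooling. Run from an elevated PowerShell prompt.
$ErrorActionPreference = 'Stop'
$Stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
$OutDir  = Join-Path $env:SystemDrive "RansomwareCase-$Stamp"   # assumed output folder
$ApStore = 'C:\Acronis Active Protection Storage'               # path from item 7
$LogDir  = 'C:\ProgramData\Acronis'                             # path from item 9
New-Item -ItemType Directory -Path $OutDir | Out-Null

# Item 2: snapshot the state of Acronis services. Matching on display name is an
# assumption; exact service names differ between products.
Get-Service -DisplayName '*Acronis*' -ErrorAction SilentlyContinue |
    Select-Object Name, DisplayName, Status, StartType |
    Export-Csv (Join-Path $OutDir 'acronis-services.csv') -NoTypeInformation

# Item 7: copy the .ENCRYPTED files and record a SHA-256 for each, so the copies
# sent to support can be matched to the originals left on disk.
if (Test-Path -LiteralPath $ApStore) {
    $Dest = Join-Path $OutDir 'encrypted-copies'
    New-Item -ItemType Directory -Path $Dest | Out-Null
    $Manifest = Get-ChildItem -LiteralPath $ApStore -Filter '*.ENCRYPTED' -File -Recurse -Force |
        ForEach-Object {
            $Hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            # Hash prefix keeps same-named files from different subfolders apart.
            $Copy = Join-Path $Dest ('{0}_{1}' -f $Hash.Substring(0, 12), $_.Name)
            Copy-Item -LiteralPath $_.FullName -Destination $Copy
            [pscustomobject]@{
                Source = $_.FullName; Sha256 = $Hash; Bytes = $_.Length
                LastWriteUtc = $_.LastWriteTimeUtc.ToString('o')
            }
        }
    if ($Manifest) {
        $Manifest | Export-Csv (Join-Path $OutDir 'encrypted-manifest.csv') -NoTypeInformation
    }
}

# Item 9: stage the folder with robocopy, then zip the staged copy. /B reads with
# backup privilege so restrictive ACLs do not block the copy; files another process
# holds open exclusively are still skipped and are listed in robocopy.log.
if (Test-Path -LiteralPath $LogDir) {
    $Stage = Join-Path $OutDir 'ProgramData-Acronis'
    robocopy $LogDir $Stage /E /B /R:1 /W:1 /NP "/LOG:$OutDir\robocopy.log" | Out-Null
    if ($LASTEXITCODE -ge 8) { Write-Warning "robocopy reported failures; see $OutDir\robocopy.log" }
    $Zip = Join-Path $OutDir 'ProgramData-Acronis.zip'
    Add-Type -AssemblyName System.IO.Compression.FileSystem
    [System.IO.Compression.ZipFile]::CreateFromDirectory($Stage, $Zip)   # includes hidden files
    Get-FileHash -LiteralPath $Zip -Algorithm SHA256 | Format-List Path, Hash
}
```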