Ransomware Protection
Understand how BackupEngine detects ransomware activity and protects your backups from encryption attacks.
How Ransomware Detection Works
BackupEngine continuously monitors file changes during backup scans to detect patterns consistent with ransomware attacks. The detection engine uses multiple signals to identify suspicious activity before encrypted files are uploaded, preventing ransomware from corrupting your backup history.
- Entropy analysis: Ransomware-encrypted files have near-maximum entropy (randomness). BackupEngine measures the Shannon entropy of changed file chunks and flags files that jump from normal entropy to near-random.
- Mass modification detection: If an unusually high percentage of files in a backup set are modified between runs, the agent raises an alert.
- File extension monitoring: Known ransomware extensions (.encrypted, .locked, .crypto, and hundreds more) trigger immediate warnings.
- Rename pattern detection: Mass file renames with consistent patterns (e.g., adding a new extension to all files) are flagged.
- Canary files: BackupEngine places hidden sentinel files in monitored directories. If these files are modified or deleted, it indicates unauthorized bulk file operations.
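As an added illustration of the entropy and mass-modification signals described above (example code, not BackupEngine's own; the thresholds, the file extension list and the sample backup runs are assumptions constructed for this example), here is how two backup runs can be compared to decide whether an upload should be paused:

```python
import hashlib
import math
from collections import Counter

# Thresholds are assumptions for this example, not BackupEngine's actual settings.
NEAR_RANDOM_BITS = 7.5    # bits/byte; at or above this a chunk looks like ciphertext
NORMAL_BITS = 6.5         # bits/byte; at or below this a chunk looks like ordinary data
MASS_MODIFY_RATIO = 0.5   # fraction of files changed between runs that raises an alert
KNOWN_RANSOM_EXTS = {".encrypted", ".locked", ".crypto"}  # short constructed list

def shannon_entropy(chunk: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 to 8.0)."""
    if not chunk:
        return 0.0
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in Counter(chunk).values())

def entropy_jump(before: bytes, after: bytes) -> bool:
    """True when a chunk went from normal entropy to near-random between two runs."""
    return shannon_entropy(before) <= NORMAL_BITS and shannon_entropy(after) >= NEAR_RANDOM_BITS

def scan(prev_run: dict, cur_run: dict) -> dict:
    """Compare two backup runs ({path: chunk bytes}) and report which signals fired."""
    changed = [p for p, data in cur_run.items() if prev_run.get(p) != data]
    jumps = [p for p in changed if p in prev_run and entropy_jump(prev_run[p], cur_run[p])]
    bad_ext = [p for p in cur_run if any(p.endswith(e) for e in KNOWN_RANSOM_EXTS)]
    ratio = len(changed) / len(cur_run) if cur_run else 0.0
    mass = ratio >= MASS_MODIFY_RATIO
    return {
        "entropy_jump": jumps,
        "mass_modification": mass,
        "known_extension": bad_ext,
        "pause_upload": bool(jumps or bad_ext or mass),
    }

def fake_ciphertext(n: int, seed: bytes) -> bytes:
    """Constructed stand-in for an encrypted chunk: a SHA-256 chain gives uniformly spread bytes."""
    out = b""
    while len(out) < n:
        seed = hashlib.sha256(seed).digest()
        out += seed
    return out[:n]

PLAINTEXT = b"Quarterly report: revenue up 4% on stable costs.\n" * 80  # constructed document chunk

def example_runs():
    """Constructed scenario: ten documents; six encrypted in place, one encrypted and renamed."""
    prev = {f"docs/report_{i}.txt": PLAINTEXT for i in range(10)}
    cur = dict(prev)
    for i in range(6):
        cur[f"docs/report_{i}.txt"] = fake_ciphertext(len(PLAINTEXT), str(i).encode())
    del cur["docs/report_6.txt"]
    cur["docs/report_6.txt.locked"] = fake_ciphertext(len(PLAINTEXT), b"6")
    return prev, cur
```

Running `scan(*example_runs())` reports six entropy jumps, one known extension and a 70% modification ratio, so the upload would be paused; scanning an unchanged run fires nothing.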
What Happens When Ransomware Is Detected
When the detection engine identifies a potential ransomware attack, BackupEngine takes several protective actions automatically:
- The current backup run is immediately paused to prevent uploading encrypted files.
- An alert is sent to the device owner via email and push notification.
- The alert is also visible in the Customer Portal dashboard for team administrators.
- The agent displays a prominent warning banner with details about the suspicious activity.
- Previous clean backup versions remain intact and unaffected.
Recovering After a Ransomware Attack
Because BackupEngine pauses before uploading suspicious files, your most recent clean backup remains available for full recovery.
- Remove the ransomware from your system using endpoint protection software.
- Open BackupEngine and go to the Restore tab.
- Select a restore point from before the attack began (check the timeline for the last clean backup).
- Restore your files to the original location or a clean directory.
- Once recovery is complete, dismiss the ransomware alert and resume backups.
```shell
# List recent backup points to find the last clean one
backupengine restore list-points --backup-set "Documents"

# Restore from a specific clean point
backupengine restore full \
  --backup-set "Documents" \
  --point-in-time "2025-12-14T22:00:00Z" \
  --destination "/Users/me/Documents/"

# Dismiss the ransomware alert after recovery
backupengine alert dismiss --id ALERT-2025-1214-001
```
Configuring Detection Sensitivity
You can adjust the sensitivity of ransomware detection in Settings to reduce false positives if your workflow involves frequent bulk file operations (e.g., video encoding, database exports).
- High sensitivity (default): Flags any significant entropy change or mass modification. Recommended for most users.
- Medium sensitivity: Requires multiple signals (entropy + mass rename) before raising an alert. Suitable for creative professionals.
- Low sensitivity: Only alerts on known ransomware extensions and canary file tampering. Use only if you experience frequent false positives.