Within the past few years, the focus of many security teams has been shifting from pure prevention of cyber-attacks to richer detection and response/recovery capabilities. With the Snapshot-Based Ransomware Recovery tool, domain administrators can access their data on a snapshot within 15-30 minutes and recover them within minutes (for small folders) or hours (for very large folders). The snapshots of the domain's data are taken automatically every four hours and are kept for two weeks.
The Snapshot-Based Ransomware Recovery is included with the Platform Enterprise plan, GxP with Governance Plan, and AEC (Construction Package). The feature is also available as an add-on for Platform and Enterprise Lite plans.
Skip Ahead to the FAQ...
Mounting a Snapshot
A domain admin can mount a snapshot by selecting one of the available snapshots s/he intends to mount and then clicking on “Mount snapshot”.
On the next pop-up, the admin can specify the name of the "preview" and the reason for it (the most common cause is "Recovery from Ransomware attack") and then click the “Mount” button.
Although scarce, sometimes links and permissions may not be available in the snapshot to restore. As shown in the above screenshot, the system will keep the user informed with the i-text against any such snapshot. If you intend to move the existing files to a different location before restoring the content from the snapshot, although it is recommended that you should not mount such a snapshot, you can still go ahead and mount it and potentially restore your content without links and permissions. If restoring the content to the same location (in-place restore), this constraint does not apply.
It will take 15-30 minutes (and usually less than that) to mount the snapshot - the status will change from "Mounting" to "Mounted." Also, the system will send emails when the mounting process begins and the snapshot is ready for preview.
Remounting a Snapshot
The user will also have an option to remount an already unmounted snapshot provided no other snapshot is already mounted or being mounted. From the history table, the user can click on the three dots and then the “Remount” option from the context menu.
Browsing Files on the Mounted Snapshot
One can click on the “Preview” button from the currently mounted snapshot tile.
That will open a Snapshot Preview that looks similar to a regular Web UI preview, but it will have a blue border around it as a reminder that it is a snapshot preview, not the regular domain preview:
File Preview or Download
An admin can preview or download files on a snapshot to double-check that these are the file versions that are needed to be restored:
Restoring Folders and Files From a Snapshot
To restore folders and files from a snapshot, the admin can select specific folders and then select "Restore" in the context menu for the folder (file):
Depending on the ransomware type, the admin might have experienced the situation when the existing files are encrypted by ransomware. For that situation, the default option is to "Restore files to the same location." The links to the files, comments, folder permissions, etc., are kept intact with this option.
Sometimes, though, there might be a situation when ransomware deletes the existing files (so that the files are in Trash now) and creates new files (with cryptic names) in the folder. In this case, it is better to select the option to move all the existing files to a different location before restoring them. That will rename the original folder and restore the files into a folder under the original path.
Currently, the snapshots do not contain comments, custom metadata, workflows, etc. They will not be restored when the "Move all the existing files to a different location before restoring them to the same location" option is selected. The files, folders, links, and permissions will be restored.
Frequently Asked Questions
Can I create a snapshot at a particular time?
No, currently, all the snapshots are created automatically, approximately every four hours .
Can the snapshots be kept for longer than the 14-day window?
Not right now. The focus of Snapshot-based Ransomware Recovery is to allow recovery from a ransomware attack. Usually, the encrypted ransomware files are discovered within 1-3 days of the attack. Hence, the 14-day window should be large enough. In the future, product capabilities may allow larger time windows.
Which file version is restored from the snapshot?
The latest version of a file from a snapshot will be added to the existing version of the file in the domain. If the destination file does not exist in the domain, the latest version of the file on the snapshot will be restored.
Are the encrypted versions/files deleted during the restoration process?
No, the restoration job will restore the files (versions). It does not delete the encrypted files/versions . Admin can delete the files that are not needed after the restoration.
Can I have multiple mounted snapshots at the same time?
Only one snapshot can be mounted at the same time . If it is needed to mount another snapshot, it is necessary to unmount the currently mounted snapshot.
How long can I keep the snapshot mounted?
If no restoration jobs are running for a mounted snapshot, the snapshot will be unmounted after some time (usually, 1-3 days since it was mounted) .
How do I know which snapshot to mount?
The file Audit Report contains records of file activity of users, so it is possible to identify when a user uploads many files starting from a specific point in time. If it happens to be the ransomware activity, a snapshot created before that specific point in time should be mounted for recovery.
How do I know which files or folders to restore?
The file Audit Report contains records of file activity of users, so it is possible to identify when a user uploads many files starting from a specific point in time. If it happens to be the ransomware activity, then files and folders impacted by the action should be restored from the snapshot.
Can I recover data even when they are purged from the Trash?
Yes, when the feature is turned on for a domain, it is possible to recover the data deleted from Trash - if they were deleted within the sliding 14-day window for which the snapshots are kept.
When the admin previews or downloads files using the snapshot, is it recorded in the audit?
Yes, there will be records in the File Audit Report:
- "Access": "Web UI - Snapshot Preview"
- This tells the user that these audit entries result from snapshot preview action from the Web UI.
- "Preview on Snapshot"
- This tells the user that the file was previewed from the snapshot.
- "Download from Snapshot"
- This tells the user that the file was downloaded from the snapshot.
- "Preview on Snapshot"
When the files are restored by a Restoration Job, is it recorded in the audit?
Yes, there will be records in the File Audit Report:
- "Access": "Restoration Job"
- This tells the user that these audit entries result from initiating a restoration process from the Web UI.
- "Action": "Restore from Snapshot" OR "Restore from Snapshot – Download Link" OR "Restore from Snapshot – Upload Link"
- Restore from Snapshot: This tells the user that the file was restored from the snapshot.
- Restore from Snapshot - Download Link: This tells the user that the download link for the file was restored from the snapshot.
- Restore from Snapshot - Upload Link: This tells the user that the upload link for the folder was restored from the snapshot.
When the admin mounts a snapshot, is it recorded in the audit?
Yes, there is a separate Snapshot Recovery Audit Report, where you can see information about who initiated the mounting of a snapshot when the snapshot was unmounted, etc.
When the admin starts a Recovery Job, is it recorded in the audit?
Yes, in the Snapshot Recovery Audit Report, you can see information about who initiated the restoration job.
Learn more about Snap-shot Based Ransomware Recovery by watching a Quick Tip on Egnyte University: Snapshot-Based Ransomware Recovery.